SQL Injection using Knex raw() or whereRaw() functions
Description
Untrusted input concatenated into a raw SQL string that is passed to the knex raw() or whereRaw() functions can result in SQL injection, because the input becomes part of the query text instead of being sent as a bound parameter.
Examples
Insecure Code
```javascript
const knex = require('knex')({ client: 'pg' });
// Untrusted request data is spliced directly into the SQL text.
const query = "SELECT * FROM users WHERE name = '" + req.query.name + "'";
knex.raw(query);
```
Secure Code
```javascript
const knex = require('knex')({ client: 'pg' });
// The value is supplied as a binding for the ? placeholder, not as SQL text.
const query = 'SELECT * FROM users WHERE name = ?';
knex.raw(query, [req.query.name]);
```
Remediation
Use parameterized queries (knex bindings) or prepared statements so that user input is passed to the database as data and is never interpreted as SQL code.
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0358 |
| Category | Injection |
| Severity | CRITICAL |
| CWE | CWE-89 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | HIGH |
| Exploitability | EASY |
| Tags | sql-injection, nodejs |
| OWASP | A1:2017-Injection, A03:2021-Injection |