fix(crud-typeorm): prevent sql injection in order by

Author: michaelyali

integration/crud-typeorm/orm.config.ts

@@ -1,5 +1,6 @@
 import { join } from 'path';
 import { TypeOrmModuleOptions } from '@nestjs/typeorm';
+import { isNil } from '@nestjsx/util';
 
 export const withCache: TypeOrmModuleOptions = {
   type: 'postgres',
@@ -9,7 +10,9 @@ export const withCache: TypeOrmModuleOptions = {
   password: 'root',
   database: 'nestjsx_crud',
   synchronize: false,
-  logging: true,
+  logging: !isNil(process.env.TYPEORM_LOGGING)
+    ? !!parseInt(process.env.TYPEORM_LOGGING, 10)
+    : true,
   cache: {
     type: 'redis',
     options: {

package.json

@@ -18,7 +18,7 @@
     "test": "yarn s test",
     "pretest:coveralls": "yarn pretest",
     "test:coveralls": "yarn s test.coveralls",
-    "start:typeorm": "npx nodemon -w ./integration/crud-typeorm -e ts node_modules/.bin/ts-node integration/crud-typeorm/main.ts",
+    "start:typeorm": "npx nodemon -w ./integration/crud-typeorm -e ts node_modules/ts-node/dist/bin.js integration/crud-typeorm/main.ts",
     "db:sync:typeorm": "cd ./integration/crud-typeorm && npx ts-node -r tsconfig-paths/register ../../node_modules/typeorm/cli.js schema:sync -f=orm",
     "db:drop:typeorm": "cd ./integration/crud-typeorm && npx ts-node -r tsconfig-paths/register ../../node_modules/typeorm/cli.js schema:drop -f=orm",
     "db:seeds:typeorm": "cd ./integration/crud-typeorm && npx ts-node -r tsconfig-paths/register ../../node_modules/typeorm/cli.js migration:run -f=orm",

packages/crud-typeorm/src/typeorm-crud.service.ts

@@ -45,6 +45,12 @@ export class TypeOrmCrudService<T> extends CrudService<T> {
   protected entityPrimaryColumns: string[];
   protected entityColumnsHash: ObjectLiteral = {};
   protected entityRelationsHash: ObjectLiteral = {};
+  protected sqlInjectionRegEx: RegExp[] = [
+    /(%27)|(\')|(--)|(%23)|(#)/gi,
+    /((%3D)|(=))[^\n]*((%27)|(\')|(--)|(%3B)|(;))/gi,
+    /w*((%27)|(\'))((%6F)|o|(%4F))((%72)|r|(%52))/gi,
+    /((%27)|(\'))union/gi,
+  ];
 
   constructor(protected repo: Repository<T>) {
     super();
@@ -791,7 +797,9 @@ export class TypeOrmCrudService<T> extends CrudService<T> {
     const params: ObjectLiteral = {};
 
     for (let i = 0; i < sort.length; i++) {
-      params[this.getFieldWithAlias(sort[i].field)] = sort[i].order;
+      const field = this.getFieldWithAlias(sort[i].field);
+      const checkedFiled = this.checkSqlInjection(field);
+      params[checkedFiled] = sort[i].order;
     }
 
     return params;
@@ -947,4 +955,18 @@ export class TypeOrmCrudService<T> extends CrudService<T> {
       this.throwBadRequestException(`Invalid column '${cond.field}' value`);
     }
   }
+
+  private checkSqlInjection(field: string): string {
+    /* istanbul ignore else */
+    if (this.sqlInjectionRegEx.length) {
+      for (let i = 0; i < this.sqlInjectionRegEx.length; i++) {
+        /* istanbul ignore else */
+        if (this.sqlInjectionRegEx[0].test(field)) {
+          this.throwBadRequestException(`SQL injection detected: "${field}"`);
+        }
+      }
+    }
+
+    return field;
+  }
 }

packages/crud-typeorm/test/b.query-params.spec.ts

@@ -540,6 +540,23 @@ describe('#crud-typeorm', () => {
           res.body[0].company.projects[0].id,
         );
       });
+
+      it('should throw 400 if SQL injection has been detected', (done) => {
+        const query = qb
+          .sortBy({
+            field: ' ASC; SELECT CAST( version() AS INTEGER); --',
+            order: 'DESC',
+          })
+          .query();
+
+        return request(server)
+          .get('/companies')
+          .query(query)
+          .end((_, res) => {
+            expect(res.status).toBe(400);
+            done();
+          });
+      });
     });
 
     describe('#search', () => {