Denying SQL injection attacks
SQL injection is another large class of security exploits, where the attacker puts SQL commands into input data. See https://www.xkcd.com/327/ for an example.
The sql-injection
package scans query strings, request body parameters, and route parameters for SQL code.
Install with:
$ npm install sql-injection --save
Then install it in app.mjs
:
import sqlinjection from 'sql-injection'; ... app.use(sqlinjection);
Sequelize deprecation warning regarding operator injection attack
You may have seen this deprecation warning printed by Notes:
sequelize deprecated String based operators are now deprecated. Please use Symbol based operators for better security, read more at http://docs.sequelizejs.com/manual/tutorial/querying.html#operators
Nowhere in Notes are we using Sequelize
string-based operators, and therefore this would seem to be a spurious error message. In actuality, it is a real issue with potential similar to an SQL injection attack.
This issue queue entry has an in...