I've run across some node.js code that gets a user-supplied string, calls JSON.stringify(str)
and injects the value directly into an SQL statement.
e.g.
// user-controlled input is turned into a JSON string literal ...
var x = JSON.stringify(UNSAFE_USER_STRING);
// ... and concatenated straight into the SQL text
mysql_execute('UPDATE foo SET v = ' + x + ' WHERE id = 1');
Obviously this is an abuse of JSON.stringify, however this is not my code and the authors would like to see an attack vector before they patch it. Because UNSAFE_USER_STRING is a string, not an object, and does escaping of the obvious " and \, it's not obvious if there is a serious problem.
Is this code safe? And if not, could someone demonstrate what would be unsafe input?
Thanks!