fix(deps): update dependency sequelize to v6 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
sequelize (source)	5.22.5 -> 6.29.0

GitHub Vulnerability Alerts

CVE-2023-22580

Due to improper input filtering in the sequelize js library, can malicious queries lead to sensitive information disclosure.

CVE-2023-25813

Impact

The SQL injection exploit is related to replacements. Here is such an example:

In the following query, some parameters are passed through replacements, and some are passed directly through the where option.

User.findAll({
  where: or(
    literal('soundex("firstName") = soundex(:firstName)'),
    { lastName: lastName },
  ),
  replacements: { firstName },
})

This is a very legitimate use case, but this query was vulnerable to SQL injection due to how Sequelize processed the query: Sequelize built a first query using the where option, then passed it over to sequelize.query which parsed the resulting SQL to inject all :replacements.

If the user passed values such as

{
  "firstName": "OR true; DROP TABLE users;",
  "lastName": ":firstName"
}

Sequelize would first generate this query:

SELECT * FROM users WHERE soundex("firstName") = soundex(:firstName) OR "lastName" = ':firstName'

Then would inject replacements in it, which resulted in this:

SELECT * FROM users WHERE soundex("firstName") = soundex('OR true; DROP TABLE users;') OR "lastName" = ''OR true; DROP TABLE users;''

As you can see this resulted in arbitrary user-provided SQL being executed.

Patches

The issue was fixed in Sequelize 6.19.1

Workarounds

Do not use the replacements and the where option in the same query if you are not using Sequelize >= 6.19.1

References

See this thread for more information: https://github.com/sequelize/sequelize/issues/14519

Snyk: https://security.snyk.io/vuln/SNYK-JS-SEQUELIZE-2932027

CVE-2023-22579

Impact

Providing an invalid value to the where option of a query caused Sequelize to ignore that option instead of throwing an error.

A finder call like the following did not throw an error:

User.findAll({
  where: new Date(),
});

As this option is typically used with plain javascript objects, be aware that this only happens at the top level of this option.

Patches

This issue has been patched in sequelize@6.28.1 & @sequelize/core@7.0.0.alpha-20

References

A discussion thread about this issue is open at https://github.com/sequelize/sequelize/discussions/15698

CVE: CVE-2023-22579
Snyk: https://security.snyk.io/vuln/SNYK-JS-SEQUELIZE-3324090

CVE-2023-22578

Impact

Sequelize 6.28.2 and prior has a dangerous feature where using parentheses in the attribute option would make Sequelize use the string as-is in the SQL

User.findAll({
  attributes: [
    ['count(id)', 'count']
  ]
});

Produced

SELECT count(id) AS "count" FROM "users"

Patches

This feature was deprecated in Sequelize 5, and using it prints a deprecation warning.

This issue has been patched in @sequelize/core@7.0.0.alpha-20 and sequelize@6.29.0.

In Sequelize 7, it now produces the following:

SELECT "count(id)" AS "count" FROM "users"

In Sequelize 6, it throws an error explaining that we had to introduce a breaking change, and requires the user to explicitly opt-in to either the Sequelize 7 behavior (always escape) or the Sequelize 5 behavior (inline attributes that include () without escaping). See https://github.com/sequelize/sequelize/pull/15710 for more information.

Mitigations

Do not use user-provided content to build your list or attributes. If you do, make sure that attribute in question actually exists on your model by checking that it exists in the rawAttributes property of your model first.

---

A discussion thread about this issue is open at https://github.com/sequelize/sequelize/discussions/15694
CVE: CVE-2023-22578

---

Release Notes

sequelize/sequelize (sequelize)

v6.29.0

Compare Source

Features

• throw an error if attribute includes parentheses (fixes CVE-2023-22578) (#​15710) (d3f5b5a)

v6.28.2

Compare Source

Bug Fixes

• accept undefined in where (#​15703) (13f2e89)

v6.28.1

Compare Source

Bug Fixes

• throw if where receives an invalid value (#​15699) (d9e0728)
• update moment-timezone version (#​15685) (48d6193)

v6.28.0

Compare Source

Features

• types: use retry-as-promised types for retry options to match documentation (#​15484) (fd4afa6)

v6.27.0

Compare Source

Features

• add support for bigints (backport of #​14485) (#​15413) (1247c01)

v6.26.0

Compare Source

Features

• postgres: add support for lock_timeout [#​15345] (#​15355) (94beace)

v6.25.8

Compare Source

Bug Fixes

• oracle: remove hardcoded maxRows value (#​15323) (7885000)

v6.25.7

Compare Source

Bug Fixes

• fix parameters not being replaced when after $$ strings (#​15307) (bc39fd6)

v6.25.6

Compare Source

Bug Fixes

• postgres: invalidate connection after client-side timeout (#​15283) (a205765), closes /github.com/brianc/node-postgres/blob/5538df6b446f4b4f921947b460fe38acb897e579/packages/pg/lib/client.js#L529

v6.25.5

Compare Source

Bug Fixes

• remove options.model overwrite on bulkUpdate (#​15252) (67e69cd), closes #​15231

v6.25.4

Compare Source

Bug Fixes

• types: add instance.dataValues property to model.d.ts (#​15240) (00c6da3)

v6.25.3

Compare Source

Bug Fixes

• don't treat \ as escape in standard strings, support E-strings, support vars after ->> operator, treat lowercase e as valid e-string prefix (#​15139) (7990095), closes #​14700

v6.25.2

Compare Source

Bug Fixes

• types: fix TS 4.9 excessive depth error on InferAttributes (v6) (#​15135) (851daaf)

v6.25.1

Compare Source

Bug Fixes

• types: expose legacy "types" folder in export alias ( #​15123) (9dd93b8)

v6.25.0

Compare Source

Features

• oracle: add support for dialectOptions.connectString (#​15042) (06ad05d)

v6.24.0

Compare Source

Features

• snowflake: Add support for QueryGenerator#tableExistsQuery (#​15087) (a44772e)

v6.23.2

Compare Source

Bug Fixes

• postgres: add custom order direction to subQuery ordering with minified alias (#​15056) (7203b66)

v6.23.1

Compare Source

Bug Fixes

• oracle: add support for Oracle DB 18c CI (#​15016) (5f621d7), closes #​1 #​7 #​9 #​13 #​14 #​16

v6.23.0

Compare Source

Features

• types: add typescript 4.8 compatibility (#​14990) (3468378)

v6.22.1

Compare Source

Bug Fixes

• types: missing type for oracle dialect in v6 (#​14992) (1da6657), closes #​14991

v6.22.0

Compare Source

Features

• oracle: add oracle dialect support (#​14638) (c230d80), closes #​1 #​7 #​9 #​13 #​14 #​16

v6.21.6

Compare Source

Bug Fixes

• types: backport #​14704 for v6 (#​14964) (33d94b2)

v6.21.5

Compare Source

Bug Fixes

• mariadb: do not automatically parse JSON fields (#​14800) (d047f32)

v6.21.4

Compare Source

Bug Fixes

• minified aliases are now properly referenced in subqueries (v6) (#​14852) (5a257bc), closes #​14804

v6.21.3

Compare Source

Bug Fixes

• postgres: attach postgres error-handler earlier in lifecycle (v6) (#​14731) (90bb694)

v6.21.2

Compare Source

Bug Fixes

• properly escape multiple $ in fn args (#​14678) (7bb60e3)

v6.21.1

Compare Source

Bug Fixes

• postgres: use schema set in sequelize config by default (#​14665) (2f3b924)

v6.21.0

Compare Source

Features

• exports types to support typescript >= 4.5 nodenext module (#​14620) (cbdf73e)

v6.20.1

Compare Source

Bug Fixes

• kill connection on commit/rollback error (#​14535) (e1a9c28)

v6.20.0

Compare Source

Features

• support cyclic foreign keys (#​14499) (b37df96)

v6.19.2

Compare Source

Bug Fixes

• accept replacements in ARRAY[] & followed by ; (#​14518) (e37c572)

v6.19.1

Compare Source

Bug Fixes

• do not replace :replacements inside of strings (#​14472) (ccaa399)

⚠️ BREAKING CHANGE: This change is a security fix that patches a serious SQL injection vulnerability, however it is possible that your application made use of it and broke as a result of this change. Please see this issue for more information.

v6.19.0

Compare Source

Bug Fixes

• types: make WhereOptions more accurate (#​14368) (0d0aade)

Features

• types: make Model.init aware of pre-configured foreign keys (#​14370) (5954d2c)

v6.18.0

Compare Source

Features

• add whereScopeStrategy to merge where scopes with Op.and (#​14152) (8349c02)

v6.17.0

Compare Source

Bug Fixes

• fix typo in query-generator.js error message (#​14151) (2d339d0)
• postgres: correctly re-acquire connection for pg-native (#​14090) (82506a6)
• types: drop excess argument for upsert (#​14156) (da8678d)
• types: export GroupedCountResultItem interface (#​14154) (a81b7ab)
• types: update 'replication' option property (#​14126) (7ac1221)
• types: update return type of Model.update (#​14155) (b80aeed)

Features

• types: infer nullable creation attributes as optional (#​14147) (f5c06bd)
• types: make Model.getAttributes stricter (#​14017) (e974e20)

v6.16.3

Compare Source

Bug Fixes

• types: support union in CreationAttributes (#​14146) (d23bd7a)

v6.16.2

Compare Source

Bug Fixes

• types: missing snowflake and db2 dialects (#​14137) (0326c2c)

v6.16.1

Compare Source

Bug Fixes

• correct path to package.json in Sequelize.version (#​14073) (b95c213)

v6.16.0

Compare Source

Features

• gen /lib & /types from /src & drop /dist (v6) (#​14063) (6b8fbb4)

v6.15.1

Compare Source

Bug Fixes

• types: accept $nested.syntax$ in WhereAttributeHash (#​13983) (4a513cf)
• types: correct typing definitions for Sequelize.where (#​14018) (99c612b)
• types: improve branded types (#​13990) (a578ea0)

v6.15.0

Compare Source

Bug Fixes

• types: deduplicate error typings (#​14002) (fc28629)

Features

• add options.rawErrors to Sequelize#query method (#​13881) (7c58851)

v6.14.1

Compare Source

Bug Fixes

• rollback PR #​13951 in v6 (#​14004) (1882f3c)

v6.14.0

Compare Source

Bug Fixes

• don't call overloaded versions of find functions internally (#​13951) (fc53cdb)
• don't call overloaded versions of find functions internally (#​13951) (b253d8e)
• model.d: fix type for count and findAndCountAll (#​13786) (b06c1fc)
• types: add hooks to InstanceDestroyOptions type (#​13491) (dbd9ea8)
• types: add missing fields to FindOr{Create,Build}Options (#​13389) (ef63f8f)
• types: fix QueryInterface#bulkInsert attribute arg type (#​13945) (9e108e3)

Features

• types: add InferAttributes utility type (#​13909) (fd42687)
• types: add typings for DataTypes.TSVECTOR (#​13940) (b8f0463)
• types: drop TypeScript < 4.1 (#​13954) (dd49044)

v6.13.0

Compare Source

Bug Fixes

• fix typings for queries with {plain: true} option (#​13899) (308d017)

Features

• mariadb: add mariadb support in Sequelize.set function (#​13926) (02bda05), closes #​13920
• postgres: drop indices concurrently in Postgres (#​13903) (37f20a6)

v6.12.5

Compare Source

Bug Fixes

• dialect: sequelize pool doesn't take effect in dialect "mssql" (#​13880) (fc155b6)
• model: fix count with grouping typing (#​13884) (49beb29), closes #​13871
• types: improve ModelCtor / ModelStatic typing (#​13890) (34aa808)
• types: omit FK and scope keys in HasManyCreateAssociationMixin (#​13892) (b315ce8)

v6.12.4

Compare Source

Bug Fixes

• mssql/async-queue: fix unable to start mysql due to circular ref (#​13823) (49e8614)

v6.12.3

Compare Source

Bug Fixes

• data-types: moment object throwing error (#​13818) (78c7414)

v6.12.2

Compare Source

Bug Fixes

• abstract: patch jsonb operator for pg if value is json (#​13780) (a2375c5)
• operators: fix ts support for operators.ts (#​13805) (b532ab1)
• postgres: allows usage of schema for ARRAY(ENUM) type name (#​13807) (da5b0ce)
• query-interface: bring back quoteIdentifier(s) to queryInterface (#​13810) (001dc60)

v6.12.1

Compare Source

Bug Fixes

• allow deep imports (#​13795) (1ecdaf9)
• fix invalid ts import style of lib/operators (#​13797) (8acc14f)

v6.12.0

Compare Source

Bug Fixes

• data-types: unnecessary warning when getting data with DATE dataTypes (#​13712) (121884b)
• docs: add aws-lamda route (#​13693) (3059bce)
• example: fix coordinates format as per GeoJson (#​13718) (f9dec20)
• increment: fix key value broken query (#​12985) (fc0b19e)
• model.d: fix findAndCountAll.count type (#​13736) (b7b472e)
• snowflake: fix to prevent disconnect attempt on already disconnected connection (#​13775) (2a9a551)
• types: add Col to where Ops (#​13717) (2d7b865)
• types: add instance member declaration (#​13684) (ae3cde5)
• types: add missing schema field to sequelize options (c7a0839), closes #​12606
• types: allow override json function with custom return type (#​13694) (2c3b384)
• upsert: fall back to DO NOTHING if no update key values provided (#​13594) (4071378)
• upsert: fall back to DO NOTHING if no update key values provided (#​13711) (f9dfaa7), closes #​13594
• wrong interface used within mixin (#​13685) (bd3ddf5)

Features

• dialects: add experimental support for db2 (#​13374) (4443d2a)
• dialect: snowflake dialect support (#​13406) (ad68a5e)
• model: complete getAttributes feature (b6510df)
• typescript: create alpha release with ts (911125e)
• types: transition lib/errors (#​13710) (8cdce6a)
• upsert: add conflictFields option (#​13723) (496bede)

v6.11.0

Compare Source

Features

• option for attributes having dotNotation (#​13670) (41876f1)

v6.10.0

Compare Source

Bug Fixes

• typing on creation within an association (#​13678) (0312f8e)
• logger: change logging depth from 3 to 1 (#​12879) (ddddc24)
• mariadb: fix MariaDB 10.5 JSON (#​13633) (cdd61dd)
• model: clone options object instead of modifying (#​13589) (3be43de)
• mssql: fix sub query issue occurring with renamed primary key fields (#​12801) (73d99ab)
• mssql: sqlserver 2008 fix for using offsets and include criteria (47c4494)
• query: make stacktraces include original calling code (#​13347) (f581543)
• types: Add missing type definitions in models (#​13553) (73ecf6c)
• types: add specifc tojson type in model.d.ts (#​13661) (5924be5)
• types: DataType.TEXT overloading definition (#​13654) (1690801)
• types: include 'paranoid' in IncludeThroughOptions definition (#​13625) (b1fb1f3)
• types: ne op documentation (#​13666) (98485df)
• types: rename types and update CONTRIBUTING docs (#​13348) (1f23924)
• expect result is null but got zero (#​13637) (da3ac09)

Features

• definitions: Adds AbstractQuery and before/afterQuery hook definitions (#​13635) (37a5858)
• postgresql: easier SSL config and options param support (#​13673) (9591573)

v6.9.0

Compare Source

Bug Fixes

• docs: using incorrect esdocs syntax (#​13615) (c3c690b)
• sqlite: quote table names in sqlite getForeignKeysQuery (#​13587) (eeb6a8f)
• upsert: do not overwrite an explcit created_at during upsert (#​13593) (594cee8)

Features

• mysql: add support for MySQL v8 (#​13618) (35978f0)

v6.8.0

Compare Source

Bug Fixes

• types: allow any values in isIn validator (#​12962) (d511d91)
• allows insert primary key with zero (#​13458) (e4aff2f)
• model: Convert number values only if they aren't null to avoid NaN (199b632)
• model.d: accept [Op.is] in where (broken in TypeScript 4.4) (#​13499) (d685a9a)
• postgres: fix findCreateFind to work with postgres transactions (#​13482) (84421d7)
• select: do not force set subQuery to false (#​13490) (0943339)
• sqlite: fix wrongly overwriting storage if empty string (#​13376) (c3e608b), closes #​13375
• types: add missing upsert hooks (#​13394) (5e9c209)
• types: extend BulkCreateOptions by SearchPathable (#​13469) (47c2d05), closes #​13454
• types: typo in model.d.ts (#​13574) (31d0fbc)

Features

• postgres: support query_timeout dialect option (#​13258) (3ca085d)
• typings: add UnknownConstraintError (#​13461) (69d899e)

v6.7.0

Compare Source

Bug Fixes

• deps: upgrade to secure versions of dev deps (#​13549) (cf53734)
• docs: fix typo in documentation for polymorphic associations (#​13405) (bbf3d76)
• types: allow rangable to take a string tuple (#​13486) (ca2a11a)

Features

• test: add test for nested column in where query (#​13478) (26b62c7), closes #​13288
• types: make config type deeply writeable for before connect hook (#​13424) (f078f77)

v6.6.5

Compare Source

Bug Fixes

• dependency: upgrade validator (#​13350) (56bb1d6)

v6.6.4

Compare Source

Bug Fixes

• typings: make Transactionable compatible with TransactionOptions (#​13334) (cd2de40)
• utils: clone attributes before mutating them (#​13226) (1a16b91)
• data-types: use proper field name for ARRAY(ENUM) (#​13210) (1cfbd33)
• typings: fix ignoreDuplicates option (#​13220) (b33d78e)
• typings: allow schema for queryInterface methods (#​13223) (6b0b532)
• typings: restrict update typings (#​13216) (63ceb73)
• typings: returning can specify column names (#​13215) (143cc84)
• typings: model init returns model class, not instance (#​13214) (8f2a0d5)
• plurals: bump inflection dependency (#​13260) (deeb5c6)
• bulk-create: ON CONFLICT with unique index (#​13345) (6dcb565)

v6.6.2

Compare Source

Bug Fixes

• types: fix Model.prototype.previous() (#​13042) (5b16b32)

v6.6.1

Compare Source

Bug Fixes

• query-generator: use AND in sql for not/between (#​13043) (a663c54)
• sqlite: retrieve primary key on upsert (#​12991) (023e1d9)
• types: allow (keyof TAttributes)[] in UpdateOptions.returning (#​13130) (97ba242)
• types: models with attributes couldn't be used in some cases (#​13010) (de5f21d)
• types: remove string from Order type (#​13057) (ac39f8a)

v6.6.0

Compare Source

Bug Fixes

• types: allow sequelize.col in attributes (#​13105) (3fd64cb)
• types: allow bigints in WhereValue (#​13028) (8892507)
• types: decapitalize queryGenerator property (#​13126) (9cb4d7f)
• types: fix Model#previous type (#​13106) (466e361)
• types: fix ValidationErrorItem types (#​13108) (e35a9bf)

Features

• add-constraint: add deferrable option (#​13096) (f98bd7e)

v6.5.1

Compare Source

Bug Fixes

• mysql: release connection on deadlocks (#​13102) (6388507)
  • Note: this complements the work done in 6.5.0, fixing another situation not covered by it with MySQL.
• types: allow transaction to be null (#​13093) (ced4dc7)

v6.5.0

Compare Source

Second release in 2021! 🎉

Bug Fixes

• mysql, mariadb: release connection on deadlocks (#​12841) (c77b1f3)
• types: allow changing values on before hooks (#​12970) (e5b8929)
• types: typo in sequelize.js and sequelize.d.ts (#​12975) (2fe980e)

Features

• postgres: add TSVECTOR datatype and @@​ operator (#​12955) (e45df29)

v6.4.0

Compare Source

First release in 2021! 🎉

Bug Fixes

• types: better support for readonly arrays (287607a)
• types: remove part forgotten in #​12175 (2249ded)

Features

• query-interface: support composite foreign keys (#​12456) (9ecebef)

v6.3.5

Compare Source

Bug Fixes

• truncate: fix missing await in truncate all models with cascade (#​12664) (933b3f6)

v6.3.4

Compare Source

Bug Fixes

• model: handle true timestamp fields correctly (#​12580) (#​12581) (490db41)

v6.3.3

Compare Source

Bug Fixes

• mark database drivers as optional peer dependencies (#​12484) ([ec2af0d](https://togithub.com/sequelize/sequelize/

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.