Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Array is being stored as [object Object] in v5.1.6 #1694

Open
shubhamp-sf opened this issue Mar 23, 2023 · 6 comments
Open

Array is being stored as [object Object] in v5.1.6 #1694

shubhamp-sf opened this issue Mar 23, 2023 · 6 comments
Labels
bug

Comments

@shubhamp-sf
Copy link

shubhamp-sf commented Mar 23, 2023
edited
Loading

Issue Summary

This package had a vulnerability from v5.0.0 - v5.1.4, which is said to be fixed by this commit and published starting the version 5.1.6, but this version came with a breaking change i.e. an array is being stored as [object Object]. As can be seen in sample.log in my reproduction code whereas the same works in 5.1.4.

Steps to Reproduce

Reproduction repo: https://github.com/shubhamp-sf/sequelize-x-sqlite3-5.1.6

Version

5.1.6

Node.js Version

v18.15.0

How did you install the library?

Using npm on Darwin arm64 based machine.
@shubhamp-sf shubhamp-sf mentioned this issue Mar 23, 2023
Merged
1 task
@shubhamp-sf
Copy link
Author

@daniellockyer can I have your attention on this please? It's breaking since that vulner.. fix.

@syl-oh
Copy link

syl-oh commented Mar 28, 2023
edited
Loading

I have seen the same thing with date being saved as [object Object] since the vulnerability fix. In our case we had to save it as string instead of Date.

@shubhamp-sf
Copy link
Author

@syl-oh that's kind of a workaround then, This change should have been introduced as BREAKING by maintainers if they expect us to change all those affected type (date, object etc.).
But either way It shouldn't affect the existing types as far as I've read the vulnerability.

@SebSiecz
Copy link

SebSiecz commented Apr 1, 2023

an array stored gets returned as [object Object].

Also seeing this with arrays since the vulnerability fix, but not only returned as this, but the actual value stored in the DB file is [object Object] so potential data loss there.

@shubhamp-sf shubhamp-sf changed the title Array is being returned as [object Object] in v5.1.6 Array is being stored as [object Object] in v5.1.6 Apr 3, 2023
shubhamp-sf referenced this issue Apr 3, 2023
@daniellockyer
Fixed code execution vulnerability due to Object coercion
edb1934 
refs GHSA-jqv5-7xpx-qj74
fixes TryGhost/Toolbox#491

- when you call `ToString()` on `Napi::Value`, it calls
  `napi_coerce_to_string` underneath, which has the ability to run
  arbitrary JS code if the passed in value is a crafted object
- both remote code execution or denial-of-service are possible via
  this vulnerability
- `toString()` on an Object returns `[object Object]` so instead of
  calling the function, we're going to hardcode it to prevent this
  issue

Credits: Dave McDaniel of Cisco Talos
@shubhamp-sf shubhamp-sf mentioned this issue Apr 4, 2023
Closed
1 task
@shubhamp-sf shubhamp-sf mentioned this issue Apr 20, 2023
Merged
11 tasks
@shubhamp-sf shubhamp-sf mentioned this issue May 21, 2023
Closed
8 tasks
shubhamp-sf added a commit to shubhamp-sf/loopback-next that referenced this issue May 21, 2023
@shubhamp-sf
fix(sequelize): statically use 5.1.4 version of sqlite3
0040c5b 
Due to a bug in the latest version: TryGhost/node-sqlite3#1694

Signed-off-by: Shubham P <[email protected]>
@shubhamp-sf shubhamp-sf mentioned this issue May 21, 2023
Merged
8 tasks
samarpanB pushed a commit to loopbackio/loopback-next that referenced this issue May 21, 2023
@shubhamp-sf @samarpanB
fix(sequelize): statically use 5.1.4 version of sqlite3
135a500 
Due to a bug in the latest version: TryGhost/node-sqlite3#1694

Signed-off-by: Shubham P <[email protected]>
@yanguoyu yanguoyu mentioned this issue Jun 1, 2023
Merged
@shubhamp-sf
Copy link
Author

@daniellockyer Can you please fix it? It's a major bug.

@mvduin
Copy link

mvduin commented Jul 19, 2023

Even if stringifying arguments were an actual security vulnerability (it isn't), the correct fix would have been to throw a TypeError, not silently corrupt user data. Nobody wants to insert "[object Object]" into a database.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@mvduin @SebSiecz @syl-oh @shubhamp-sf