crud-query-parser TypeORM Adapter SQL Injection Vulnerability

A SQL injection vulnerability has been identified in the crud-query-parser library, specifically within the TypeORM adapter. This issue arises from improper handling of the order/sort parameter, allowing malicious SQL queries to be injected. The vulnerability affects versions prior to 0.1.0, and impacts users who have ordering enabled and have not configured a property filter.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can manipulate database queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.

Remediation

Users can upgrade to crud-query-parser version 0.1.0 or later, which includes a fix for this vulnerability by introducing TypeORM field validation. Alternatively, users can add an allowlist of fields to filter out invalid ones before passing the request to the TypeORM adapter, or disable ordering by clearing the order field before it is processed by the adapter.