Kysely SQL Injection Vulnerability in MySQL Dialect
Vulnerability
A SQL injection vulnerability has been identified in Kysely, a type-safe TypeScript SQL query builder, in versions prior to 0.28.14. The issue arises in the `DefaultQueryCompiler.sanitizeStringLiteral()` method, which only escapes single quotes by doubling them but fails to properly escape backslashes. This oversight can be exploited in the MySQL dialect, where the `NO_BACKSLASH_ESCAPES` option is OFF by default. An attacker can use a backslash to escape the trailing quote of a string literal, breaking out of the string context and injecting arbitrary SQL. The vulnerability affects any code path that uses `ImmediateValueTransformer` to inline values, specifically `CreateIndexBuilder.where()` and `CreateViewBuilder.as()`.
Impact
Exploitation allows for arbitrary SQL injection, with potential consequences including unauthorized data access, data modification or deletion, and authentication bypass in certain application contexts.
Reproduction
To reproduce this vulnerability, create a Kysely database instance with the MySQL dialect. Then, use the `CreateIndexBuilder.where()` method to pass a crafted string that includes a backslash followed by a single quote and a SQL injection payload. The injected SQL will be executed by the database, demonstrating successful exploitation of the vulnerability.
Remediation
Users can update to Kysely version 0.28.14 or later, where this vulnerability has been fixed. Alternatively, for those using the MySQL dialect, the `MysqlQueryCompiler` can be modified to properly escape backslashes in string literals before doubling quotes.
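The following TypeScript is an added example, not Kysely's own code: it models the escaping flaw described under Vulnerability (quotes doubled, backslashes left alone) next to the hardened escaping the Remediation section describes (backslashes escaped before quotes are doubled), and adds a small checker that reads a single-quoted literal the way MySQL does with `NO_BACKSLASH_ESCAPES` off, so a test can tell whether a produced literal actually closes where the query builder expects it to. Function names and the sample inputs are assumptions made for illustration.

```typescript
// Added example (not Kysely's code). Models the weak and hardened string-literal
// escaping for the MySQL dialect and a guard that detects an unterminated literal.

// Weak escaping, as the advisory describes: only single quotes are doubled.
// Under MySQL's default mode a trailing backslash escapes the closing quote.
function weakSanitizeStringLiteral(value: string): string {
  return "'" + value.replace(/'/g, "''") + "'";
}

// Hardened escaping for MySQL with NO_BACKSLASH_ESCAPES off:
// escape backslashes first, then double the single quotes.
function mysqlSanitizeStringLiteral(value: string): string {
  return "'" + value.replace(/\\/g, "\\\\").replace(/'/g, "''") + "'";
}

// Reads a single-quoted literal from the start of `sql` using MySQL's rules
// when NO_BACKSLASH_ESCAPES is off: a backslash escapes the next character and
// a doubled quote is a literal quote. Returns the index just past the closing
// quote, or -1 if the literal never closes.
function mysqlLiteralEnd(sql: string): number {
  if (sql[0] !== "'") return -1;
  let i = 1;
  while (i < sql.length) {
    const c = sql[i];
    if (c === "\\") {            // backslash: skip the escaped character
      i += 2;
      continue;
    }
    if (c === "'") {
      if (sql[i + 1] === "'") {  // '' inside the literal is an escaped quote
        i += 2;
        continue;
      }
      return i + 1;              // unescaped quote closes the literal
    }
    i++;
  }
  return -1;                     // ran off the end: literal is unterminated
}

// Guard for a compiler or a regression test: the produced text must be exactly
// one closed literal with nothing spilling out after it.
function literalIsSelfContained(sql: string): boolean {
  return mysqlLiteralEnd(sql) === sql.length;
}

// Constructed sample inputs: a plain value with a quote, and a value whose
// final character is a backslash (the case the weak escaper mishandles).
const SAMPLE_QUOTED = "it's";
const SAMPLE_TRAILING_BACKSLASH = "abc\\";

// Summary used by the test: does each escaper keep both samples self-contained?
function escaperIsSafe(escape: (v: string) => string): boolean {
  return [SAMPLE_QUOTED, SAMPLE_TRAILING_BACKSLASH]
    .map(escape)
    .every(literalIsSelfContained);
}

console.log("weak     :", escaperIsSafe(weakSanitizeStringLiteral));   // false
console.log("hardened :", escaperIsSafe(mysqlSanitizeStringLiteral)); // true
```

The checker is deliberately a tokenizer, not a blocklist: it does not look for any particular payload, only for whether the closing quote the builder appended is still the closing quote after MySQL applies its escape rules. That makes it usable as a unit test for any dialect's `sanitizeStringLiteral` override, and it fails the weak escaper on an ordinary trailing backslash, with no injection text involved.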
