Critical severity · NVD Advisory · Published Jan 6, 2023 · Updated Aug 5, 2024

PeterMu nodebatis sql injection

CVE-2018-25066

Description

A vulnerability was found in PeterMu nodebatis up to 2.1.x and has been classified as critical. The affected function is not identified; manipulation of its input leads to SQL injection. Upgrading to version 2.2.0 addresses this issue; the patch is identified as 6629ff5b7e3d62ad8319007a54589ec1f62c7c35. Upgrading the affected component is recommended. VDB-217554 is the identifier assigned to this vulnerability.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
nodebatis (npm) | < 2.2.0 | 2.2.0


Patches

6629ff5b7e3d

fix bug of sql injection in sqlBuilder

https://github.com/PeterMu/nodebatisPeterMuJan 13, 2018via ghsa
9 files changed · +3596 36
  • dist/lib/pool.js+6 6 modified
    @@ -44,7 +44,7 @@ var _class = function () {
         _createClass(_class, [{
             key: 'getConn',
             value: function () {
    -            var _ref = _asyncToGenerator(regeneratorRuntime.mark(function _callee() {
    +            var _ref = _asyncToGenerator( /*#__PURE__*/regeneratorRuntime.mark(function _callee() {
                     var conn;
                     return regeneratorRuntime.wrap(function _callee$(_context) {
                         while (1) {
    @@ -74,7 +74,7 @@ var _class = function () {
         }, {
             key: 'releaseConn',
             value: function () {
    -            var _ref2 = _asyncToGenerator(regeneratorRuntime.mark(function _callee2(conn) {
    +            var _ref2 = _asyncToGenerator( /*#__PURE__*/regeneratorRuntime.mark(function _callee2(conn) {
                     return regeneratorRuntime.wrap(function _callee2$(_context2) {
                         while (1) {
                             switch (_context2.prev = _context2.next) {
    @@ -98,7 +98,7 @@ var _class = function () {
         }, {
             key: 'query',
             value: function () {
    -            var _ref3 = _asyncToGenerator(regeneratorRuntime.mark(function _callee3(key, sql, params, transationConn) {
    +            var _ref3 = _asyncToGenerator( /*#__PURE__*/regeneratorRuntime.mark(function _callee3(key, sql, params, transationConn) {
                     var that, conn, _that;
     
                     return regeneratorRuntime.wrap(function _callee3$(_context3) {
    @@ -170,7 +170,7 @@ var _class = function () {
         }, {
             key: 'beginTransation',
             value: function () {
    -            var _ref4 = _asyncToGenerator(regeneratorRuntime.mark(function _callee4() {
    +            var _ref4 = _asyncToGenerator( /*#__PURE__*/regeneratorRuntime.mark(function _callee4() {
                     var conn;
                     return regeneratorRuntime.wrap(function _callee4$(_context4) {
                         while (1) {
    @@ -200,7 +200,7 @@ var _class = function () {
         }, {
             key: 'commit',
             value: function () {
    -            var _ref5 = _asyncToGenerator(regeneratorRuntime.mark(function _callee5(conn) {
    +            var _ref5 = _asyncToGenerator( /*#__PURE__*/regeneratorRuntime.mark(function _callee5(conn) {
                     return regeneratorRuntime.wrap(function _callee5$(_context5) {
                         while (1) {
                             switch (_context5.prev = _context5.next) {
    @@ -228,7 +228,7 @@ var _class = function () {
         }, {
             key: 'rollback',
             value: function () {
    -            var _ref6 = _asyncToGenerator(regeneratorRuntime.mark(function _callee6(conn) {
    +            var _ref6 = _asyncToGenerator( /*#__PURE__*/regeneratorRuntime.mark(function _callee6(conn) {
                     return regeneratorRuntime.wrap(function _callee6$(_context6) {
                         while (1) {
                             switch (_context6.prev = _context6.next) {
    
  • dist/lib/sqlBuilder.js+13 5 modified
    @@ -3,25 +3,28 @@
     Object.defineProperty(exports, "__esModule", {
         value: true
     });
    -/**
    - * sql 构造
    - */
    +exports.getDelSql = exports.getUpdateSql = exports.getInsertSql = undefined;
    +
    +var _sqlstring = require('sqlstring');
     
     var getInsertSql = exports.getInsertSql = function getInsertSql(tableName, data) {
         var columns = [],
             params = [],
             holders = [],
             sql = '';
    +    tableName = (0, _sqlstring.escapeId)(tableName);
         for (var key in data) {
    -        columns.push(key);
    +        columns.push((0, _sqlstring.escapeId)(key));
             holders.push('?');
             params.push(data[key]);
         }
         columns = columns.join(',');
         holders = holders.join(',');
         sql = 'insert into ' + tableName + ' (' + columns + ') values (' + holders + ')';
         return { sql: sql, params: params };
    -};
    +}; /**
    +    * sql 构造
    +    */
     
     var getUpdateSql = exports.getUpdateSql = function getUpdateSql(tableName, data) {
         var idKey = arguments.length > 2 && arguments[2] !== undefined ? arguments[2] : 'id';
    @@ -30,8 +33,11 @@ var getUpdateSql = exports.getUpdateSql = function getUpdateSql(tableName, data)
             params = [],
             holders = [];
         var where = '';
    +    tableName = (0, _sqlstring.escapeId)(tableName);
    +    idKey = (0, _sqlstring.escapeId)(idKey);
         for (var key in data) {
             if (key != idKey) {
    +            key = (0, _sqlstring.escapeId)(key);
                 holders.push(key + ' = ?');
                 params.push(data[key]);
             }
    @@ -49,6 +55,8 @@ var getDelSql = exports.getDelSql = function getDelSql(tableName, id) {
         var idKey = arguments.length > 2 && arguments[2] !== undefined ? arguments[2] : 'id';
     
         var sql = 'delete from ' + tableName + ' where ' + idKey + ' = ?';
    +    tableName = (0, _sqlstring.escapeId)(tableName);
    +    idKey = (0, _sqlstring.escapeId)(idKey);
         return {
             sql: sql,
             params: [id]
    
  • dist/nodebatis.js+17 17 modified
    @@ -56,7 +56,7 @@ var NodeBatis = function () {
         _createClass(NodeBatis, [{
             key: 'execute',
             value: function () {
    -            var _ref = _asyncToGenerator(regeneratorRuntime.mark(function _callee(key, data, transationConn) {
    +            var _ref = _asyncToGenerator( /*#__PURE__*/regeneratorRuntime.mark(function _callee(key, data, transationConn) {
                     var sqlObj, result;
                     return regeneratorRuntime.wrap(function _callee$(_context) {
                         while (1) {
    @@ -91,7 +91,7 @@ var NodeBatis = function () {
         }, {
             key: 'query',
             value: function () {
    -            var _ref2 = _asyncToGenerator(regeneratorRuntime.mark(function _callee2(key, data, transationConn) {
    +            var _ref2 = _asyncToGenerator( /*#__PURE__*/regeneratorRuntime.mark(function _callee2(key, data, transationConn) {
                     return regeneratorRuntime.wrap(function _callee2$(_context2) {
                         while (1) {
                             switch (_context2.prev = _context2.next) {
    @@ -119,7 +119,7 @@ var NodeBatis = function () {
         }, {
             key: 'insert',
             value: function () {
    -            var _ref3 = _asyncToGenerator(regeneratorRuntime.mark(function _callee3(tableName, data, transationConn) {
    +            var _ref3 = _asyncToGenerator( /*#__PURE__*/regeneratorRuntime.mark(function _callee3(tableName, data, transationConn) {
                     var sqlObj, key;
                     return regeneratorRuntime.wrap(function _callee3$(_context3) {
                         while (1) {
    @@ -162,7 +162,7 @@ var NodeBatis = function () {
         }, {
             key: 'update',
             value: function () {
    -            var _ref4 = _asyncToGenerator(regeneratorRuntime.mark(function _callee4(tableName, data, idKey, transationConn) {
    +            var _ref4 = _asyncToGenerator( /*#__PURE__*/regeneratorRuntime.mark(function _callee4(tableName, data, idKey, transationConn) {
                     var sqlObj, key;
                     return regeneratorRuntime.wrap(function _callee4$(_context4) {
                         while (1) {
    @@ -205,7 +205,7 @@ var NodeBatis = function () {
         }, {
             key: 'del',
             value: function () {
    -            var _ref5 = _asyncToGenerator(regeneratorRuntime.mark(function _callee5(tableName, id, idKey, transationConn) {
    +            var _ref5 = _asyncToGenerator( /*#__PURE__*/regeneratorRuntime.mark(function _callee5(tableName, id, idKey, transationConn) {
                     var sqlObj, key;
                     return regeneratorRuntime.wrap(function _callee5$(_context5) {
                         while (1) {
    @@ -251,7 +251,7 @@ var NodeBatis = function () {
         }, {
             key: 'getTransation',
             value: function () {
    -            var _ref6 = _asyncToGenerator(regeneratorRuntime.mark(function _callee13() {
    +            var _ref6 = _asyncToGenerator( /*#__PURE__*/regeneratorRuntime.mark(function _callee13() {
                     var _this = this;
     
                     var that, conn, nodebatis;
    @@ -268,7 +268,7 @@ var NodeBatis = function () {
                                     nodebatis = {
                                         conn: conn,
                                         execute: function () {
    -                                        var _ref7 = _asyncToGenerator(regeneratorRuntime.mark(function _callee6(key, data) {
    +                                        var _ref7 = _asyncToGenerator( /*#__PURE__*/regeneratorRuntime.mark(function _callee6(key, data) {
                                                 return regeneratorRuntime.wrap(function _callee6$(_context6) {
                                                     while (1) {
                                                         switch (_context6.prev = _context6.next) {
    @@ -292,7 +292,7 @@ var NodeBatis = function () {
                                             };
                                         }(),
                                         query: function () {
    -                                        var _ref8 = _asyncToGenerator(regeneratorRuntime.mark(function _callee7(key, data) {
    +                                        var _ref8 = _asyncToGenerator( /*#__PURE__*/regeneratorRuntime.mark(function _callee7(key, data) {
                                                 return regeneratorRuntime.wrap(function _callee7$(_context7) {
                                                     while (1) {
                                                         switch (_context7.prev = _context7.next) {
    @@ -316,7 +316,7 @@ var NodeBatis = function () {
                                             };
                                         }(),
                                         insert: function () {
    -                                        var _ref9 = _asyncToGenerator(regeneratorRuntime.mark(function _callee8(tableName, data) {
    +                                        var _ref9 = _asyncToGenerator( /*#__PURE__*/regeneratorRuntime.mark(function _callee8(tableName, data) {
                                                 return regeneratorRuntime.wrap(function _callee8$(_context8) {
                                                     while (1) {
                                                         switch (_context8.prev = _context8.next) {
    @@ -340,7 +340,7 @@ var NodeBatis = function () {
                                             };
                                         }(),
                                         update: function () {
    -                                        var _ref10 = _asyncToGenerator(regeneratorRuntime.mark(function _callee9(tableName, data, idKey) {
    +                                        var _ref10 = _asyncToGenerator( /*#__PURE__*/regeneratorRuntime.mark(function _callee9(tableName, data, idKey) {
                                                 return regeneratorRuntime.wrap(function _callee9$(_context9) {
                                                     while (1) {
                                                         switch (_context9.prev = _context9.next) {
    @@ -364,7 +364,7 @@ var NodeBatis = function () {
                                             };
                                         }(),
                                         del: function () {
    -                                        var _ref11 = _asyncToGenerator(regeneratorRuntime.mark(function _callee10(tableName, id, idKey) {
    +                                        var _ref11 = _asyncToGenerator( /*#__PURE__*/regeneratorRuntime.mark(function _callee10(tableName, id, idKey) {
                                                 return regeneratorRuntime.wrap(function _callee10$(_context10) {
                                                     while (1) {
                                                         switch (_context10.prev = _context10.next) {
    @@ -388,7 +388,7 @@ var NodeBatis = function () {
                                             };
                                         }(),
                                         commit: function () {
    -                                        var _ref12 = _asyncToGenerator(regeneratorRuntime.mark(function _callee11() {
    +                                        var _ref12 = _asyncToGenerator( /*#__PURE__*/regeneratorRuntime.mark(function _callee11() {
                                                 var ret;
                                                 return regeneratorRuntime.wrap(function _callee11$(_context11) {
                                                     while (1) {
    @@ -432,7 +432,7 @@ var NodeBatis = function () {
                                             };
                                         }(),
                                         rollback: function () {
    -                                        var _ref13 = _asyncToGenerator(regeneratorRuntime.mark(function _callee12() {
    +                                        var _ref13 = _asyncToGenerator( /*#__PURE__*/regeneratorRuntime.mark(function _callee12() {
                                                 var ret;
                                                 return regeneratorRuntime.wrap(function _callee12$(_context12) {
                                                     while (1) {
    @@ -495,7 +495,7 @@ var NodeBatis = function () {
         }, {
             key: 'beginTransation',
             value: function () {
    -            var _ref14 = _asyncToGenerator(regeneratorRuntime.mark(function _callee15() {
    +            var _ref14 = _asyncToGenerator( /*#__PURE__*/regeneratorRuntime.mark(function _callee15() {
                     var _this2 = this;
     
                     var that, conn;
    @@ -511,7 +511,7 @@ var NodeBatis = function () {
                                     conn = _context15.sent;
     
                                     conn.execute = function () {
    -                                    var _ref15 = _asyncToGenerator(regeneratorRuntime.mark(function _callee14(key, data) {
    +                                    var _ref15 = _asyncToGenerator( /*#__PURE__*/regeneratorRuntime.mark(function _callee14(key, data) {
                                             return regeneratorRuntime.wrap(function _callee14$(_context14) {
                                                 while (1) {
                                                     switch (_context14.prev = _context14.next) {
    @@ -553,7 +553,7 @@ var NodeBatis = function () {
         }, {
             key: 'commit',
             value: function () {
    -            var _ref16 = _asyncToGenerator(regeneratorRuntime.mark(function _callee16(conn) {
    +            var _ref16 = _asyncToGenerator( /*#__PURE__*/regeneratorRuntime.mark(function _callee16(conn) {
                     return regeneratorRuntime.wrap(function _callee16$(_context16) {
                         while (1) {
                             switch (_context16.prev = _context16.next) {
    @@ -581,7 +581,7 @@ var NodeBatis = function () {
         }, {
             key: 'rollback',
             value: function () {
    -            var _ref17 = _asyncToGenerator(regeneratorRuntime.mark(function _callee17(conn) {
    +            var _ref17 = _asyncToGenerator( /*#__PURE__*/regeneratorRuntime.mark(function _callee17(conn) {
                     return regeneratorRuntime.wrap(function _callee17$(_context17) {
                         while (1) {
                             switch (_context17.prev = _context17.next) {
    
  • package.json+2 1 modified
    @@ -1,6 +1,6 @@
     {
       "name": "nodebatis",
    -  "version": "2.1.3",
    +  "version": "2.2.0",
       "description": "a sql style orm for nodejs",
       "main": "dist/nodebatis.js",
       "scripts": {
    @@ -19,6 +19,7 @@
         "babel-polyfill": "^6.9.1",
         "js-yaml": "^3.6.1",
         "mysql": "^2.11.1",
    +    "sqlstring": "^2.3.0",
         "validator": "^5.5.0"
       },
       "devDependencies": {
    
  • package-lock.json+3537 0 added
  • src/lib/sqlBuilder.js+9 1 modified
    @@ -2,10 +2,13 @@
      * sql 构造
      */
     
    +import { escapeId } from 'sqlstring'
    +
     export const getInsertSql = (tableName, data) => {
         let columns = [], params = [], holders = [], sql = '' 
    +    tableName = escapeId(tableName)
         for (let key in data) {
    -        columns.push(key)
    +        columns.push(escapeId(key))
             holders.push('?')
             params.push(data[key])
         }
    @@ -18,8 +21,11 @@ export const getInsertSql = (tableName, data) => {
     export const getUpdateSql = (tableName, data, idKey = 'id') => {
         let sql = '', params = [], holders = []
         let where = '' 
    +    tableName = escapeId(tableName)
    +    idKey = escapeId(idKey)
         for (let key in data) {
             if (key != idKey) {
    +            key = escapeId(key)
                 holders.push(`${key} = ?`)
                 params.push(data[key])
             }
    @@ -35,6 +41,8 @@ export const getUpdateSql = (tableName, data, idKey = 'id') => {
     
     export const getDelSql = (tableName, id, idKey = 'id') => {
         let sql = `delete from ${tableName} where ${idKey} = ?`
    +    tableName = escapeId(tableName)
    +    idKey = escapeId(idKey)
         return {
             sql: sql,
             params: [id]
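Review bot: In the getDelSql hunk the escaping is applied after the SQL text is already built: the `let sql = ...` line on the first line of the function interpolates the raw `tableName` and `idKey`, and the two `escapeId` reassignments that follow only write locals that are never read again, so the delete path still emits unescaped identifiers after this commit; move the `let sql = ...` line below the two `escapeId(...)` calls. The getUpdateSql hunk has the inverse ordering problem: `key = escapeId(key)` runs before `params.push(data[key])`, so the lookup uses the backtick-quoted name and every parameter becomes undefined, and `key != idKey` now compares a raw key with the already-escaped `idKey`, so the id column is no longer excluded from the SET list. Keep the raw key for data access and the comparison and use the escaped form only in the SQL text, e.g. `if (escapeId(key) != idKey) {`, `holders.push(escapeId(key) + ' = ?')` (template form equivalent), `params.push(data[key])`; the where clause of getUpdateSql continues below the hunk, so check whether it also reads `data[idKey]`, which would have the same lookup problem. dist/lib/sqlBuilder.js is the compiled copy of this file and carries both orderings unchanged.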
    
  • test/dist/test.js+7 4 modified
    @@ -23,7 +23,7 @@ var nodebatis = new NodeBatis(path.resolve(__dirname, '../yaml'), {
     });
     
     var queryTest = function () {
    -	var _ref = _asyncToGenerator(regeneratorRuntime.mark(function _callee(name, age) {
    +	var _ref = _asyncToGenerator( /*#__PURE__*/regeneratorRuntime.mark(function _callee(name, age) {
     		var ret;
     		return regeneratorRuntime.wrap(function _callee$(_context) {
     			while (1) {
    @@ -60,7 +60,7 @@ var queryTest = function () {
     }();
     
     var insertTest = function () {
    -	var _ref2 = _asyncToGenerator(regeneratorRuntime.mark(function _callee2() {
    +	var _ref2 = _asyncToGenerator( /*#__PURE__*/regeneratorRuntime.mark(function _callee2() {
     		var ret;
     		return regeneratorRuntime.wrap(function _callee2$(_context2) {
     			while (1) {
    @@ -88,7 +88,7 @@ var insertTest = function () {
     }();
     
     var updateTest = function () {
    -	var _ref3 = _asyncToGenerator(regeneratorRuntime.mark(function _callee3() {
    +	var _ref3 = _asyncToGenerator( /*#__PURE__*/regeneratorRuntime.mark(function _callee3() {
     		var ret;
     		return regeneratorRuntime.wrap(function _callee3$(_context3) {
     			while (1) {
    @@ -116,7 +116,7 @@ var updateTest = function () {
     }();
     
     var deleteTest = function () {
    -	var _ref4 = _asyncToGenerator(regeneratorRuntime.mark(function _callee4() {
    +	var _ref4 = _asyncToGenerator( /*#__PURE__*/regeneratorRuntime.mark(function _callee4() {
     		var ret;
     		return regeneratorRuntime.wrap(function _callee4$(_context4) {
     			while (1) {
    @@ -143,4 +143,7 @@ var deleteTest = function () {
     	};
     }();
     
    +insertTest();
    +updateTest();
    +deleteTest();
     queryTest();
    \ No newline at end of file
    
  • test/dist/transationTest.js+2 2 modified
    @@ -23,7 +23,7 @@ var nodebatis = new NodeBatis(path.resolve(__dirname, '../yaml'), {
     });
     
     var transationTest = function () {
    -    var _ref = _asyncToGenerator(regeneratorRuntime.mark(function _callee() {
    +    var _ref = _asyncToGenerator( /*#__PURE__*/regeneratorRuntime.mark(function _callee() {
             var tdao, result3, result1, result2;
             return regeneratorRuntime.wrap(function _callee$(_context) {
                 while (1) {
    @@ -75,7 +75,7 @@ var transationTest = function () {
         return function transationTest() {
             return _ref.apply(this, arguments);
         };
    -}();_asyncToGenerator(regeneratorRuntime.mark(function _callee2() {
    +}();_asyncToGenerator( /*#__PURE__*/regeneratorRuntime.mark(function _callee2() {
         var result;
         return regeneratorRuntime.wrap(function _callee2$(_context2) {
             while (1) {
    
  • test/src/test.js+3 0 modified
    @@ -42,4 +42,7 @@ let deleteTest = async () => {
     	console.log(ret)
     }
     
    +insertTest()
    +updateTest()
    +deleteTest()
     queryTest()
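Review bot: The three calls added before `queryTest()` invoke async functions without awaiting them (`deleteTest` is declared `async` on the hunk's context line, and the others presumably are too), so insert, update, delete and query run concurrently against the same database and their relative order, and therefore the outcome of each, is not deterministic; sequence them with `await` inside an async wrapper or chain them with `.then`. Nothing visible in this hunk asserts the shape of the generated SQL either; a pure unit test that calls getDelSql/getUpdateSql with an identifier needing quoting and compares the returned `sql` string would pin the escaping without a live database and would expose an escape applied after the string is built. The test bodies are defined above the hunk, so whether they check results beyond logging is not visible here.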
    


References

