VULN NodeJS + TypeORM

  • Versions: SonarQube Version 7.9.1 (build 27448) + Sonar-Scanner MacOS Version 4.2.0.1873
  • Trying to detect SQL Injection VULNs in TypeORM usages

I am trying to detect SQL injection patterns in wrong usages of TypeORM like:
this.connection.query(`SELECT XYZ, ABC FROM A WHERE ABC = ${aValue}`);
instead of:
this.connection.query(`SELECT XYZ, ABC FROM A WHERE ABC = $1`, [aValue]);
where this.connection is a Connection from import { Connection } from 'typeorm';

The rule javascript:S2077 is properly enabled.

The result: nothing is detected.

Do I need to enable other specific rules (a TypeORM rule?)

Best
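A small added check for the pattern described in the question (example code, not SonarSource's or TypeORM's own): it scans file contents line by line for a value interpolated into the SQL string passed to `.query()`, and also flags string concatenation, which the question does not mention but is the same defect. The sample file contents are constructed.

```javascript
// Added example (not SonarSource or TypeORM code): a line-based check for the
// anti-pattern in the question, a value interpolated into the SQL string
// handed to connection.query(). It also flags string concatenation, the same
// defect written differently. Heuristic only: it does not parse JavaScript, so
// it misses calls split across lines or SQL strings built earlier and passed
// in by name; a real rule such as S2077 works on the AST instead.

// Template literal containing ${...} as the first argument of .query(
const INTERPOLATED_RE = /\.query\(\s*`[^`]*\$\{/;
// Quoted string followed by + as the first argument of .query(
const CONCATENATED_RE = /\.query\(\s*(?:'[^']*'|"[^"]*")\s*\+/;

/**
 * Scans source text and returns one finding per suspicious line.
 * @param {string} source contents of a .js/.ts file
 * @returns {{line: number, kind: string, text: string}[]}
 */
function findUnsafeTypeormQueries(source) {
  const findings = [];
  source.split("\n").forEach((text, idx) => {
    let kind = null;
    if (INTERPOLATED_RE.test(text)) kind = "interpolation";
    else if (CONCATENATED_RE.test(text)) kind = "concatenation";
    if (kind) findings.push({ line: idx + 1, kind, text: text.trim() });
  });
  return findings;
}

// Constructed sample file mirroring the two calls from the question plus a
// concatenated variant; only lines 4 and 10 should be reported.
const SAMPLE_SOURCE = [
  "import { Connection } from 'typeorm';",
  "",
  "async function bad(connection, aValue) {",
  "  return connection.query(`SELECT XYZ, ABC FROM A WHERE ABC = ${aValue}`);",
  "}",
  "async function good(connection, aValue) {",
  "  return connection.query(`SELECT XYZ, ABC FROM A WHERE ABC = $1`, [aValue]);",
  "}",
  "async function alsoBad(connection, aValue) {",
  "  return connection.query('SELECT XYZ FROM A WHERE ABC = ' + aValue);",
  "}",
].join("\n");

if (typeof require !== "undefined" && require.main === module) {
  for (const f of findUnsafeTypeormQueries(SAMPLE_SOURCE)) {
    console.log(`line ${f.line}: SQL built by ${f.kind}: ${f.text}`);
  }
}
```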

Hello Guillaume

Welcome to the community!

TypeORM is not supported for the moment but we will add this library to the S2077 rule.

Thanks for reporting this issue to us, and don't hesitate if you see other improvements.

Eric