Verified Commit 288d877b authored by Aral Balkan

Add dollar sign and curly brackets to sanitised characters

(And work-in-progress: update readme with security notes on queries.)
parent 253f82ea
......@@ -139,8 +139,17 @@ Just because it’s JavaScript, it doesn’t mean that you can throw anything in
Additionally, `null` and `undefined` values will be persisted as-is.
### Security note regarding strings
Strings are automatically sanitised to escape backticks, backslashes, and template placeholder tokens to avoid arbitrary code execution via JavaScript injection attacks.
The relevant areas in the codebase are linked to below.
- [String sanitation code (JSDF class)](https://github.com/small-tech/jsdb/blob/master/lib/JSDF.js#L45)
- [String sanitation code tests (test/index.js)](https://github.com/small-tech/jsdb/blob/master/test/index.js#L804)
If you notice anything we’ve overlooked or if you have suggestions for improvements, [please open an issue](https://github.com/small-tech/jsdb/issues).
### Custom data types
Custom data types (instances of your own classes) are also supported.
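Review bot: the two source links in this hunk pin line numbers (`#L45`, `#L804`) on the `master` branch, so they will point at the wrong lines as soon as either `lib/JSDF.js` or `test/index.js` changes; link to a commit SHA permalink instead of `master`. The sentence "Strings are automatically sanitised to escape backticks, backslashes, and template placeholder tokens" would also be more useful to a reader checking the guarantee if it named the exact token sequence being escaped rather than "template placeholder tokens", and said at which point the escaping happens (when the string is written to the JSDF file, when it is read back, or both).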
......@@ -685,6 +694,33 @@ const carsThatAreRegal = db.cars.where('tags').includes('regal').get()
]
```
### Security considerations with queries
JSDB (as of version 1.1.0), attempts to sanitise your queries for you to avoid [Little Bobby Tables](https://xkcd.com/327/).
The current sanitation strategy is two-fold and is executed at time of query execution:
1. Remove dangerous characters (statement terminators, etc.):
- Semi-colon (`;`)
- Backslash (`\`)
- Backtick (`\``)
- Plus sign (`+`)
- Dollar sign (`$`)
- Curly brackets (`{}`)
Reasoning: remove symbols that could be used to create valid code so that if our sieve (see below) doesn’t catch an attempt, the code will throw an error when executed, which we can catch and handle.
2. Use a sieve to remove expected input. If our sieve contains any leftover material, we immediately return an empty result set without executing the query.
During query execution, if the query throws (due to an injection attempt that as been neutralised at Step 1 but made it through the sieve), we simply catch the error and return an empty result set.
The relevant areas in the codebase are linked to below.
- Query sanitation code (QueryProxy class)
- Query sanitation code tests (test/index.js)
If you notice anything we’ve overlooked or if you have suggestions for improvements, [please open an issue](https://github.com/small-tech/jsdb/issues).
## Performance characteristics
- The time complexity of reads and writes are both O(1).
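Review bot: step 1 of the documented strategy silently strips `;`, `\`, backtick, `+`, `$`, `{` and `}` from the query instead of rejecting it, so a legitimate query whose value happens to contain one of these characters (a search term such as `a+b` or `$5`) is rewritten into a different query and returns wrong results with no error, whereas step 2 already has a reject-and-return-empty path for anything unexpected; either state this as a known limitation in the list, or have step 1 return the empty result set as well whenever a removed character was present. Three smaller points: the item "Backtick (`\``)" will not render as intended, because a backslash does not escape inside a Markdown code span, so wrap the backtick in a double-backtick code span (two backticks, a space, the backtick, a space, two backticks); "an injection attempt that as been neutralised" should read "that has been neutralised", and "JSDB (as of version 1.1.0), attempts" has the comma on the wrong side of the parenthesis; and the two "relevant areas" bullets under this section ("Query sanitation code (QueryProxy class)" and "Query sanitation code tests (test/index.js)") are plain text, unlike the linked bullets in the strings section above, so add the links or drop the bullets until they exist.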
......@@ -46,7 +46,7 @@ class QueryProxy {
//
// Remove statement terminators, etc. Sorry, Little Bobby Tables.
this.query = this.query.replace(/[;\\\+\`]/g, '')
this.query = this.query.replace(/[;\\\+\`\{\}\$]/g, '')
// Now let’s see if there’s anything nefarious left after we strip away
// the things we expect to be there. This isn’t perfect if the attacker
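Review bot: the widened character class `[;\\\+\`\{\}\$]` still strips the offending characters rather than refusing the query, so user input such as `$5` or `a+b` is quietly rewritten before the sieve runs and the caller receives a wrong, possibly empty, result that is indistinguishable from a clean miss; returning the empty result set (or throwing) when `this.query` contains any character in the class would match what the sieve below already does for leftover material and would not weaken the defence. Minor: inside a character class `+`, `{`, `}` and `$` need no escaping, so `/[;\\+`{}$]/g` reads more clearly, though the escaped form is not wrong; and the comment above the changed line still says only "statement terminators, etc.", so it should now mention that template-literal tokens are being removed too.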