[feat] security raw query type scan and validate
JimmyDaddy opened this issue · comments
JimmyDaddy commented
e.g.
realm.query(`SELECT * FROM users WHERE id = 1; DELETE FROM users`);
Chen Yangjian commented
Querying multiple statements is disabled by default if mysqljs/mysql is used: https://github.com/mysqljs/mysql#multiple-statement-queries
IMHO, possible causes of such queries might be like below:
realm.query(`SELECT * FROM users WHERE id = ${ctx.query.id}`);
which can be checked in advance by enforcing some lint rules. Otherwise, to eliminate such a problem thoroughly, we might need to check the raw SQL before sending it to the database. Would that be a bit too much?
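One shape the "check the raw SQL before sending it" idea could take, as an added example that is not part of this thread or of the project's code: a single-pass scanner that counts statements while skipping string literals, quoted identifiers and comments (so a `;` inside `'a;b'` or `/* ; */` is not miscounted) and rejects a raw query that does not contain exactly one statement. The function names `countStatements` and `validateRawQuery` are assumptions for this example.

```javascript
// Added example (not the project's code): reject raw SQL that carries more
// than one statement, e.g. "SELECT ... WHERE id = 1; DELETE FROM users".
function countStatements(sql) {
  let count = 0;        // statements completed so far
  let sawText = false;  // non-whitespace seen since the last ';'
  let i = 0;
  const n = sql.length;
  while (i < n) {
    const c = sql[i];
    const next = sql[i + 1];
    if (c === "'" || c === '"' || c === '`') {
      // string literal or quoted identifier: skip to the matching quote,
      // honouring backslash escapes and doubled quotes ('' / "")
      sawText = true;
      i++;
      while (i < n) {
        if (sql[i] === '\\') { i += 2; continue; }
        if (sql[i] === c) {
          if (sql[i + 1] === c) { i += 2; continue; }
          break;
        }
        i++;
      }
      i++;
      continue;
    }
    if ((c === '-' && next === '-') || c === '#') {   // line comment
      while (i < n && sql[i] !== '\n') i++;
      continue;
    }
    if (c === '/' && next === '*') {                  // block comment
      const end = sql.indexOf('*/', i + 2);
      i = end === -1 ? n : end + 2;
      continue;
    }
    if (c === ';') {                                  // statement terminator
      if (sawText) count++;
      sawText = false;
      i++;
      continue;
    }
    if (!/\s/.test(c)) sawText = true;
    i++;
  }
  if (sawText) count++;                               // unterminated last statement
  return count;
}

// Throws unless the raw query is exactly one statement; returns it otherwise.
function validateRawQuery(sql) {
  const count = countStatements(sql);
  if (count !== 1) {
    throw new Error(`raw query must contain exactly one statement, found ${count}`);
  }
  return sql;
}
```

This catches stacked statements regardless of the driver's multipleStatements setting; it does not address the interpolation pattern in the second snippet, for which parameterised values remain the fix.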