Is Sequelize model.build (req.body) safe for injection?

Question

Is Sequelize model.build (req.body) safe for injection?

I am new to Sequelize (a node.js ORM) and am wondering if the following code is safe:

var models = require('../models');
var router = require('express').Router();

router.post('/', function(req, res, next){
  models.Account
    .create(req.body)       // <-- THIS IS WHAT MY QUESTION IS ABOUT, IS THIS SAFE?
    .then(function(result){
      res.status(200)
        .send(result)
        .end();
    }).catch(next);
});

If you use this, could it be unsafe? Another solution:

var models = require('../models');
var router = require('express').Router();

router.post('/', function(req, res, next){
  models.Account
    .create({
      username:    req.body.username, // <-- THIS IS MORE VERBOSE BUT PROBABLY SAFER?
      accountname: req.body.accountname,
      level:       req.body.level
    })
    .then(function(result){
      res.status(200)
        .send(result)
        .end();
    }).catch(next);
});

So, basically my question is: Is it safe to use the full body of the request as an input to the function model.create()(and model.set(), and model.build())?

+4

node.js sequelize.js code-injection

Hendrik jan Mar 04 '16 at 9:51

source share

1 answer

Colin Mackay · Accepted Answer · 2016-03-04T10:04:31+0000

, , , . , SQL Injection Attack, models.Account.create, ORM, , HTTP- ( , , )

Is Sequelize model.build (req.body) safe for injection?

More articles: