GMS-2016-77: SQL Injection via like, contains, startsWith, endsWith

October 31, 2016

Any user input that goes into Waterline’s like, contains, startsWith, or endsWith will end up in waterline-sequel with the potential for malicious code. A malicious user can input their own SQL statements that will get executed and have full access to the database.

References

github.com/balderdashy/waterline/issues/1219

Detect and mitigate GMS-2016-77 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →