mysql GEOMETRY / GEOGRAPHY injection case (#6305)

lib/data-types.js

@@ -882,8 +882,8 @@ inherits(GEOMETRY, ABSTRACT);
 GEOMETRY.prototype.key = GEOMETRY.key = 'GEOMETRY';
 
 GEOMETRY.prototype.escape = false;
-GEOMETRY.prototype._stringify = function _stringify(value) {
-  return 'GeomFromText(\'' + Wkt.convert(value) + '\')';
+GEOMETRY.prototype._stringify = function _stringify(value, options) {
+  return 'GeomFromText(' + options.escape(Wkt.convert(value)) + ')';
 };
 
 /**
@@ -905,8 +905,8 @@ inherits(GEOGRAPHY, ABSTRACT);
 GEOGRAPHY.prototype.key = GEOGRAPHY.key = 'GEOGRAPHY';
 
 GEOGRAPHY.prototype.escape = false;
-GEOGRAPHY.prototype._stringify = function _stringify(value) {
-  return 'GeomFromText(\'' + Wkt.convert(value) + '\')';
+GEOGRAPHY.prototype._stringify = function _stringify(value, options) {
+  return 'GeomFromText(' + options.escape(Wkt.convert(value)) + ')';
 };
 
 for (const helper of Object.keys(helpers)) {

test/integration/model/geometry.test.js

@@ -177,7 +177,7 @@ describe(Support.getTestDialectTeaser('Model'), function() {
         });
       });
     });
-    
+
     describe('sql injection attacks', function () {
       beforeEach(function() {
         this.Model = this.sequelize.define('Model', {
@@ -197,6 +197,18 @@ describe(Support.getTestDialectTeaser('Model'), function() {
           }
         });
       });
+
+      it('should properly escape the single quotes in coordinates', function () {
+        return this.Model.create({
+          location: {
+            type: "Point",
+            properties: {
+              exploit: "'); DELETE YOLO INJECTIONS; -- "
+            },
+            coordinates: [39.807222,"'); DELETE YOLO INJECTIONS; --"]
+          }
+        });
+      });
     });
   }
 });