Fix security issue with sequelize generated id attribute

Mick Hansen
Commit 8399d6f5 authored Jan 30, 2014 by Mick Hansen
Showing with 31 additions and 8 deletions
changelog.md
lib/dao-factory.js
lib/dao.js
test/dao/values.test.js
--- a/changelog.md
+++ b/changelog.md
@@ -8,6 +8,7 @@ Notice: All 1.7.x changes are present in 2.0.x aswell
 - [Feature] Support for HAVING queries. [#1286](https://github.com/sequelize/sequelize/pull/1286)
 - bulkUpdate and bulkDestroy now returns affected rows. [#1293](https://github.com/sequelize/sequelize/pull/1293)
 - fixes transaction memory leak issue
+- fixes security issue where it was possible to overwrite the id attribute when defined by sequelize (screwup - and fix - by mickhansen)
 # v1.7.0-rc2
 - fixes unixSocket connections for mariadb [#1248](https://github.com/sequelize/sequelize/pull/1248)

--- a/lib/dao-factory.js
+++ b/lib/dao-factory.js
@@ -164,7 +164,7 @@ module.exports = (function() {
    this.DAO.prototype._hasPrimaryKeys = this.options.hasPrimaryKeys
    this.DAO.prototype._isPrimaryKey = Utils._.memoize(function (key) {
-      return self.primaryKeyAttributes.indexOf(key) !== -1
+      return self.primaryKeyAttributes.indexOf(key) !== -1 && key !== 'id'
    })
    if (this.options.timestamps) {

--- a/lib/dao.js
+++ b/lib/dao.js
@@ -170,6 +170,12 @@ module.exports = (function() {
            return
          }
+          // If attempting to set generated id and id is already defined, return
+          // This is hack since generated id is not in primaryKeys, although it should be
+          if (originalValue && key === "id") {
+            return
+          }
          // If attempting to set read only attributes, return
          if (!options.raw && this._hasReadOnlyAttributes && this._isReadOnlyAttribute(key)) {
            return
@@ -485,14 +491,13 @@ module.exports = (function() {
    return validator.hookValidate()
  }
-  DAO.prototype.updateAttributes = function(updates, fieldsOrOptions) {
+  DAO.prototype.updateAttributes = function(updates, options) {
-    if (fieldsOrOptions instanceof Array) {
+    if (options instanceof Array) {
-      fieldsOrOptions = { fields: fieldsOrOptions }
+      options = { fields: options }
    }
-    this.setAttributes(updates)
+    this.set(updates)
+    return this.save(options)
-    return this.save(fieldsOrOptions)
  }
  DAO.prototype.setAttributes = function(updates) {

--- a/test/dao/values.test.js
+++ b/test/dao/values.test.js
@@ -17,7 +17,24 @@ chai.Assertion.includeStack = true
 describe(Support.getTestDialectTeaser("DAO"), function () {
  describe('Values', function () {
    describe('set', function () {
-      it('doesn\'t overwrite primary keys', function () {
+      it('doesn\'t overwrite generated primary keys', function () {
+        var User = this.sequelize.define('User', {
+          name: {type: DataTypes.STRING}
+        })
+        var user = User.build({id: 1, name: 'Mick'})
+        expect(user.get('id')).to.equal(1)
+        expect(user.get('name')).to.equal('Mick')
+        user.set({
+          id: 2,
+          name: 'Jan'
+        })
+        expect(user.get('id')).to.equal(1)
+        expect(user.get('name')).to.equal('Jan')
+      })
+      it('doesn\'t overwrite defined primary keys', function () {
        var User = this.sequelize.define('User', {
          identifier: {type: DataTypes.STRING, primaryKey: true}
        })