@velkymx velkymx commented Dec 12, 2025

⏺ Release Notes: v1.5.0

Security-Focused Release

Version 1.5.0 is a major security update that addresses critical vulnerabilities and adds enterprise-grade
security features to ts-orm. This release focuses on preventing SQL injection attacks, enhancing input
validation, and protecting sensitive information through error sanitization.


Highlights

  • SQL Injection Prevention: Hybrid validation and escaping for all database identifiers
  • Enhanced Validation: Strict format checking for UUID, datetime, date, and boolean types
  • Error Sanitization: Protected error messages prevent schema information leakage
  • Security Test Suite: 9 new tests covering injection attempts and validation edge cases

Security Enhancements

SQL Injection Prevention

  • ✅ All table names validated and escaped before query execution
  • ✅ All column names validated and escaped (WHERE, SET, ORDER BY, JOIN clauses)
  • ✅ Qualified identifiers (e.g., table.column) validated in JOIN operations
  • ✅ Hybrid approach: Pattern validation [a-zA-Z0-9_] + mysql2 escapeId()
  • ✅ Protection against common injection vectors:
    • Malicious table names: users; DROP TABLE users--
    • Malicious ORDER BY: id; DROP TABLE--
    • Malicious WHERE conditions: id' OR '1'='1

Enhanced Input Validation

  • ✅ UUID v4 format validation: Regex pattern
    /^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i
  • ✅ Datetime format validation: YYYY-MM-DD HH:MM:SS with range checks (month 1-12, day 1-31, hour 0-23,
    etc.)
  • ✅ Date format validation: YYYY-MM-DD with validity checks using Date object
  • ✅ Boolean type validation: Accepts true, false, 0, 1, '0', '1'
  • ✅ Enum null handling: Properly allows null/undefined for non-required enum fields
  • ✅ Required field fix: Now allows falsy values like false and 0 but rejects undefined/null

Error Sanitization

  • ✅ Database errors mapped to safe, generic messages
  • ✅ Full error details logged server-side with console.error()
  • ✅ Schema information never exposed to clients
  • ✅ Error mappings:
    • ER_DUP_ENTRY → "Record already exists"
    • ER_NO_REFERENCED_ROW → "Related record not found"
    • ER_ROW_IS_REFERENCED → "Cannot delete record - it is referenced by other records"
    • All other errors → "Database operation failed"
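The three mechanisms listed above (identifier validation plus escaping, strict value validation, and error-message mapping) can be pictured in one small TypeScript module. This is an added illustration, not code from ts-orm or from this PR: `escapeId` here is a local stand-in that mimics the backtick quoting of mysql2's `escapeId()` so the file runs without the dependency, the function names (`safeIdentifier`, `buildSelect`, `isUuidV4`, `isDatetime`, `isDate`, `isBoolean`, `isPresent`, `sanitizeDbError`) are assumed, and the datetime check reuses the calendar check so that values such as `2023-02-29 10:00:00` are rejected, which goes slightly beyond the pure range checks described in the notes.

```typescript
// Added example (not ts-orm's code). Demonstrates the hybrid identifier
// handling, the v1.5.0 value validators and the error sanitization mapping.

// --- Identifier handling: allow-list pattern first, then quote --------------
const IDENT_RE = /^[a-zA-Z0-9_]+$/;

// Local stand-in for mysql2's escapeId(): backtick-quote one identifier part.
function escapeId(part: string): string {
  return "`" + part.replace(/`/g, "``") + "`";
}

// Validates a bare or qualified (table.column) identifier, then escapes it.
function safeIdentifier(raw: string): string {
  const parts = raw.split(".");
  if (parts.length > 2) throw new Error("Invalid identifier: " + raw);
  for (const p of parts) {
    if (!IDENT_RE.test(p)) throw new Error("Invalid identifier: " + raw);
  }
  return parts.map(escapeId).join(".");
}

// Builds a SELECT where identifiers are validated/escaped and values are
// always bound through "?" placeholders, never concatenated into the SQL.
function buildSelect(
  table: string,
  where: Record<string, unknown>,
  orderBy?: string,
): { sql: string; params: unknown[] } {
  const cols = Object.keys(where);
  let sql = `SELECT * FROM ${safeIdentifier(table)}`;
  if (cols.length > 0) {
    sql += " WHERE " + cols.map((c) => `${safeIdentifier(c)} = ?`).join(" AND ");
  }
  if (orderBy !== undefined) sql += ` ORDER BY ${safeIdentifier(orderBy)}`;
  return { sql, params: cols.map((c) => where[c]) };
}

// --- Value validators -------------------------------------------------------
const UUID_V4_RE =
  /^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;

function isUuidV4(v: unknown): boolean {
  return typeof v === "string" && UUID_V4_RE.test(v);
}

// YYYY-MM-DD, checked against the calendar via Date (rejects 2023-02-29).
function isDate(v: unknown): boolean {
  if (typeof v !== "string") return false;
  const m = /^(\d{4})-(\d{2})-(\d{2})$/.exec(v);
  if (!m) return false;
  const y = Number(m[1]), mo = Number(m[2]), d = Number(m[3]);
  const dt = new Date(Date.UTC(y, mo - 1, d));
  return dt.getUTCFullYear() === y && dt.getUTCMonth() === mo - 1 && dt.getUTCDate() === d;
}

// YYYY-MM-DD HH:MM:SS with hour/minute/second range checks.
function isDatetime(v: unknown): boolean {
  if (typeof v !== "string") return false;
  const m = /^(\d{4}-\d{2}-\d{2}) (\d{2}):(\d{2}):(\d{2})$/.exec(v);
  if (!m) return false;
  const h = Number(m[2]), mi = Number(m[3]), s = Number(m[4]);
  return isDate(m[1]) && h <= 23 && mi <= 59 && s <= 59;
}

const BOOLEAN_VALUES: ReadonlyArray<unknown> = [true, false, 0, 1, "0", "1"];
function isBoolean(v: unknown): boolean {
  return BOOLEAN_VALUES.includes(v);
}

// "Required" means present: false and 0 pass, undefined and null do not.
function isPresent(v: unknown): boolean {
  return v !== undefined && v !== null;
}

// --- Error sanitization -----------------------------------------------------
const SAFE_MESSAGES: Record<string, string> = {
  ER_DUP_ENTRY: "Record already exists",
  ER_NO_REFERENCED_ROW: "Related record not found",
  ER_ROW_IS_REFERENCED: "Cannot delete record - it is referenced by other records",
};

// Logs the full driver error server-side and returns a client-safe Error
// that carries no table, column or key names.
function sanitizeDbError(
  err: { code?: string; message?: string },
  log: (...args: unknown[]) => void = console.error,
): Error {
  log("Database error:", err);
  return new Error(SAFE_MESSAGES[err.code ?? ""] ?? "Database operation failed");
}
```

Two points worth keeping in mind when reading it against the release notes: the WHERE-condition vector (`id' OR '1'='1`) is neutralised by binding values through placeholders, while the pattern check and `escapeId` cover identifiers only; and current MySQL servers report foreign-key failures as `ER_NO_REFERENCED_ROW_2` (1452) and `ER_ROW_IS_REFERENCED_2` (1451), so a mapping keyed only on the older names without the `_2` suffix will fall through to the generic message.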

@github-actions

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

@velkymx velkymx merged commit 42b2418 into main Dec 12, 2025
1 of 4 checks passed