@jamesgecko @kyle Thanks, James. The attack vectors are not really different to any other web app: your major one is arbitrary code execution via injection attacks. JSDB sanitises strings automatically by escaping backticks, backslashes, and dollar signs (https://source.small-tech.org/site.js/lib/jsdb/-/issues/9). Beyond that, you should never load in a JSDF file from a domain you don’t own and control yourself and have a secure connection to. If you can think of other attack vectors, please do let me know :)

@jamesgecko @kyle PS. I’m now also implementing sanitisation of query input so that developer’s using the library are not expected to do it.

@jamesgecko @kyle Hey both, thanks again for raising this issue. It did get me thinking that JSDB should automatically sanitise queries also, so I’ve just published version 1.1.0 which does that. If you get a chance to peek at the code / explanation of the strategy in the readme and let me know if you see any issues, I’d appreciate it :)

@aral I'll have to admit that I am not fluent in Javascript. My worries were more triggered by the overall concept of data being stored as executable code that was evaled when reading, and what an attacker could do who could write to that database or bypass sanitization attempts, since they would, in theory, have the full range of JS capabilities at their disposal (arbitrary code exec) instead of the more limited set of standard DB queries (data leak).

@kyle Yep, valid concerns. As far as I can see, the sanitation routines I’ve implemented address those attack vectors. The only time the person using JSDB has to implement their own sanitation at the moment is if they’re creating a custom query themselves using string manipulation with untrusted content. Otherwise, I believe I’ve blocked (at least the obvious) arbitrary code execution and also the query extension/data leak pathways. Hopefully more eyes can verify or improve it :)