maddy2get / express-brute-sequelize
Sequelize Store for express-brute
License: MIT License
Can you update the sequelize version in package.json to use a more recent version?
Hi,
Just a warning with "sequelize deprecated Model.find has been deprecated, please use Model.findOne instead".
In /node_modules/express-brute-sequelize/index.js, lines 58 and 93:
`return this._table.find({`
Replace with:
`return this._table.findOne({`
Thanks.
Project uses sequelize v ~3.0.0 which has an SQL Injection via GeoJSON vulnerability according to nsp check
This issue was patched from sequelize version >=3.23.6.
Can you fix it?
Unused SQLite dependency in source. It is not listed as a dependency in package.json. However when using the module it will throw an error.
This is the offending code in this library, comment is mine
```coffeescript
get:(key, callback) ->
  _id = @options.prefix+key
  @_table.find(where:{_id:_id})
  .then (doc) =>
    ###
    `destroy` will return 1 from the promise when the record existed
    ###
    return @_table.destroy({where:{"_id":_id}}) if doc && new Date(doc.expires).getTime() < new Date().getTime()
    return Promise.resolve(count:doc.count,lastRequest:new Date(doc.lastRequest),firstRequest:new Date(doc.firstRequest)) if doc
    Promise.resolve()
  .then (data)->
    data = undefined if !data
    typeof callback == 'function' && callback(null,data)
    return null
  .catch (err) ->
    typeof callback == 'function' && callback(err)
    return null
```
When `doc.expires` is earlier than the current time, there's a call to `destroy`. If the record exists in the database, Sequelize resolved the promise with a `1`.
That means the callback is getting called with `1`.
In the express-brute library, a truthiness check is run against the return value of `get` to determine whether or not to update the lastRequest, etc.
This truthiness check assumes it's getting an object with the expected brute-record properties. Line 100 thus calls `getTime` on undefined and everything freaks out.
This is a one-line fix, I'll open a PR shortly
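The failure described in this issue, reproduced as an added JavaScript example (not the library's code and not the poster's PR). `FakeTable`, `getLeaky`, `getFixed` and `callerSurvives` are hypothetical names, the row is constructed sample data, and the caller check is modelled on the issue's description of express-brute rather than copied from it.

```javascript
// FakeTable is a constructed stand-in for the Sequelize model (assumption):
// findOne resolves the row or null, destroy resolves the number of rows removed.
class FakeTable {
  constructor(rows) { this.rows = rows; }
  findOne({ where }) { return Promise.resolve(this.rows.get(where._id) || null); }
  destroy({ where }) { return Promise.resolve(this.rows.delete(where._id) ? 1 : 0); }
}

const isExpired = (doc) => new Date(doc.expires).getTime() < Date.now();
const toRecord = (doc) => ({
  count: doc.count,
  lastRequest: new Date(doc.lastRequest),
  firstRequest: new Date(doc.firstRequest),
});

// Behaviour described in the issue: destroy's row count leaks out as the "record".
function getLeaky(table, _id) {
  return table.findOne({ where: { _id } }).then((doc) => {
    if (doc && isExpired(doc)) return table.destroy({ where: { _id } });
    return doc ? toRecord(doc) : undefined;
  });
}

// One possible fix: discard destroy's result so an expired key reads as "no record".
function getFixed(table, _id) {
  return table.findOne({ where: { _id } }).then((doc) => {
    if (doc && isExpired(doc)) return table.destroy({ where: { _id } }).then(() => undefined);
    return doc ? toRecord(doc) : undefined;
  });
}

// Caller-side truthiness check as the issue describes it (assumption): any truthy
// value is treated as a brute record and lastRequest.getTime() is called on it.
function callerSurvives(value) {
  try { if (value) value.lastRequest.getTime(); return true; }
  catch (err) { return false; } // TypeError: the number 1 has no lastRequest
}

// Constructed sample: one row for key "k" that expired at the Unix epoch.
const expiredRow = () => new Map([["k", { count: 3, expires: 0, lastRequest: 0, firstRequest: 0 }]]);

async function demo() {
  const leaky = await getLeaky(new FakeTable(expiredRow()), "k");
  const fixed = await getFixed(new FakeTable(expiredRow()), "k");
  return { leaky, fixed, leakyOk: callerSurvives(leaky), fixedOk: callerSurvives(fixed) };
}
```

The practical consequence is that the first request after a record expires throws inside the brute-force protection path instead of being counted, so the store's return contract (record object or `undefined`) is worth asserting in tests.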
ER_TABLEACCESS_DENIED_ERROR: DELETE command denied to user 'username'@'ip' for table 'bruteStores'
Anyone run into this error before? Anyone have a fix?