stripe-escape-input
v1.0.2
Published
Prevent injections in Stripe search queries by escaping user input
Downloads
5
Readme
Stripe Escape Input
Prevent injections in Stripe search queries by escaping user input.
Problem
const stripe = require("stripe")(process.env.STRIPE_SECRET_KEY)
const userInput = "124' OR created>0 OR status:'active"
let subscriptions = await stripe.subscriptions.search({
query: `metadata['myField']: '${userInput}'`
})
console.log(subscriptions) // all subscriptions ever due to injectionA user input that is directly used in a Stripe search query is vulnerable to injections. This can be exploited to gain access to all records. The principle is basically the same as in SQL injections.
Solution
To prevent injections, we need to escape the user input before using it in a Stripe search query.
npm i stripe-escape-inputconst escapeInput = require("stripe-escape-input")
const stripe = require("stripe")(process.env.STRIPE_SECRET_KEY)
const userInput = "124' OR created>0 OR status:'active"
let subscriptions = await stripe.subscriptions.search({
query: `metadata['myField']: '${escapeInput(userInput)}'`
})
console.log(subscriptions) // 0 subscriptionsSources
- https://stripe.com/docs/api/subscriptions/search
- https://stripe.com/docs/search#search-syntax