[Snyk] Security upgrade sequelize from 3.35.1 to 6.28.1

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	551/1000 Why? Recently disclosed, Has a fix available, CVSS 5.3	Information Exposure SNYK-JS-SEQUELIZE-3324089	Yes	No Known Exploit
	601/1000 Why? Recently disclosed, Has a fix available, CVSS 6.3	Access of Resource Using Incompatible Type ('Type Confusion') SNYK-JS-SEQUELIZE-3324090	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: sequelize

The new version differs by 250 commits.

• d9e0728 fix: throw if where receives an invalid value (#15699)
• 48d6193 fix: update moment-timezone version (#15685)
• fd4afa6 feat(types): use retry-as-promised types for retry options to match documentation (#15484)
• 1247c01 feat: add support for bigints (backport of #14485) (#15413)
• 94beace feat(postgres): add support for lock_timeout [#15345] (#15355)
• 7885000 fix(oracle): remove hardcoded maxRows value (#15323)
• bc39fd6 fix: fix parameters not being replaced when after $$ strings (#15307)
• a205765 fix(postgres): invalidate connection after client-side timeout (#15283)
• 67e69cd fix: remove options.model overwrite on bulkUpdate (#15252)
• 00c6da3 fix(types): add instance.dataValues property to model.d.ts (#15240)
• bf98d7c meta: swap Slack links (#15159)
• 7990095 fix: don't treat \ as escape in standard strings, support E-strings, support vars after ->> operator, treat lowercase e as valid e-string prefix (#15139)
• 851daaf fix(types): fix TS 4.9 excessive depth error on `InferAttributes` (v6) (#15135)
• 9dd93b8 fix(types): expose legacy "types" folder in export alias ( #15123)
• 06ad05d feat(oracle): add support for `dialectOptions.connectString` (#15042)
• a44772e feat(snowflake): Add support for `QueryGenerator#tableExistsQuery` (#15087)
• 55051d0 docs: add missing ssl options for sequelize instance (v6) (#15049)
• 5c88734 docs(model): Added paranoid option for Model.BelongsToMany.through (#15065)
• 7203b66 fix(postgres): add custom order direction to subQuery ordering with minified alias (#15056)
• 5f621d7 fix(oracle): add support for Oracle DB 18c CI (#15016)
• 3468378 feat(types): add typescript 4.8 compatibility (#14990)
• 1da6657 fix(types): missing type for oracle dialect in v6 (#14992)
• c230d80 feat(oracle): add oracle dialect support (#14638)
• 33d94b2 fix(types): backport #14704 for v6 (#14964)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.

[secure-code-warrior-for-github]

Micro-Learning Topic: Information disclosure (Detected by phrase)

Matched on "Information Exposure"

Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser. Source: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Try a challenge in Secure Code Warrior

Micro-Learning Topic: Type confusion (Detected by phrase)

Matched on "Type Confusion"

What is this? (2min video)

When attackers are able to manipulate the memory reserved for objects directly, they can then pass a reference to a crafted block of memory to be used in the place of a valid object type. This triggers the run time engine to execute arbitrary code which is under the control of the attacker due to the induced type confusion.

Try a challenge in Secure Code Warrior

[secureflag-knowledge-base]

Open Redirect

Play Labs on this vulnerability with SecureFlag!

Start Open Redirect Lab

Description

Open Redirects, otherwise known as Unvalidated Redirects and Forwards, are a class of vulnerability made possible when a web application, comprised of insufficient input-validation controls, is manipulated into redirecting unwitting users of the application to a malicious, attacker-controlled URL.

This type of exploit is popular with criminals involved in phishing and credential theft, unsurprising given the false layer of trust attributed to the fact that the modified link and the original site share the same server name.

Read more

Impact

There are many overlapping techniques criminals employ to dupe unwitting victims into handing over their hard-earned cash. One of these methods is undoubtedly betting on the misplaced trust many of us place in familiar server names. This write-up exemplifies how even the most arguably well-known URL of all, https://www.google.com, can be taken advantage of via its redirection facility.

In addition, Open Redirect vulnerabilities can:

• Lead to Cross-Site Scripting (XSS) attacks if the redirect uses data: or javascript: protocols;
• Potentially circumvent Server-Side Request Forgery (SSRF) filters;
• Nullify allow list effectiveness in some cases to bypass Content Security Policy (CSP);
• Lead to Carriage Return and Line Feed (CRLF) attacks if line breaks are present in the destination parameter.

Scenarios

As outlined above, attackers often use this attack as it 'hijacks' the trust users place in a well-known URL.

Here's a topical example from 2021; if the target domain is www.covidvaccinations.com, an attacker might craft the following URL:

http://www.covidvaccinations.com/redirect.php?url=http://attackerwebsite.com

Attackers send links like the one above in phishing campaigns in the hopes that they will lure a victim into clicking on the link.

Prevention

The following measures can be applied to either eliminate or drastically reduce the potential for Open Redirect exploitation:

• If they aren't necessary, don't use redirects and forwards!
• In cases where they are required, do not allow the URL as user input for the destination;
• When user input is unavoidable, validate the supplied value, its appropriateness for the application, and ensure it is authorized for the user:
  • This can be a fiddly task, so closely adhere to best practices and ensure continued maintenance.
• If possible, force the user to provide an ID or token that is mapped server-side to a complete target URL;
• Input sanitization should be implemented by creating an allow list of trusted URLs determined by host or regex.

Testing

Verify that URL redirects and forwards only allow destinations which appear on an allow list, or show a warning when redirecting to potentially untrusted content.

• OWASP ASVS: 5.1.5

View this in the SecureFlag Knowledge Base

[secure-code-warrior-for-github]

Micro-Learning Topic: Cross-site scripting (Detected by phrase)

Matched on "Cross-Site Scripting"

What is this? (2min video)

Cross-site scripting vulnerabilities occur when unescaped input is rendered into a page displayed to the user. When HTML or script is included in the input, it will be processed by a user's browser as HTML or script and can alter the appearance of the page or execute malicious scripts in their user context.

Try a challenge in Secure Code Warrior

Helpful references

• Prevent Cross-Site Scripting (XSS) in ASP.NET Core - A detailed Microsoft article on how to prevent cross-site scripting in ASP.NET Core.
• OWASP Cross Site Scripting (XSS) Software Attack - OWASP community page with comprehensive information about cross site scripting, and links to various OWASP resources to help detect or prevent it.
• OWASP Cross Site Scripting Prevention Cheat Sheet - This article provides a simple positive model for preventing XSS using output encoding properly.

Micro-Learning Topic: Open redirect (Detected by phrase)

Matched on "Open Redirect"

What is this? (2min video)

This vulnerability refers to the ability of an attacker to arbitrarily perform a redirection (external) or forward (internal) against the system. It arises due to insufficient validation or sanitisation of inputs used to perform a redirect or forward and may result in privilege escalation (in the case of a forward) or may be used to launch phishing attacks against users (in the case of redirects).

Try a challenge in Secure Code Warrior

Helpful references

• OWASP Unvalidated Redirects and Forwards Cheat Sheet - This cheatsheet is focused on providing clear, simple, actionable guidance for preventing redirection and forwarding flaws in your applications.
• Preventing Open Redirection Attacks (C#) - A detailed Microsoft article on how to prevent open redirection vulnerabilities in ASP.NET MVC.

Micro-Learning Topic: Server-side request forgery (Detected by phrase)

Matched on "Server-Side Request Forgery"

What is this? (2min video)

Server-Side Request Forgery (SSRF) vulnerabilities are caused when an attacker can supply or modify a URL that reads or sends data to the server. The attacker can create a malicious request with a manipulated URL, when this request reaches the server, the server-side code executes the exploit URL causing the attacker to be able to read data from services that shouldn't be exposed.

Try a challenge in Secure Code Warrior

Micro-Learning Topic: Unvalidated redirect (Detected by phrase)

Matched on "Unvalidated Redirect"

What is this? (2min video)

This vulnerability refers to the ability of an attacker to arbitrarily perform a redirection (external) or forward (internal) against the system. It arises due to insufficient validation or sanitisation of inputs used to perform a redirect or forward and may result in privilege escalation (in the case of a forward) or may be used to launch phishing attacks against users (in the case of redirects).

Try a challenge in Secure Code Warrior

Helpful references

• OWASP Unvalidated Redirects and Forwards Cheat Sheet - This cheatsheet is focused on providing clear, simple, actionable guidance for preventing redirection and forwarding flaws in your applications.
• Preventing Open Redirection Attacks (C#) - A detailed Microsoft article on how to prevent open redirection vulnerabilities in ASP.NET MVC.