1.0.2 • Published 12 months ago
stripe-escape-input v1.0.2
Stripe Escape Input
Prevent injections in Stripe search queries by escaping user input.
Problem
const stripe = require("stripe")(process.env.STRIPE_SECRET_KEY)
// Attacker-controlled value: the quote closes the field value early and the
// rest is parsed as additional query clauses
const userInput = "124' OR created>0 OR status:'active"
// Vulnerable: user input interpolated unescaped into the search query
let subscriptions = await stripe.subscriptions.search({
  query: `metadata['myField']: '${userInput}'`
})
console.log(subscriptions) // all subscriptions ever due to injection
User input that is interpolated directly into a Stripe search query is vulnerable to injection: the quote in the input terminates the intended value, and whatever follows is parsed as further query clauses. This can be exploited to gain access to all records. The principle is essentially the same as in SQL injection.
Solution
To prevent injections, we need to escape the user input before using it in a Stripe search query.
npm i stripe-escape-input
const escapeInput = require("stripe-escape-input")
const stripe = require("stripe")(process.env.STRIPE_SECRET_KEY)
const userInput = "124' OR created>0 OR status:'active"
// Safe: the input is escaped so it is matched as a literal value only
let subscriptions = await stripe.subscriptions.search({
  query: `metadata['myField']: '${escapeInput(userInput)}'`
})
console.log(subscriptions) // 0 subscriptions