<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Alok Rajasukumaran</title>
    <description>The latest articles on DEV Community by Alok Rajasukumaran (@alokraj68).</description>
    <link>https://dev.to/alokraj68</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1308384%2F7d74ff50-9aa6-438d-9fd4-3314613a2cb5.jpeg</url>
      <title>DEV Community: Alok Rajasukumaran</title>
      <link>https://dev.to/alokraj68</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/alokraj68"/>
    <language>en</language>
    <item>
      <title>The SQL injection bug your code review keeps missing</title>
      <dc:creator>Alok Rajasukumaran</dc:creator>
      <pubDate>Thu, 16 Jul 2026 12:47:05 +0000</pubDate>
      <link>https://dev.to/alokraj68/the-sql-injection-bug-your-code-review-keeps-missing-595o</link>
      <guid>https://dev.to/alokraj68/the-sql-injection-bug-your-code-review-keeps-missing-595o</guid>
      <description>&lt;p&gt;Every TypeORM project I've worked on grows the same few dangerous lines. I got tired of catching them by hand, so I wrote a linter that does it for me.&lt;/p&gt;

&lt;p&gt;I was reviewing a pull request a while back and nearly scrolled past this line:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight typescript"&gt;&lt;code&gt;&lt;span class="k"&gt;await&lt;/span&gt; &lt;span class="nx"&gt;manager&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;query&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s2"&gt;`SELECT * FROM users WHERE id = &lt;/span&gt;&lt;span class="p"&gt;${&lt;/span&gt;&lt;span class="nx"&gt;req&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;params&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;id&lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="s2"&gt;`&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Looks fine at a glance. It's a SQL injection hole. The &lt;code&gt;id&lt;/code&gt; comes off the request and lands directly in the query string.&lt;/p&gt;

&lt;p&gt;The thing that bugged me is that I only caught it because I happened to be reading carefully on that line, that day. Review catches this sort of thing a lot of the time. "A lot of the time" is how these end up in production.&lt;/p&gt;

&lt;p&gt;It's usually not only injection either. The same projects tend to collect a few other habits:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;code&gt;synchronize: true&lt;/code&gt; in a data source config. It rewrites your schema on startup and can drop a column on the next deploy.&lt;/li&gt;
&lt;li&gt;A QueryBuilder &lt;code&gt;delete()&lt;/code&gt; or &lt;code&gt;update()&lt;/code&gt; that hits &lt;code&gt;.execute()&lt;/code&gt; with no &lt;code&gt;.where()&lt;/code&gt;. Forget that one line and you've changed every row in the table.&lt;/li&gt;
&lt;li&gt;Three or four writes in one function, none in a transaction, so if the second throws you're left with half-written data.&lt;/li&gt;
&lt;li&gt;On multi-tenant apps, a query that forgets the tenant filter. That's how one customer sees another customer's data.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;None of these really need a person to catch them. They're mechanical. A linter can do it on every commit.&lt;/p&gt;

&lt;p&gt;So I built one.&lt;/p&gt;

&lt;h2&gt;
  
  
  eslint-plugin-typeorm-enterprise
&lt;/h2&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;npm &lt;span class="nb"&gt;install&lt;/span&gt; &lt;span class="nt"&gt;--save-dev&lt;/span&gt; eslint eslint-plugin-typeorm-enterprise
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;





&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight javascript"&gt;&lt;code&gt;&lt;span class="c1"&gt;// eslint.config.js&lt;/span&gt;
&lt;span class="kd"&gt;const&lt;/span&gt; &lt;span class="nx"&gt;typeormEnterprise&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="nf"&gt;require&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="dl"&gt;'&lt;/span&gt;&lt;span class="s1"&gt;eslint-plugin-typeorm-enterprise&lt;/span&gt;&lt;span class="dl"&gt;'&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
&lt;span class="nx"&gt;module&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;exports&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="nx"&gt;typeormEnterprise&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;configs&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;recommended&lt;/span&gt;&lt;span class="p"&gt;];&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Now those patterns are lint errors. Ten rules today, split into configs (&lt;code&gt;recommended&lt;/code&gt;, &lt;code&gt;strict&lt;/code&gt;, &lt;code&gt;performance&lt;/code&gt;, &lt;code&gt;multiTenant&lt;/code&gt;): raw SQL, interpolated and concatenated SQL, unsafe QueryBuilder deletes, EntityManager raw queries, writes outside a transaction, tenant scoping, and a nudge to stop counting rows when you only need to know one exists.&lt;/p&gt;

&lt;h2&gt;
  
  
  Two things I was picky about
&lt;/h2&gt;

&lt;p&gt;It doesn't need any type setup. The rules read the syntax tree, so they work in a plain ESLint 9 config with nothing else to wire up, and they run under oxlint too. If you already lint with type information, there's an optional mode that checks the receiver is actually a TypeORM Repository or EntityManager instead of matching on a name.&lt;/p&gt;

&lt;p&gt;And it tries hard not to be noisy. The fastest way to get a linter switched off is a wall of false positives on the first run. This one leaves &lt;code&gt;req.query.id&lt;/code&gt; and other non-SQL calls alone.&lt;/p&gt;

&lt;h2&gt;
  
  
  Try it
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;npm: &lt;a href="https://www.npmjs.com/package/eslint-plugin-typeorm-enterprise" rel="noopener noreferrer"&gt;https://www.npmjs.com/package/eslint-plugin-typeorm-enterprise&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;GitHub: &lt;a href="https://github.com/alokraj68/eslint-plugin-typeorm-enterprise" rel="noopener noreferrer"&gt;https://github.com/alokraj68/eslint-plugin-typeorm-enterprise&lt;/a&gt;
&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Rule ideas and false-positive reports welcome, especially real TypeORM footguns you've hit.&lt;/p&gt;

</description>
      <category>typescript</category>
      <category>node</category>
      <category>opensource</category>
      <category>webdev</category>
    </item>
  </channel>
</rss>
