0

In a database table, I was running some phone number validations and I noticed that some unicode characters were inserted in a phone number field.

The characters are:

  • (U+202C): Pop Directional Formatting
  • (U+202D): Left-to-Right Override

The database cell is in the following format:

[U+202D]+35387123456789[U+202C]

I checked the other columns belonging to this entry and have come to the conclusion that they likely speak Arabic, which is written from right-to-left, meaning the user probably switched writing direction to enter their phone number and the system somehow stored these unicode characters.

I think my case is probably a false alarm, however I found that there are some exploits in Rust that use these characters.

Can anybody tell me if there is any risk of an exploit being executed using NodeJS/Sequelize/Postgres?

Declan Murphy
  • 1
  • On the frontend: I imagine the validator might fail and allow for some active DoS. On the backend: possibly ridiculously a lot data could get saved, which is effectively DoS too... What kind of validators are you using anyways? Using good frontend validators like what Angular and etc offers is very important imho – Sir Muffington Feb 24 '22 at 18:10
  • Unicode (yes, even the good ol' UTF-8) has a lot of exploits in itself... It's up to the implementation of Node.js and other devs to try to fix the inherent issues. – Sir Muffington Feb 24 '22 at 18:19

0 Answers0