Neeraj L left a comment
Hey everyone! 👋 I'm Neeraj, a CS student from Singapore. I built prisma-firewall over 2 days while working on a personal project using Prisma. I kept thinking about how easy it is to make a mistake that causes real damage. A stray deleteMany() with no where clause, a findMany() that dumps your entire database, sensitive fields accidentally returned in a query. Then I discovered something that...
prisma-firewall: A security firewall for Prisma
Every Prisma developer has a silent risk in their codebase. A single deleteMany() with no where clause wipes an entire table. A findMany() with no limit dumps your entire database to the client. And there's a lesser-known attack called operator injection, where an attacker sends { "not": "" } as a password value instead of a plain string, and Prisma accepts it as a valid query operator, bypassing authentication entirely.
When tested, Prisma did not block it. prisma-firewall does.
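The three risks above can be caught before a query reaches the database by inspecting the args object a Prisma call receives. The guard below is an added example, not prisma-firewall's own code; the operation names are Prisma's, while the `maxTake` default is an assumed policy value, and the scalar check is meant for where clauses built from untrusted request input.

```javascript
// Added example (not prisma-firewall's code): a pre-query guard for the
// args object of a Prisma call, e.g. prisma.user.findFirst(args).

const SCALAR = new Set(["string", "number", "boolean", "bigint"]);

// Operator injection: a where value that came from user input must be a
// plain scalar. { not: "" } is an object, so it is rejected instead of
// being passed through as a filter that matches any non-empty password.
function assertScalarWhere(where, path = "where") {
  for (const [field, value] of Object.entries(where ?? {})) {
    if (value === null || SCALAR.has(typeof value)) continue;
    throw new TypeError(
      `${path}.${field}: expected a scalar, got ${JSON.stringify(value)}`
    );
  }
}

// Returns the (possibly capped) args, or throws. maxTake is an assumed
// policy value; choose one that fits the application.
function guardPrismaArgs(operation, args = {}, { maxTake = 100 } = {}) {
  const hasWhere = Boolean(args.where) && Object.keys(args.where).length > 0;

  // Bulk writes with no (or an empty) where clause touch every row.
  if ((operation === "deleteMany" || operation === "updateMany") && !hasWhere) {
    throw new Error(`${operation} without a where clause is not allowed`);
  }

  // Unbounded reads dump the whole table: force a row limit.
  if (operation === "findMany" && (args.take === undefined || args.take > maxTake)) {
    args = { ...args, take: maxTake };
  }

  if (args.where) assertScalarWhere(args.where);
  return args;
}
```

Prisma's client extensions (`$extends` with a `query` hook) are the natural place to run such a guard on every operation.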
