From 166ba292692e9f4a8d525c240b65468fd5eaf933 Mon Sep 17 00:00:00 2001 From: "aikido-autofix[bot]" <119856028+aikido-autofix[bot]@users.noreply.github.com> Date: Tue, 12 May 2026 10:05:54 +0000 Subject: [PATCH] fix(security): autofix NoSQL injection attack possible --- routes/updateProductReviews.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/routes/updateProductReviews.ts b/routes/updateProductReviews.ts index 93a6a45a9a5..9114b7a61ad 100644 --- a/routes/updateProductReviews.ts +++ b/routes/updateProductReviews.ts @@ -15,7 +15,7 @@ module.exports = function productReviews () { return (req: Request, res: Response, next: NextFunction) => { const user = security.authenticatedUsers.from(req) // vuln-code-snippet vuln-line forgedReviewChallenge db.reviews.update( // vuln-code-snippet neutral-line forgedReviewChallenge - { _id: req.body.id }, // vuln-code-snippet vuln-line noSqlReviewsChallenge forgedReviewChallenge + { _id: { $eq: req.body.id } }, // vuln-code-snippet vuln-line noSqlReviewsChallenge forgedReviewChallenge { $set: { message: req.body.message } }, { multi: true } // vuln-code-snippet vuln-line noSqlReviewsChallenge ).then(