diff --git a/data/static/codefixes/unionSqlInjectionChallenge_1.ts b/data/static/codefixes/unionSqlInjectionChallenge_1.ts
index 8ef9f5af173..fcf4054925b 100644
--- a/data/static/codefixes/unionSqlInjectionChallenge_1.ts
+++ b/data/static/codefixes/unionSqlInjectionChallenge_1.ts
@@ -3,7 +3,7 @@ module.exports = function searchProducts () {
     let criteria: any = req.query.q === 'undefined' ? '' : req.query.q ?? ''
     criteria = (criteria.length <= 200) ? criteria : criteria.substring(0, 200)
     criteria.replace(/"|'|;|and|or/i, "")
-    models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`)
+    models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE :searchPattern OR description LIKE :searchPattern) AND deletedAt IS NULL) ORDER BY name`, { replacements: { searchPattern: `%${criteria}%` } })
       .then(([products]: any) => {
         const dataString = JSON.stringify(products)
         for (let i = 0; i < products.length; i++) {
diff --git a/routes/login.ts b/routes/login.ts
index 7e0fbb314ad..d143faa02e9 100644
--- a/routes/login.ts
+++ b/routes/login.ts
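Review bot: The statement `criteria.replace(/"|'|;|and|or/i, "")` two lines above the new query discards its return value, so `criteria` is never modified; now that the query is bound through `replacements` it is dead code that only suggests a sanitisation step which is not happening, and should be dropped (or, if the file is meant to keep it, assigned as `criteria = criteria.replace(...)`). With the bound pattern, `%` and `_` inside `criteria` still act as LIKE wildcards, which is not an injection but deserves a one-line comment on the `replacements` line, e.g. `// user-supplied % and _ remain LIKE wildcards; escape them if exact matching matters`. The path `data/static/codefixes/…_1.ts` suggests this file is one of several candidate answers for a coding-challenge feature rather than the live route; if `_1` is intended to be an incorrect option, parameterising it changes which option is correct, so confirm that is the intent. `searchProducts` starts and ends outside the hunk.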
@@ -33,7 +33,7 @@ module.exports = function login () {
 
   return (req: Request, res: Response, next: NextFunction) => {
     verifyPreLoginChallenges(req) // vuln-code-snippet hide-line
-    models.sequelize.query(`SELECT * FROM Users WHERE email = '${req.body.email || ''}' AND password = '${security.hash(req.body.password || '')}' AND deletedAt IS NULL`, { model: UserModel, plain: true }) // vuln-code-snippet vuln-line loginAdminChallenge loginBenderChallenge loginJimChallenge
+    models.sequelize.query(`SELECT * FROM Users WHERE email = :email AND password = :password AND deletedAt IS NULL`, { model: UserModel, plain: true, replacements: { email: req.body.email || '', password: security.hash(req.body.password || '') } }) // vuln-code-snippet vuln-line loginAdminChallenge loginBenderChallenge loginJimChallenge
       .then((authenticatedUser: { data: User }) => { // vuln-code-snippet neutral-line loginAdminChallenge loginBenderChallenge loginJimChallenge
         const user = utils.queryResultToJson(authenticatedUser)
         if (user.data?.id && user.data.totpSecret !== '') {
diff --git a/routes/search.ts b/routes/search.ts
index f3eaeff8835..e5a93c1a88d 100644
--- a/routes/search.ts
+++ b/routes/search.ts
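Review bot: The `// vuln-code-snippet vuln-line loginAdminChallenge loginBenderChallenge loginJimChallenge` annotation is carried over onto the new parameterised query line, but that line no longer contains the string-built SQL the annotation refers to; if these markers drive a find-the-vulnerable-line exercise, as the challenge names suggest, it will now point at a safe line, and the `loginAdminChallenge`/`loginBenderChallenge`/`loginJimChallenge` checks that rely on an injectable query cannot be satisfied, so the markers and challenge logic need to be updated in the same change. Separately, `email: req.body.email || ''` still forwards whatever JSON type the client sent; a non-string (array or object) cannot inject through `replacements`, but it produces a confusing database error instead of a clean rejection, so guard it before the query, e.g. `if (typeof req.body.email !== 'string' || typeof req.body.password !== 'string') return res.status(400).send('invalid credentials')`. The enclosing `login ()` handler starts before the hunk and its `.then` chain continues after it.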
@@ -20,7 +20,7 @@ module.exports = function searchProducts () {
   return (req: Request, res: Response, next: NextFunction) => {
     let criteria: any = req.query.q === 'undefined' ? '' : req.query.q ?? ''
     criteria = (criteria.length <= 200) ? criteria : criteria.substring(0, 200)
-    models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`) // vuln-code-snippet vuln-line unionSqlInjectionChallenge dbSchemaChallenge
+    models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE :search OR description LIKE :search) AND deletedAt IS NULL) ORDER BY name`, { replacements: { search: `%${criteria}%` } }) // vuln-code-snippet vuln-line unionSqlInjectionChallenge dbSchemaChallenge
       .then(([products]: any) => {
         const dataString = JSON.stringify(products)
         if (challengeUtils.notSolved(challenges.unionSqlInjectionChallenge)) { // vuln-code-snippet hide-start
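Review bot: The value bound as `search: `%${criteria}%`` is not guaranteed to be a string: under Express's default query parser `req.query.q` can arrive as an array (`?q=a&q=b`), which passes the length cap and is silently stringified as `a,b`, or as an object (`?q[a]=b`), which has no `length`, fails the comparison and makes `criteria.substring(0, 200)` throw a TypeError before the query runs; now that the query itself is safe, the remaining hardening is to normalise once before the cap, `const q = typeof req.query.q === 'string' ? req.query.q : ''`. Inside the bound pattern, `%` and `_` supplied by the user still act as LIKE wildcards; this cannot inject, but if exact substring matching is wanted, escape them with `criteria.replace(/[\\%_]/g, '\\$&')` and add `ESCAPE '\\'` after both LIKE placeholders in the template. The `// vuln-code-snippet vuln-line unionSqlInjectionChallenge dbSchemaChallenge` marker stays on a line that is no longer injectable, and the `challengeUtils.notSolved(challenges.unionSqlInjectionChallenge)` check on the last context line appears to look for a successful UNION injection that the parameterised query makes impossible — if this is an intentionally vulnerable training app, as those names suggest, this hunk silently defeats those challenges and the markers need updating too. The `searchProducts` handler starts before the hunk and its `.then` callback continues after it.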