diff --git a/routes/login.ts b/routes/login.ts
index 7e0fbb314ad..6a7da085c4f 100644
--- a/routes/login.ts
+++ b/routes/login.ts
@@ -33,7 +33,8 @@ module.exports = function login () {
   return (req: Request, res: Response, next: NextFunction) => {
     verifyPreLoginChallenges(req) // vuln-code-snippet hide-line
-    models.sequelize.query(`SELECT * FROM Users WHERE email = '${req.body.email || ''}' AND password = '${security.hash(req.body.password || '')}' AND deletedAt IS NULL`, { model: UserModel, plain: true }) // vuln-code-snippet vuln-line loginAdminChallenge loginBenderChallenge loginJimChallenge
+    const params = { email: req.body.email || '', password: security.hash(req.body.password || '') }
+    models.sequelize.query(`SELECT * FROM Users WHERE email = :email AND password = :password AND deletedAt IS NULL`, { replacements: params, model: UserModel, plain: true }) // vuln-code-snippet vuln-line loginAdminChallenge loginBenderChallenge loginJimChallenge
       .then((authenticatedUser: { data: User }) => { // vuln-code-snippet neutral-line loginAdminChallenge loginBenderChallenge loginJimChallenge
         const user = utils.queryResultToJson(authenticatedUser)
         if (user.data?.id && user.data.totpSecret !== '') {