This page is not yet available in Spanish. We are working on its translation. If you have any questions or feedback about our current translation project, feel free to reach out to us!
module.exports=functionsearchProducts(){return(req:Request,res:Response,next:NextFunction)=>{letcriteria:any=req.query.q==='undefined'?'':req.query.q??''criteria=(criteria.length<=200)?criteria:criteria.substring(0,200)// only allow apple or orange related searches
if(!criteria.startsWith("apple")||!criteria.startsWith("orange")){res.status(400).send()return}models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`).then(([products]:any)=>{constdataString=JSON.stringify(products)for(leti=0;i<products.length;i++){products[i].name=req.__(products[i].name)products[i].description=req.__(products[i].description)}res.json(utils.queryResultToJson(products))}).catch((error:ErrorWithParent)=>{next(error.parent)})}}
module.exports=functionsearchProducts(){return(req:Request,res:Response,next:NextFunction)=>{letcriteria:any=req.query.q==='undefined'?'':req.query.q??''criteria=(criteria.length<=200)?criteria:criteria.substring(0,200)criteria.replace(/"|'|;|and|or/i,"")models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`).then(([products]:any)=>{constdataString=JSON.stringify(products)for(leti=0;i<products.length;i++){products[i].name=req.__(products[i].name)products[i].description=req.__(products[i].description)}res.json(utils.queryResultToJson(products))}).catch((error:ErrorWithParent)=>{next(error.parent)})}}
constinjectionChars=/"|'|;|and|or|;|#/i;module.exports=functionsearchProducts(){return(req:Request,res:Response,next:NextFunction)=>{letcriteria:any=req.query.q==='undefined'?'':req.query.q??''criteria=(criteria.length<=200)?criteria:criteria.substring(0,200)if(criteria.match(injectionChars)){res.status(400).send()return}models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`).then(([products]:any)=>{constdataString=JSON.stringify(products)for(leti=0;i<products.length;i++){products[i].name=req.__(products[i].name)products[i].description=req.__(products[i].description)}res.json(utils.queryResultToJson(products))}).catch((error:ErrorWithParent)=>{next(error.parent)})}}
module.exports=functionsearchProducts(){return(req:Request,res:Response,next:NextFunction)=>{letcriteria:any=req.query.q==='undefined'?'':req.query.q??''criteria=(criteria.length<=200)?criteria:criteria.substring(0,200)models.sequelize.query("SELECT * FROM Products WHERE ((name LIKE '%"+criteria+"%' OR description LIKE '%"+criteria+"%') AND deletedAt IS NULL) ORDER BY name").then(([products]:any)=>{constdataString=JSON.stringify(products)for(leti=0;i<products.length;i++){products[i].name=req.__(products[i].name)products[i].description=req.__(products[i].description)}res.json(utils.queryResultToJson(products))}).catch((error:ErrorWithParent)=>{next(error.parent)})}}
varexpress=require('express')varapp=express()constSequelize=require('sequelize');constsequelize=newSequelize('database','username','password',{dialect:'sqlite',storage:'data/juiceshop.sqlite'});app.post('/login',function(req,res){sequelize.query('SELECT * FROM Products WHERE name LIKE '+req.body.username);})app.post('/update',function(req,res){sequelize.query('UPDATE products SET bla=bli WHERE name LIKE '+req.body.username);})app.post('/remove',function(req,res){sequelize.query('DELETE FROM product WHERE name LIKE '+req.body.username);})
constexpress=require('express');constrouter=express.Router()constconfig=require('../../config')constmysql=require('mysql');constconnection=mysql.createConnection({host:config.MYSQL_HOST,port:config.MYSQL_PORT,user:config.MYSQL_USER,password:config.MYSQL_PASSWORD,database:config.MYSQL_DB_NAME,});connection.connect();router.get('/example1/user/:id',(req,res)=>{letuserId=req.params.id;letquery={sql:"SELECT * FROM users WHERE id="+userId}connection.query(query,(err,result)=>{res.json(result);});})router.get('/example2/user/:id',(req,res)=>{letuserId=req.params.id;connection.query("SELECT * FROM users WHERE id="+userId,(err,result)=>{res.json(result);});})router.get('/example3/user/:id',(req,res)=>{letuserId=req.params.id;connection.query({sql:"SELECT * FROM users WHERE id="+userId},(err,result)=>{res.json(result);});})module.exports=router
Compliant Code Examples
import{BasketModel}from"../../../models/basket";module.exports=functionlogin(){functionafterLogin(user:{data:User,bid:number},res:Response,next:NextFunction){BasketModel.findOrCreate({where:{UserId:user.data.id}}).then(([basket]:[BasketModel,boolean])=>{consttoken=security.authorize(user)user.bid=basket.id// keep track of original basket
security.authenticatedUsers.put(token,user)res.json({authentication:{token,bid:basket.id,umail:user.data.email}})}).catch((error:Error)=>{next(error)})}return(req:Request,res:Response,next:NextFunction)=>{models.sequelize.query(`SELECT * FROM Users WHERE email = $1 AND password = $2 AND deletedAt IS NULL`,{bind:[req.body.email,req.body.password],model:models.User,plain:true}).then((authenticatedUser:{data:User})=>{constuser=utils.queryResultToJson(authenticatedUser)if(user.data?.id&&user.data.totpSecret!==''){res.status(401).json({status:'totp_token_required',data:{tmpToken:security.authorize({userId:user.data.id,type:'password_valid_needs_second_factor_token'})}})}elseif(user.data?.id){afterLogin(user,res,next)}else{res.status(401).send(res.__('Invalid email or password.'))}}).catch((error:Error)=>{next(error)})}
import{BasketModel}from"../../../models/basket";module.exports=functionlogin(){functionafterLogin(user:{data:User,bid:number},res:Response,next:NextFunction){BasketModel.findOrCreate({where:{UserId:user.data.id}}).then(([basket]:[BasketModel,boolean])=>{consttoken=security.authorize(user)user.bid=basket.id// keep track of original basket
security.authenticatedUsers.put(token,user)res.json({authentication:{token,bid:basket.id,umail:user.data.email}})}).catch((error:Error)=>{next(error)})}return(req:Request,res:Response,next:NextFunction)=>{models.sequelize.query('SELECT * FROM Users WHERE email = $1 AND password = $2 AND deletedAt IS NULL',{bind:[req.body.email,req.body.password],model:models.User,plain:true}).then((authenticatedUser:{data:User})=>{constuser=utils.queryResultToJson(authenticatedUser)if(user.data?.id&&user.data.totpSecret!==''){res.status(401).json({status:'totp_token_required',data:{tmpToken:security.authorize({userId:user.data.id,type:'password_valid_needs_second_factor_token'})}})}elseif(user.data?.id){afterLogin(user,res,next)}else{res.status(401).send(res.__('Invalid email or password.'))}}).catch((error:Error)=>{next(error)})}
Seamless integrations. Try Datadog Code Analysis
Datadog Code Analysis
Try this rule and analyze your code with Datadog Code Analysis
How to use this rule
1
2
rulesets:- javascript-node-security # Rules to enforce JavaScript node security.
Create a static-analysis.datadog.yml with the content above at the root of your repository
Use our free IDE Plugins or add Code Analysis scans to your CI pipelines
