Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel,
n'hésitez pas à nous contacter.
ID: javascript-node-security/sql-injection
Language: JavaScript
Severity: Error
Category: Security
CWE: 89
Description
Check for variable declarations in a SQL statement where there is potential for SQL injections.
Learn More
Non-Compliant Code Examples
module.exports = function searchProducts () {
return (req: Request, res: Response, next: NextFunction) => {
let criteria: any = req.query.q === 'undefined' ? '' : req.query.q ?? ''
criteria = (criteria.length <= 200) ? criteria : criteria.substring(0, 200)
// only allow apple or orange related searches
if (!criteria.startsWith("apple") || !criteria.startsWith("orange")) {
res.status(400).send()
return
}
models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`)
.then(([products]: any) => {
const dataString = JSON.stringify(products)
for (let i = 0; i < products.length; i++) {
products[i].name = req.__(products[i].name)
products[i].description = req.__(products[i].description)
}
res.json(utils.queryResultToJson(products))
}).catch((error: ErrorWithParent) => {
next(error.parent)
})
}
}
module.exports = function searchProducts () {
return (req: Request, res: Response, next: NextFunction) => {
let criteria: any = req.query.q === 'undefined' ? '' : req.query.q ?? ''
criteria = (criteria.length <= 200) ? criteria : criteria.substring(0, 200)
criteria.replace(/"|'|;|and|or/i, "")
models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`)
.then(([products]: any) => {
const dataString = JSON.stringify(products)
for (let i = 0; i < products.length; i++) {
products[i].name = req.__(products[i].name)
products[i].description = req.__(products[i].description)
}
res.json(utils.queryResultToJson(products))
}).catch((error: ErrorWithParent) => {
next(error.parent)
})
}
}
const injectionChars = /"|'|;|and|or|;|#/i;
module.exports = function searchProducts () {
return (req: Request, res: Response, next: NextFunction) => {
let criteria: any = req.query.q === 'undefined' ? '' : req.query.q ?? ''
criteria = (criteria.length <= 200) ? criteria : criteria.substring(0, 200)
if (criteria.match(injectionChars)) {
res.status(400).send()
return
}
models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`)
.then(([products]: any) => {
const dataString = JSON.stringify(products)
for (let i = 0; i < products.length; i++) {
products[i].name = req.__(products[i].name)
products[i].description = req.__(products[i].description)
}
res.json(utils.queryResultToJson(products))
}).catch((error: ErrorWithParent) => {
next(error.parent)
})
}
}
module.exports = function searchProducts () {
return (req: Request, res: Response, next: NextFunction) => {
let criteria: any = req.query.q === 'undefined' ? '' : req.query.q ?? ''
criteria = (criteria.length <= 200) ? criteria : criteria.substring(0, 200)
models.sequelize.query("SELECT * FROM Products WHERE ((name LIKE '%"+criteria+"%' OR description LIKE '%"+criteria+"%') AND deletedAt IS NULL) ORDER BY name")
.then(([products]: any) => {
const dataString = JSON.stringify(products)
for (let i = 0; i < products.length; i++) {
products[i].name = req.__(products[i].name)
products[i].description = req.__(products[i].description)
}
res.json(utils.queryResultToJson(products))
}).catch((error: ErrorWithParent) => {
next(error.parent)
})
}
}
var express = require('express')
var app = express()
const Sequelize = require('sequelize');
const sequelize = new Sequelize('database', 'username', 'password', {
dialect: 'sqlite',
storage: 'data/juiceshop.sqlite'
});
app.post('/login', function (req, res) {
sequelize.query('SELECT * FROM Products WHERE name LIKE ' + req.body.username);
})
app.post('/update', function (req, res) {
sequelize.query('UPDATE products SET bla=bli WHERE name LIKE ' + req.body.username);
})
app.post('/remove', function (req, res) {
sequelize.query('DELETE FROM product WHERE name LIKE ' + req.body.username);
})
const express = require('express');
const router = express.Router()
const config = require('../../config')
const mysql = require('mysql');
const connection = mysql.createConnection({
host : config.MYSQL_HOST,
port : config.MYSQL_PORT,
user : config.MYSQL_USER,
password : config.MYSQL_PASSWORD,
database : config.MYSQL_DB_NAME,
});
connection.connect();
router.get('/example1/user/:id', (req,res) => {
let userId = req.params.id;
let query = {
sql : "SELECT * FROM users WHERE id=" + userId
}
connection.query(query,(err, result) => {
res.json(result);
});
})
router.get('/example2/user/:id', (req,res) => {
let userId = req.params.id;
connection.query("SELECT * FROM users WHERE id=" + userId,(err, result) => {
res.json(result);
});
})
router.get('/example3/user/:id', (req,res) => {
let userId = req.params.id;
connection.query({
sql : "SELECT * FROM users WHERE id=" +userId
},(err, result) => {
res.json(result);
});
})
module.exports = router
Compliant Code Examples
import {BasketModel} from "../../../models/basket";
module.exports = function login () {
function afterLogin (user: { data: User, bid: number }, res: Response, next: NextFunction) {
BasketModel.findOrCreate({ where: { UserId: user.data.id } })
.then(([basket]: [BasketModel, boolean]) => {
const token = security.authorize(user)
user.bid = basket.id // keep track of original basket
security.authenticatedUsers.put(token, user)
res.json({ authentication: { token, bid: basket.id, umail: user.data.email } })
}).catch((error: Error) => {
next(error)
})
}
return (req: Request, res: Response, next: NextFunction) => {
models.sequelize.query(`SELECT * FROM Users WHERE email = $1 AND password = $2 AND deletedAt IS NULL`,
{ bind: [ req.body.email, req.body.password ], model: models.User, plain: true })
.then((authenticatedUser: { data: User }) => {
const user = utils.queryResultToJson(authenticatedUser)
if (user.data?.id && user.data.totpSecret !== '') {
res.status(401).json({
status: 'totp_token_required',
data: {
tmpToken: security.authorize({
userId: user.data.id,
type: 'password_valid_needs_second_factor_token'
})
}
})
} else if (user.data?.id) {
afterLogin(user, res, next)
} else {
res.status(401).send(res.__('Invalid email or password.'))
}
}).catch((error: Error) => {
next(error)
})
}
import {BasketModel} from "../../../models/basket";
module.exports = function login () {
function afterLogin (user: { data: User, bid: number }, res: Response, next: NextFunction) {
BasketModel.findOrCreate({ where: { UserId: user.data.id } })
.then(([basket]: [BasketModel, boolean]) => {
const token = security.authorize(user)
user.bid = basket.id // keep track of original basket
security.authenticatedUsers.put(token, user)
res.json({ authentication: { token, bid: basket.id, umail: user.data.email } })
}).catch((error: Error) => {
next(error)
})
}
return (req: Request, res: Response, next: NextFunction) => {
models.sequelize.query('SELECT * FROM Users WHERE email = $1 AND password = $2 AND deletedAt IS NULL',
{ bind: [ req.body.email, req.body.password ], model: models.User, plain: true })
.then((authenticatedUser: { data: User }) => {
const user = utils.queryResultToJson(authenticatedUser)
if (user.data?.id && user.data.totpSecret !== '') {
res.status(401).json({
status: 'totp_token_required',
data: {
tmpToken: security.authorize({
userId: user.data.id,
type: 'password_valid_needs_second_factor_token'
})
}
})
} else if (user.data?.id) {
afterLogin(user, res, next)
} else {
res.status(401).send(res.__('Invalid email or password.'))
}
}).catch((error: Error) => {
next(error)
})
}