This product is not supported for your selected Datadog site. ().
Cette page n'est pas encore disponible en français, sa traduction est en cours. Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.
// SQL statements inside tagged templates are assumed to be escaped correctly.
asyncfunctionfindUser1(input){returnprisma.$queryRaw`SELECT id FROM User WHERE name = ${input}`;}asyncfunctionfindUser2(input){returnsql`SELECT id FROM User WHERE name = ${input}`;}// However, untagged templates are still treated as raw strings.
asyncfunctionfindUser3(input){returndb.query(`SELECT id FROM User WHERE name = ${input}`);}
module.exports=functionsearchProducts(){return(req: Request,res: Response,next: NextFunction)=>{letcriteria: any=req.query.q==='undefined'?'':req.query.q??''criteria=(criteria.length<=200)?criteria : criteria.substring(0,200)// only allow apple or orange related searches
if(!criteria.startsWith("apple")||!criteria.startsWith("orange")){res.status(400).send()return}models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`).then(([products]:any)=>{constdataString=JSON.stringify(products)for(leti=0;i<products.length;i++){products[i].name=req.__(products[i].name)products[i].description=req.__(products[i].description)}res.json(utils.queryResultToJson(products))}).catch((error: ErrorWithParent)=>{next(error.parent)})}}
module.exports=functionsearchProducts(){return(req: Request,res: Response,next: NextFunction)=>{letcriteria: any=req.query.q==='undefined'?'':req.query.q??''criteria=(criteria.length<=200)?criteria : criteria.substring(0,200)criteria.replace(/"|'|;|and|or/i,"")models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`).then(([products]:any)=>{constdataString=JSON.stringify(products)for(leti=0;i<products.length;i++){products[i].name=req.__(products[i].name)products[i].description=req.__(products[i].description)}res.json(utils.queryResultToJson(products))}).catch((error: ErrorWithParent)=>{next(error.parent)})}}
constinjectionChars=/"|'|;|and|or|;|#/i;module.exports=functionsearchProducts(){return(req: Request,res: Response,next: NextFunction)=>{letcriteria: any=req.query.q==='undefined'?'':req.query.q??''criteria=(criteria.length<=200)?criteria : criteria.substring(0,200)if(criteria.match(injectionChars)){res.status(400).send()return}models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`).then(([products]:any)=>{constdataString=JSON.stringify(products)for(leti=0;i<products.length;i++){products[i].name=req.__(products[i].name)products[i].description=req.__(products[i].description)}res.json(utils.queryResultToJson(products))}).catch((error: ErrorWithParent)=>{next(error.parent)})}}
module.exports=functionsearchProducts(){return(req: Request,res: Response,next: NextFunction)=>{letcriteria: any=req.query.q==='undefined'?'':req.query.q??''criteria=(criteria.length<=200)?criteria : criteria.substring(0,200)models.sequelize.query("SELECT * FROM Products WHERE ((name LIKE '%"+criteria+"%' OR description LIKE '%"+criteria+"%') AND deletedAt IS NULL) ORDER BY name").then(([products]:any)=>{constdataString=JSON.stringify(products)for(leti=0;i<products.length;i++){products[i].name=req.__(products[i].name)products[i].description=req.__(products[i].description)}res.json(utils.queryResultToJson(products))}).catch((error: ErrorWithParent)=>{next(error.parent)})}}
varexpress=require('express')varapp=express()constSequelize=require('sequelize');constsequelize=newSequelize('database','username','password',{dialect:'sqlite',storage:'data/juiceshop.sqlite'});app.post('/login',function(req,res){sequelize.query('SELECT * FROM Products WHERE name LIKE '+req.body.username);})app.post('/update',function(req,res){sequelize.query('UPDATE products SET bla=bli WHERE name LIKE '+req.body.username);})app.post('/remove',function(req,res){sequelize.query('DELETE FROM product WHERE name LIKE '+req.body.username);})
constexpress=require('express');constrouter=express.Router()constconfig=require('../../config')constmysql=require('mysql');constconnection=mysql.createConnection({host : config.MYSQL_HOST,port : config.MYSQL_PORT,user : config.MYSQL_USER,password : config.MYSQL_PASSWORD,database : config.MYSQL_DB_NAME,});connection.connect();router.get('/example1/user/:id',(req,res)=>{letuserId=req.params.id;letquery={sql:"SELECT * FROM users WHERE id="+userId}connection.query(query,(err,result)=>{res.json(result);});})router.get('/example2/user/:id',(req,res)=>{letuserId=req.params.id;connection.query("SELECT * FROM users WHERE id="+userId,(err,result)=>{res.json(result);});})router.get('/example3/user/:id',(req,res)=>{letuserId=req.params.id;connection.query({sql:"SELECT * FROM users WHERE id="+userId},(err,result)=>{res.json(result);});})module.exports=router
Compliant Code Examples
import{BasketModel}from"../../../models/basket";module.exports=functionlogin(){functionafterLogin(user:{data: User,bid: number},res: Response,next: NextFunction){BasketModel.findOrCreate({where:{UserId: user.data.id}}).then(([basket]:[BasketModel,boolean])=>{consttoken=security.authorize(user)user.bid=basket.id// keep track of original basket
security.authenticatedUsers.put(token,user)res.json({authentication:{token,bid: basket.id,umail: user.data.email}})}).catch((error: Error)=>{next(error)})}return(req: Request,res: Response,next: NextFunction)=>{models.sequelize.query(`SELECT * FROM Users WHERE email = $1 AND password = $2 AND deletedAt IS NULL`,{bind:[req.body.email,req.body.password],model: models.User,plain: true}).then((authenticatedUser:{data: User})=>{constuser=utils.queryResultToJson(authenticatedUser)if(user.data?.id&&user.data.totpSecret!==''){res.status(401).json({status:'totp_token_required',data:{tmpToken: security.authorize({userId: user.data.id,type:'password_valid_needs_second_factor_token'})}})}elseif(user.data?.id){afterLogin(user,res,next)}else{res.status(401).send(res.__('Invalid email or password.'))}}).catch((error: Error)=>{next(error)})}
import{BasketModel}from"../../../models/basket";module.exports=functionlogin(){functionafterLogin(user:{data: User,bid: number},res: Response,next: NextFunction){BasketModel.findOrCreate({where:{UserId: user.data.id}}).then(([basket]:[BasketModel,boolean])=>{consttoken=security.authorize(user)user.bid=basket.id// keep track of original basket
security.authenticatedUsers.put(token,user)res.json({authentication:{token,bid: basket.id,umail: user.data.email}})}).catch((error: Error)=>{next(error)})}return(req: Request,res: Response,next: NextFunction)=>{models.sequelize.query('SELECT * FROM Users WHERE email = $1 AND password = $2 AND deletedAt IS NULL',{bind:[req.body.email,req.body.password],model: models.User,plain: true}).then((authenticatedUser:{data: User})=>{constuser=utils.queryResultToJson(authenticatedUser)if(user.data?.id&&user.data.totpSecret!==''){res.status(401).json({status:'totp_token_required',data:{tmpToken: security.authorize({userId: user.data.id,type:'password_valid_needs_second_factor_token'})}})}elseif(user.data?.id){afterLogin(user,res,next)}else{res.status(401).send(res.__('Invalid email or password.'))}}).catch((error: Error)=>{next(error)})}
Seamless integrations. Try Datadog Code Security
Datadog Code Security
Try this rule and analyze your code with Datadog Code Security
How to use this rule
1
2
rulesets:- typescript-node-security # Rules to enforce TypeScript node security.
Create a static-analysis.datadog.yml with the content above at the root of your repository
Use our free IDE Plugins or add Code Security scans to your CI pipelines
