[ Lab ] Testing remediations after retry improvements #101

Closed
wants to merge 11 commits into from
Added search query + introduced vulnerability
mwillfox committed Sep 21, 2023
commit f3248e70d60dc1eab4c98ba3e63a688a199d681a
60 changes: 59 additions & 1 deletion routes/search.ts
@@ -2,14 +2,72 @@
* Copyright (c) 2014-2023 Bjoern Kimminich & the OWASP Juice Shop contributors.
* SPDX-License-Identifier: MIT
*/
import models = require('../models/index')
import { Request, Response, NextFunction } from 'express'
import { UserModel } from '../models/user'

import * as utils from '../lib/utils'
const challengeUtils = require('../lib/challengeUtils')
const challenges = require('../data/datacache').challenges

class ErrorWithParent extends Error {
parent: Error | undefined
}

// vuln-code-snippet start unionSqlInjectionChallenge dbSchemaChallenge
module.exports = function searchProducts() {
return (req: Request, res: Response, next: NextFunction) => {
let criteria: any = req.query.q === 'undefined' ? '' : req.query.q ?? ''
criteria = (criteria.length <= 200) ? criteria : criteria.substring(0, 200)
console.log(criteria)
models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`) // vuln-code-snippet vuln-line unionSqlInjectionChallenge dbSchemaChallenge
.then(([products]: any) => {
Comment on lines +22 to +23

Warning

Amplify has been notified that this line contains a vulnerability 🕷️.

Vulnerability: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Impact: HIGH

Guidance: ✅

Code Fix: ✅

Learn more about this alert

Suggested change
models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`) // vuln-code-snippet vuln-line unionSqlInjectionChallenge dbSchemaChallenge
.then(([products]: any) => {
models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE :criteria OR description LIKE :criteria) AND deletedAt IS NULL) ORDER BY name`, { replacements: { criteria: `%${criteria}%` }, type: models.sequelize.QueryTypes.SELECT }) // vuln-code-snippet vuln-line unionSqlInjectionChallenge dbSchemaChallenge
.then((products: any) => {
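Review bot: the replacement `models.sequelize.query` line still ends with `// vuln-code-snippet vuln-line unionSqlInjectionChallenge dbSchemaChallenge`, so the parameterized line would keep being marked as the vulnerable one; drop or update that trailing annotation if the suggestion is applied. The change from `.then(([products]: any)` to `.then((products: any)` belongs with the added `type: models.sequelize.QueryTypes.SELECT` option, so the two lines need to be applied together.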

The code change fixes the SQL Injection vulnerability by using parameterized queries instead of directly concatenating user input into the SQL query.

In the original code, the user input criteria is directly interpolated into the SQL query using string concatenation. This allows an attacker to manipulate the input and inject malicious SQL code, potentially leading to unauthorized access or data manipulation.

In the fixed code, the criteria value is passed as a parameter using the replacements option in the sequelize.query method. This ensures that the user input is properly escaped and treated as a parameter rather than part of the SQL query itself. Parameterized queries help prevent SQL Injection attacks by separating the SQL code from the user input.

By using parameterized queries, the fixed code mitigates the SQL Injection vulnerability and makes the application more secure.

For more information on SQL Injection and how to prevent it, you can refer to the OWASP SQL Injection Prevention Cheat Sheet.

Note

Have a question or concern about this vulnerability fix? Get an answer within seconds by asking our Concierge 🤖 with @amplify-security.
i.e. @amplify-security are there known performance issues resulting from this fix?

const dataString = JSON.stringify(products)
if (challengeUtils.notSolved(challenges.unionSqlInjectionChallenge)) { // vuln-code-snippet hide-start
let solved = true
UserModel.findAll().then(data => {
const users = utils.queryResultToJson(data)
if (users.data?.length) {
for (let i = 0; i < users.data.length; i++) {
solved = solved && utils.containsOrEscaped(dataString, users.data[i].email) && utils.contains(dataString, users.data[i].password)
if (!solved) {
break
}
}
if (solved) {
challengeUtils.solve(challenges.unionSqlInjectionChallenge)
}
}
}).catch((error: Error) => {
next(error)
})
}
if (challengeUtils.notSolved(challenges.dbSchemaChallenge)) {
let solved = true
models.sequelize.query('SELECT sql FROM sqlite_master').then(([data]: any) => {
const tableDefinitions = utils.queryResultToJson(data)
if (tableDefinitions.data?.length) {
for (let i = 0; i < tableDefinitions.data.length; i++) {
if (tableDefinitions.data[i].sql) {
solved = solved && utils.containsOrEscaped(dataString, tableDefinitions.data[i].sql)
if (!solved) {
break
}
}
}
if (solved) {
challengeUtils.solve(challenges.dbSchemaChallenge)
}
}
})
} // vuln-code-snippet hide-end
for (let i = 0; i < products.length; i++) {
products[i].name = req.__(products[i].name)
products[i].description = req.__(products[i].description)
}
res.json(utils.queryResultToJson(products))
}).catch((error: ErrorWithParent) => {
next(error.parent)
})
}
}
// vuln-code-snippet end unionSqlInjectionChallenge dbSchemaChallenge
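Review bot: the `models.sequelize.query('SELECT sql FROM sqlite_master')` chain in the `dbSchemaChallenge` branch has no `.catch`, unlike the `UserModel.findAll()` chain directly above it, so a rejection there goes unhandled; add the same `.catch((error: Error) => { next(error) })`. Two smaller points in the same hunk: `console.log(criteria)` writes the raw `req.query.q` value to the server log and should be removed before merge, and the final handler calls `next(error.parent)` although `parent` is declared `Error | undefined`, so an error without a parent reaches `next` as `undefined` and is not reported; `next(error.parent ?? error)` avoids that.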