Vulnerable branch #109
This reverts commit 1d3a90a.
- Loading branch information
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|
|
|
@@ -19,8 +19,8 @@ module.exports = function searchProducts() { | |||||||||
| return (req: Request, res: Response, next: NextFunction) => { | ||||||||||
| let criteria: any = req.query.q === 'undefined' ? '' : req.query.q ?? '' | ||||||||||
| criteria = (criteria.length <= 200) ? criteria : criteria.substring(0, 200) | ||||||||||
| models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`) // vuln-code-snippet vuln-line unionSqlInjectionChallenge dbSchemaChallenge | ||||||||||
| .then(([products]: any) => { | ||||||||||
|
Comment on lines
+22
to
+23
There was a problem hiding this comment. Warning Amplify has been notified that this line contains a vulnerability 🕷️. Vulnerability: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Impact: HIGH Guidance: ✅ Code Fix: ✅
Suggested change
The code change fixes the SQL Injection vulnerability by using parameterized queries instead of directly concatenating user input into the SQL query string. In the original code, the user input In the fixed code, the By using parameterized queries, the code ensures that user input is properly sanitized and escaped, eliminating the risk of SQL Injection vulnerabilities. For more information on preventing SQL Injection vulnerabilities, you can refer to the following documentation: Note Have a question or concern about this vulnerability fix? Get an answer within seconds by asking our Concierge 🤖 with |
||||||||||
| const dataString = JSON.stringify(products) | ||||||||||
| if (challengeUtils.notSolved(challenges.unionSqlInjectionChallenge)) { // vuln-code-snippet hide-start | ||||||||||
| let solved = true | ||||||||||
|
|
||||||||||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Warning
Amplify has been notified that this line contains a vulnerability 🕷️.
Vulnerability: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Impact: HIGH
Guidance: ✅
Code Fix: ✅
Learn more about this alert
Amplify Security has prepared an automated remediation for review. Click here to review and commit the code fix.
Note
Have a question or concern about this vulnerability fix? Get an answer within seconds by asking our Concierge 🤖 with
@amplify-security.i.e. @amplify-security are there known performance issues resulting from this fix?