Revert "Amplify Security - Code fix for CWE-89 accepted"

This reverts commit b0ada84.

routes/search.ts

@@ -1 +1,73 @@
-LyoKICogQ29weXJpZ2h0IChjKSAyMDE0LTIwMjMgQmpvZXJuIEtpbW1pbmljaCAmIHRoZSBPV0FTUCBKdWljZSBTaG9wIGNvbnRyaWJ1dG9ycy4KICogU1BEWC1MaWNlbnNlLUlkZW50aWZpZXI6IE1JVAogKi8KaW1wb3J0IG1vZGVscyA9IHJlcXVpcmUoJy4uL21vZGVscy9pbmRleCcpCmltcG9ydCB7IFJlcXVlc3QsIFJlc3BvbnNlLCBOZXh0RnVuY3Rpb24gfSBmcm9tICdleHByZXNzJwppbXBvcnQgeyBVc2VyTW9kZWwgfSBmcm9tICcuLi9tb2RlbHMvdXNlcicKCmltcG9ydCAqIGFzIHV0aWxzIGZyb20gJy4uL2xpYi91dGlscycKY29uc3QgY2hhbGxlbmdlVXRpbHMgPSByZXF1aXJlKCcuLi9saWIvY2hhbGxlbmdlVXRpbHMnKQpjb25zdCBjaGFsbGVuZ2VzID0gcmVxdWlyZSgnLi4vZGF0YS9kYXRhY2FjaGUnKS5jaGFsbGVuZ2VzCgpjbGFzcyBFcnJvcldpdGhQYXJlbnQgZXh0ZW5kcyBFcnJvciB7CiAgcGFyZW50OiBFcnJvciB8IHVuZGVmaW5lZAp9CgovLyB2dWxuLWNvZGUtc25pcHBldCBzdGFydCB1bmlvblNxbEluamVjdGlvbkNoYWxsZW5nZSBkYlNjaGVtYUNoYWxsZW5nZQptb2R1bGUuZXhwb3J0cyA9IGZ1bmN0aW9uIHNlYXJjaFByb2R1Y3RzKCkgewogIHJldHVybiAocmVxOiBSZXF1ZXN0LCByZXM6IFJlc3BvbnNlLCBuZXh0OiBOZXh0RnVuY3Rpb24pID0+IHsKICAgIGxldCBjcml0ZXJpYTogYW55ID0gcmVxLnF1ZXJ5LnEgPT09ICd1bmRlZmluZWQnID8gJycgOiByZXEucXVlcnkucSA/PyAnJwogICAgY3JpdGVyaWEgPSAoY3JpdGVyaWEubGVuZ3RoIDw9IDIwMCkgPyBjcml0ZXJpYSA6IGNyaXRlcmlhLnN1YnN0cmluZygwLCAyMDApCiAgICBtb2RlbHMuc2VxdWVsaXplLnF1ZXJ5KGBTRUxFQ1QgKiBGUk9NIFByb2R1Y3RzIFdIRVJFICgobmFtZSBMSUtFIDpjcml0ZXJpYSBPUiBkZXNjcmlwdGlvbiBMSUtFIDpjcml0ZXJpYSkgQU5EIGRlbGV0ZWRBdCBJUyBOVUxMKSBPUkRFUiBCWSBuYW1lYCwgeyByZXBsYWNlbWVudHM6IHsgY3JpdGVyaWE6IGAlJHtjcml0ZXJpYX0lYCB9IH0pIC8vIHZ1bG4tY29kZS1zbmlwcGV0IHZ1bG4tbGluZSB1bmlvblNxbEluamVjdGlvbkNoYWxsZW5nZSBkYlNjaGVtYUNoYWxsZW5nZQogICAgICAudGhlbigoW3Byb2R1Y3RzXTogYW55KSA9PiB7CiAgICAgICAgY29uc3QgZGF0YVN0cmluZyA9IEpTT04uc3RyaW5naWZ5KHByb2R1Y3RzKQogICAgICAgIGlmIChjaGFsbGVuZ2VVdGlscy5ub3RTb2x2ZWQoY2hhbGxlbmdlcy51bmlvblNxbEluamVjdGlvbkNoYWxsZW5nZSkpIHsgLy8gdnVsbi1jb2RlLXNuaXBwZXQgaGlkZS1zdGFydAogICAgICAgICAgbGV0IHNvbHZlZCA9IHRydWUKICAgICAgICAgIFVzZXJNb2RlbC5maW5kQWxsKCkudGhlbihkYXRhID0+IHsKICAgICAgICAgICAgY29uc3QgdXNlcnMgPSB1dGlscy5xdWVyeVJlc3VsdFRvSnNvbihkYXRhKQogICAgICAgICAgICBpZiAodXNlcnMuZGF0YT8ubGVuZ3RoKSB7CiAgICAgICAgICAgICAgZm9yIChsZXQgaSA9IDA7IGkgPCB1c2Vycy5kYXRhLmxlbmd0aDsgaSsrKSB7CiAgICAgICAgICAgICAgICBzb2x2ZWQgPSBzb2x2ZWQgJiYgdXRpbHMuY29udGFpbnNPckVzY2FwZWQoZGF0YVN0cmluZywgdXNlcnMuZGF0YVtpXS5lbWFpbCkgJiYgdXRpbHMuY29udGFpbnMoZGF0YVN0cmluZywgdXNlcnMuZGF0YVtpXS5wYXNzd29yZCkKICAgICAgICAgICAgICAgIGlmICghc29sdmVkKSB7CiAgICAgICAgICAgICAgICAgIGJyZWFrCiAgICAgICAgICAgICAgICB9CiAgICAgICAgICAgICAgfQogICAgICAgICAgICAgIGlmIChzb2x2ZWQpIHsKICAgICAgICAgICAgICAgIGNoYWxsZW5nZVV0aWxzLnNvbHZlKGNoYWxsZW5nZXMudW5pb25TcWxJbmplY3Rpb25DaGFsbGVuZ2UpCiAgICAgICAgICAgICAgfQogICAgICAgICAgICB9CiAgICAgICAgICB9KS5jYXRjaCgoZXJyb3I6IEVycm9yKSA9PiB7CiAgICAgICAgICAgIG5leHQoZXJyb3IpCiAgICAgICAgICB9KQogICAgICAgIH0KICAgICAgICBpZiAoY2hhbGxlbmdlVXRpbHMubm90U29sdmVkKGNoYWxsZW5nZXMuZGJTY2hlbWFDaGFsbGVuZ2UpKSB7CiAgICAgICAgICBsZXQgc29sdmVkID0gdHJ1ZQogICAgICAgICAgbW9kZWxzLnNlcXVlbGl6ZS5xdWVyeSgnU0VMRUNUIHNxbCBGUk9NIHNxbGl0ZV9tYXN0ZXInKS50aGVuKChbZGF0YV06IGFueSkgPT4gewogICAgICAgICAgICBjb25zdCB0YWJsZURlZmluaXRpb25zID0gdXRpbHMucXVlcnlSZXN1bHRUb0pzb24oZGF0YSkKICAgICAgICAgICAgaWYgKHRhYmxlRGVmaW5pdGlvbnMuZGF0YT8ubGVuZ3RoKSB7CiAgICAgICAgICAgICAgZm9yIChsZXQgaSA9IDA7IGkgPCB0YWJsZURlZmluaXRpb25zLmRhdGEubGVuZ3RoOyBpKyspIHsKICAgICAgICAgICAgICAgIGlmICh0YWJsZURlZmluaXRpb25zLmRhdGFbaV0uc3FsKSB7CiAgICAgICAgICAgICAgICAgIHNvbHZlZCA9IHNvbHZlZCAmJiB1dGlscy5jb250YWluc09yRXNjYXBlZChkYXRhU3RyaW5nLCB0YWJsZURlZmluaXRpb25zLmRhdGFbaV0uc3FsKQogICAgICAgICAgICAgICAgICBpZiAoIXNvbHZlZCkgewogICAgICAgICAgICAgICAgICAgIGJyZWFrCiAgICAgICAgICAgICAgICAgIH0KICAgICAgICAgICAgICAgIH0KICAgICAgICAgICAgICB9CiAgICAgICAgICAgICAgaWYgKHNvbHZlZCkgewogICAgICAgICAgICAgICAgY2hhbGxlbmdlVXRpbHMuc29sdmUoY2hhbGxlbmdlcy5kYlNjaGVtYUNoYWxsZW5nZSkKICAgICAgICAgICAgICB9CiAgICAgICAgICAgIH0KICAgICAgICAgIH0pCiAgICAgICAgfSAvLyB2dWxuLWNvZGUtc25pcHBldCBoaWRlLWVuZAogICAgICAgIGZvciAobGV0IGkgPSAwOyBpIDwgcHJvZHVjdHMubGVuZ3RoOyBpKyspIHsKICAgICAgICAgIHByb2R1Y3RzW2ldLm5hbWUgPSByZXEuX18ocHJvZHVjdHNbaV0ubmFtZSkKICAgICAgICAgIHByb2R1Y3RzW2ldLmRlc2NyaXB0aW9uID0gcmVxLl9fKHByb2R1Y3RzW2ldLmRlc2NyaXB0aW9uKQogICAgICAgIH0KICAgICAgICByZXMuanNvbih1dGlscy5xdWVyeVJlc3VsdFRvSnNvbihwcm9kdWN0cykpCiAgICAgIH0pLmNhdGNoKChlcnJvcjogRXJyb3JXaXRoUGFyZW50KSA9PiB7CiAgICAgICAgbmV4dChlcnJvci5wYXJlbnQpCiAgICAgIH0pCiAgfQp9Ci8vIHZ1bG4tY29kZS1zbmlwcGV0IGVuZCB1bmlvblNxbEluamVjdGlvbkNoYWxsZW5nZSBkYlNjaGVtYUNoYWxsZW5nZQo=
+/*
+ * Copyright (c) 2014-2023 Bjoern Kimminich & the OWASP Juice Shop contributors.
+ * SPDX-License-Identifier: MIT
+ */
+import models = require('../models/index')
+import { Request, Response, NextFunction } from 'express'
+import { UserModel } from '../models/user'
+
+import * as utils from '../lib/utils'
+const challengeUtils = require('../lib/challengeUtils')
+const challenges = require('../data/datacache').challenges
+
+class ErrorWithParent extends Error {
+  parent: Error | undefined
+}
+
+// vuln-code-snippet start unionSqlInjectionChallenge dbSchemaChallenge
+module.exports = function searchProducts() {
+  return (req: Request, res: Response, next: NextFunction) => {
+    let criteria: any = req.query.q === 'undefined' ? '' : req.query.q ?? ''
+    criteria = (criteria.length <= 200) ? criteria : criteria.substring(0, 200)
+    models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`) // vuln-code-snippet vuln-line unionSqlInjectionChallenge dbSchemaChallenge
+      .then(([products]: any) => {
+        const dataString = JSON.stringify(products)
+        if (challengeUtils.notSolved(challenges.unionSqlInjectionChallenge)) { // vuln-code-snippet hide-start
+          let solved = true
+          UserModel.findAll().then(data => {
+            const users = utils.queryResultToJson(data)
+            if (users.data?.length) {
+              for (let i = 0; i < users.data.length; i++) {
+                solved = solved && utils.containsOrEscaped(dataString, users.data[i].email) && utils.contains(dataString, users.data[i].password)
+                if (!solved) {
+                  break
+                }
+              }
+              if (solved) {
+                challengeUtils.solve(challenges.unionSqlInjectionChallenge)
+              }
+            }
+          }).catch((error: Error) => {
+            next(error)
+          })
+        }
+        if (challengeUtils.notSolved(challenges.dbSchemaChallenge)) {
+          let solved = true
+          models.sequelize.query('SELECT sql FROM sqlite_master').then(([data]: any) => {
+            const tableDefinitions = utils.queryResultToJson(data)
+            if (tableDefinitions.data?.length) {
+              for (let i = 0; i < tableDefinitions.data.length; i++) {
+                if (tableDefinitions.data[i].sql) {
+                  solved = solved && utils.containsOrEscaped(dataString, tableDefinitions.data[i].sql)
+                  if (!solved) {
+                    break
+                  }
+                }
+              }
+              if (solved) {
+                challengeUtils.solve(challenges.dbSchemaChallenge)
+              }
+            }
+          })
+        } // vuln-code-snippet hide-end
+        for (let i = 0; i < products.length; i++) {
+          products[i].name = req.__(products[i].name)
+          products[i].description = req.__(products[i].description)
+        }
+        res.json(utils.queryResultToJson(products))
+      }).catch((error: ErrorWithParent) => {
+        next(error.parent)
+      })
+  }
+}
+// vuln-code-snippet end unionSqlInjectionChallenge dbSchemaChallenge