Vulnerable branch #115
Vulnerable branch #115
Conversation
![Amplify [Lab]](https://avatars.githubusercontent.com/in/347747?s=40&u=f167c38980969fad1d181fdacb66403b97c6399a&v=4){kind=avatar}
✨ Amplify has finished checking this pull requestSecurity Pipeline
Vulnerabilities Detected
Note To ignore a finding, append |
![amplify-lab[bot]](https://avatars.githubusercontent.com/in/347747?s=60&v=4){kind=small}
| models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`) | ||
| .then(([products]: any) => { |
There was a problem hiding this comment.
Warning
Amplify has been notified that this line contains a vulnerability 🕷️.
Vulnerability: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Impact: HIGH
Code Fix: ✅
Amplify Security has prepared an automated remediation for review. Click here to review and commit the code fix.
| models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`) | |
| .then(([products]: any) => { | |
| models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE :criteria OR description LIKE :criteria) AND deletedAt IS NULL) ORDER BY name`, { replacements: { criteria: `%${criteria}%` }, type: models.sequelize.QueryTypes.SELECT }) | |
| .then((products: any) => { |
The code change fixes the SQL Injection vulnerability by using parameterized queries instead of directly concatenating user input into the SQL query string.
In the original code, the user input criteria is directly concatenated into the SQL query string using string interpolation (%${criteria}%). This allows an attacker to manipulate the criteria value and inject malicious SQL code, potentially leading to unauthorized access or data manipulation.
In the fixed code, the criteria value is passed as a parameter using the replacements option in the sequelize.query method. The :criteria placeholder is used in the SQL query string, and the actual value is provided in the replacements object ({ replacements: { criteria: %${criteria}% } }). This ensures that the user input is properly sanitized and treated as a parameter, preventing SQL injection attacks.
By using parameterized queries, the fixed code separates the SQL code from the user input, making it impossible for an attacker to inject malicious SQL code. The sequelize library handles the proper escaping and sanitization of the parameter values, ensuring the security of the SQL query.
For more information on preventing SQL injection vulnerabilities, you can refer to the following documentation:
Note
Have a question or concern about this vulnerability fix? Get an answer within seconds by asking our Concierge 🤖 with @amplify-security.
i.e. @amplify-security are there known performance issues resulting from this fix?
![Amplify [Local]](https://avatars.githubusercontent.com/in/327173?s=40&u=385f4cba7826c99f3e2aa6073e33099024585247&v=4){kind=avatar}
✨ Amplify has finished checking this pull requestSecurity Pipeline
Vulnerabilities Detected
Note To ignore a finding, append |
![amplify-local[bot]](https://avatars.githubusercontent.com/in/327173?s=60&v=4){kind=small}
| models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`) | ||
| .then(([products]: any) => { |
There was a problem hiding this comment.
Warning
Amplify has been notified that this line contains a vulnerability 🕷️.
Vulnerability: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Impact: HIGH
Code Fix: ✅
Amplify Security has prepared an automated remediation for review. Click here to review and commit the code fix.
| models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`) | |
| .then(([products]: any) => { | |
| models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE :criteria OR description LIKE :criteria) AND deletedAt IS NULL) ORDER BY name`, { replacements: { criteria: `%${criteria}%` }, type: models.sequelize.QueryTypes.SELECT }) | |
| .then((products: any) => { |
The code change fixes the SQL Injection vulnerability by using parameterized queries instead of directly concatenating user input into the SQL query string.
In the original code, the user input criteria is directly interpolated into the SQL query string using string concatenation. This allows an attacker to manipulate the value of criteria and inject malicious SQL code, potentially leading to unauthorized access or data manipulation.
In the fixed code, the criteria value is passed as a parameter using the replacements option in the sequelize.query method. This ensures that the user input is properly sanitized and escaped before being included in the SQL query. By using parameterized queries, the code prevents the SQL Injection vulnerability by separating the SQL code from the user input.
For more information on preventing SQL Injection vulnerabilities, you can refer to the following documentation:
Note
Have a question or concern about this vulnerability fix? Get an answer within seconds by asking our Concierge 🤖 with @amplify-security.
i.e. @amplify-security are there known performance issues resulting from this fix?
Description
A clear and concise summary of the change and which issue (if any) it fixes. Should also include relevant motivation and context.
Resolved or fixed issue:
Affirmation