[Local] Test before project delete

[mwillfox]

Description

A clear and concise summary of the change and which issue (if any) it fixes. Should also include relevant motivation and context.

Resolved or fixed issue:

Affirmation

• My code follows the CONTRIBUTING.md guidelines

[amplify-lab]

✨ Amplify has finished checking this pull request

⚠️ 2 issues detected in 📄 3 files and ❇️ 63 lines of code.

Security Pipeline

Tool	Configured	Result
Semgrep	✅	⚠️

Vulnerabilities Detected

Vulnerability	Path	Fingerprint
CWE-89	routes/search.ts:22	[eec4f3b0...]
CWE-89	routes/search.ts:22	[ed4aa726...]

Note

To ignore a finding, append @amplify-ignore in a comment to the end of the vulnerable line like // @amplify-ignore or # @amplify-ignore. For more details, visit Amplify Security.

[amplify-lab]

Warning

Amplify has been notified that this line contains a vulnerability 🕷️.

Vulnerability: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Impact: HIGH

Code Fix: ✅

Amplify Security has prepared an automated remediation for review. Click here to review and commit the code fix.

Suggested change

	models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`)
	.then(([products]: any) => {
	models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE :criteria OR description LIKE :criteria) AND deletedAt IS NULL) ORDER BY name`, { replacements: { criteria: `%${criteria}%` }, type: models.sequelize.QueryTypes.SELECT })
	.then((products: any) => {

The code change fixes the SQL Injection vulnerability by using parameterized queries instead of directly concatenating user input into the SQL query string.

In the original code, the user input criteria is directly concatenated into the SQL query string using string interpolation (%${criteria}%). This allows an attacker to manipulate the criteria value and inject malicious SQL code, potentially leading to unauthorized access or data manipulation.

In the fixed code, the criteria value is passed as a parameter using the replacements option in the sequelize.query method. The :criteria placeholder in the query string is replaced with the actual value of criteria during query execution. This ensures that the user input is treated as a parameter and not as part of the SQL query itself, effectively preventing SQL Injection attacks.

For more information on preventing SQL Injection vulnerabilities, you can refer to the following documentation:

• OWASP SQL Injection Prevention Cheat Sheet
• Sequelize Querying - Raw Queries

Note

Have a question or concern about this vulnerability fix? Get an answer within seconds by asking our Concierge 🤖 with @amplify-security.
i.e. @amplify-security are there known performance issues resulting from this fix?

[amplify-lab]

Warning

Amplify has been notified that this line contains a vulnerability 🕷️.

Vulnerability: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Impact: MEDIUM

Code Fix: ✅

Amplify Security has prepared an automated remediation for review. Click here to review and commit the code fix.

Suggested change

	models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`)
	.then(([products]: any) => {
	models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE :criteria OR description LIKE :criteria) AND deletedAt IS NULL) ORDER BY name`, { replacements: { criteria: `%${criteria}%` }, type: models.sequelize.QueryTypes.SELECT })
	.then((products: any) => {

The code change fixes the 'Cross-site Scripting' vulnerability by properly neutralizing the input before using it in the SQL query.

In the original code, the criteria variable is directly concatenated into the SQL query string using string interpolation. This can allow an attacker to inject malicious code into the query, leading to a cross-site scripting vulnerability.

The code change replaces the string interpolation with parameterized queries. It uses the replacements option in the sequelize.query method to pass the criteria value as a parameter. This ensures that the input is properly escaped and prevents any malicious code from being executed.

By using parameterized queries, the code change mitigates the risk of cross-site scripting vulnerabilities by properly handling user input in the SQL query.

Note

Have a question or concern about this vulnerability fix? Get an answer within seconds by asking our Concierge 🤖 with @amplify-security.
i.e. @amplify-security are there known performance issues resulting from this fix?

[amplify-local]

✨ Amplify has finished checking this pull request

⚠️ 2 issues detected in 📄 3 files and ❇️ 63 lines of code.

Security Pipeline

Tool	Configured	Result
Semgrep	✅	⚠️

Vulnerabilities Detected

Vulnerability	Path	Fingerprint
CWE-89	routes/search.ts:22	[eec4f3b0...]
CWE-89	routes/search.ts:22	[ed4aa726...]

Note

To ignore a finding, append @amplify-ignore in a comment to the end of the vulnerable line like // @amplify-ignore or # @amplify-ignore. For more details, visit Amplify Security.

[amplify-local]

Warning

Amplify has been notified that this line contains a vulnerability 🕷️.

Vulnerability: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Impact: HIGH

Code Fix: ✅

Amplify Security has prepared an automated remediation for review. Click here to review and commit the code fix.

Suggested change

	models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`)
	.then(([products]: any) => {
	models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE :criteria OR description LIKE :criteria) AND deletedAt IS NULL) ORDER BY name`, { replacements: { criteria: `%${criteria}%` }, type: models.sequelize.QueryTypes.SELECT })
	.then((products: any) => {

The code change fixes the SQL Injection vulnerability by using parameterized queries instead of directly concatenating user input into the SQL query string.

In the original code, the user input criteria is directly concatenated into the SQL query string using string interpolation (%${criteria}%). This allows an attacker to manipulate the criteria value and inject malicious SQL code, potentially leading to unauthorized access or data manipulation.

In the fixed code, the criteria value is passed as a parameter using the replacements option in the sequelize.query() method. The :criteria placeholder is used in the query string, and the actual value is provided in the replacements object ({ replacements: { criteria: %${criteria}% } }). This ensures that the user input is properly sanitized and treated as a parameter, preventing SQL injection attacks.

By using parameterized queries, the fixed code separates the SQL logic from the user input, making it safe from SQL injection vulnerabilities.

For more information on preventing SQL injection vulnerabilities, you can refer to the following documentation:

• OWASP SQL Injection Prevention Cheat Sheet
• Sequelize Querying - Raw Queries

Note

Have a question or concern about this vulnerability fix? Get an answer within seconds by asking our Concierge 🤖 with @amplify-security.
i.e. @amplify-security are there known performance issues resulting from this fix?

[amplify-local]

Warning

Amplify has been notified that this line contains a vulnerability 🕷️.

Vulnerability: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Impact: MEDIUM

Code Fix: ✅

Amplify Security has prepared an automated remediation for review. Click here to review and commit the code fix.

Suggested change

	models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`)
	.then(([products]: any) => {
	models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE ? OR description LIKE ?) AND deletedAt IS NULL) ORDER BY name`, {
	replacements: [`%${criteria}%`, `%${criteria}%`],
	type: models.sequelize.QueryTypes.SELECT
	})
	.then((products: any) => {

The code change fixes the 'Cross-site Scripting' vulnerability by properly neutralizing the input during web page generation.

In the original code, the criteria variable is directly concatenated into the SQL query string using string interpolation (%${criteria}%). This allows an attacker to inject malicious code into the query, leading to potential cross-site scripting attacks.

The code change replaces the string interpolation with parameterized queries. Instead of directly concatenating the criteria variable into the query string, placeholders (?) are used. The actual values for the placeholders are provided separately in the replacements option of the sequelize.query method. This ensures that the input is properly escaped and prevents any malicious code from being executed.

By using parameterized queries, the code change mitigates the 'Cross-site Scripting' vulnerability and improves the security of the application.

For more information on preventing SQL injection vulnerabilities, you can refer to the following documentation:

• OWASP SQL Injection Prevention Cheat Sheet
• Sequelize Querying - Raw Queries

Note

Have a question or concern about this vulnerability fix? Get an answer within seconds by asking our Concierge 🤖 with @amplify-security.
i.e. @amplify-security are there known performance issues resulting from this fix?