From f3248e70d60dc1eab4c98ba3e63a688a199d681a Mon Sep 17 00:00:00 2001
From: Michael Fox
Date: Wed, 28 Jun 2023 19:15:59 -0500
Subject: [PATCH 01/22] Added search query + introduced vulnerability
---
 routes/search.ts | 60 +++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 59 insertions(+), 1 deletion(-)
diff --git a/routes/search.ts b/routes/search.ts
index f831e4b3828..9306771b68c 100644
--- a/routes/search.ts
+++ b/routes/search.ts
@@ -2,14 +2,72 @@
 * Copyright (c) 2014-2023 Bjoern Kimminich & the OWASP Juice Shop contributors.
 * SPDX-License-Identifier: MIT
 */
+import models = require('../models/index')
 import { Request, Response, NextFunction } from 'express'
+import { UserModel } from '../models/user'
+
+import * as utils from '../lib/utils'
+const challengeUtils = require('../lib/challengeUtils')
+const challenges = require('../data/datacache').challenges
+
+class ErrorWithParent extends Error {
+ parent: Error | undefined
+}
 // vuln-code-snippet start unionSqlInjectionChallenge dbSchemaChallenge
 module.exports = function searchProducts() {
 return (req: Request, res: Response, next: NextFunction) => {
 let criteria: any = req.query.q === 'undefined' ? '' : req.query.q ?? ''
 criteria = (criteria.length <= 200) ? criteria : criteria.substring(0, 200)
- console.log(criteria)
+ models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`) // vuln-code-snippet vuln-line unionSqlInjectionChallenge dbSchemaChallenge
+ .then(([products]: any) => {
+ const dataString = JSON.stringify(products)
+ if (challengeUtils.notSolved(challenges.unionSqlInjectionChallenge)) { // vuln-code-snippet hide-start
+ let solved = true
+ UserModel.findAll().then(data => {
+ const users = utils.queryResultToJson(data)
+ if (users.data?.length) {
+ for (let i = 0; i < users.data.length; i++) {
+ solved = solved && utils.containsOrEscaped(dataString, users.data[i].email) && utils.contains(dataString, users.data[i].password)
+ if (!solved) {
+ break
+ }
+ }
+ if (solved) {
+ challengeUtils.solve(challenges.unionSqlInjectionChallenge)
+ }
+ }
+ }).catch((error: Error) => {
+ next(error)
+ })
+ }
+ if (challengeUtils.notSolved(challenges.dbSchemaChallenge)) {
+ let solved = true
+ models.sequelize.query('SELECT sql FROM sqlite_master').then(([data]: any) => {
+ const tableDefinitions = utils.queryResultToJson(data)
+ if 
(tableDefinitions.data?.length) {
+ for (let i = 0; i < tableDefinitions.data.length; i++) {
+ if (tableDefinitions.data[i].sql) {
+ solved = solved && utils.containsOrEscaped(dataString, tableDefinitions.data[i].sql)
+ if (!solved) {
+ break
+ }
+ }
+ }
+ if (solved) {
+ challengeUtils.solve(challenges.dbSchemaChallenge)
+ }
+ }
+ })
+ } // vuln-code-snippet hide-end
+ for (let i = 0; i < products.length; i++) {
+ products[i].name = req.__(products[i].name)
+ products[i].description = req.__(products[i].description)
+ }
+ res.json(utils.queryResultToJson(products))
+ }).catch((error: ErrorWithParent) => {
+ next(error.parent)
+ })
+ }
+}
+// vuln-code-snippet end unionSqlInjectionChallenge dbSchemaChallenge
From b0ada84a4cbdb0e003ca9dfe223452f502908cbd Mon Sep 17 00:00:00 2001
From: "amplify-local[bot]" <132378550+amplify-local[bot]@users.noreply.github.com>
Date: Tue, 2 Jan 2024 23:10:53 +0000
Subject: [PATCH 02/22] Amplify Security - Code fix for CWE-89 accepted
---
 routes/search.ts | 74 +----------------------------------------------
 1 file changed, 1 insertion(+), 73 deletions(-)
diff --git a/routes/search.ts b/routes/search.ts
index 9306771b68c..7f12e422e7a 100644
--- a/routes/search.ts
+++ b/routes/search.ts
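Review bot: The `models.sequelize.query('SELECT sql FROM sqlite_master').then(...)` chain in the dbSchemaChallenge branch has no `.catch`, while the `UserModel.findAll()` chain beside it forwards rejections with `next(error)`, so a failure there becomes an unhandled promise rejection instead of an error response; mirroring the sibling with `}).catch((error: Error) => { next(error) })` closes that gap. Separately, the outer `.catch((error: ErrorWithParent) => { next(error.parent) })` passes `undefined` to `next` whenever the rejection is not a Sequelize error carrying a `parent`, and Express treats a falsy `next` argument as "no error, continue", which silently drops the failure; `next(error.parent ?? error)` keeps the current behaviour for database errors and still reports everything else. The string-interpolated `criteria` in the Products query is, per the commit subject, the intentionally introduced injection point, so I am not re-raising it here. The revert patches 03, 05, 07, 09, 11 and 13 re-add this same code verbatim, so both points above apply to them as well.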
@@ -1,73 +1 @@
-/*
- * Copyright (c) 2014-2023 Bjoern Kimminich & the OWASP Juice Shop contributors.
- * SPDX-License-Identifier: MIT
- */
-import models = require('../models/index')
-import { Request, Response, NextFunction } from 'express'
-import { UserModel } from '../models/user'
-
-import * as utils from '../lib/utils'
-const challengeUtils = require('../lib/challengeUtils')
-const challenges = require('../data/datacache').challenges
-
-class ErrorWithParent extends Error {
- parent: Error | undefined
-}
-
-// vuln-code-snippet start unionSqlInjectionChallenge dbSchemaChallenge
-module.exports = function searchProducts() {
- return (req: Request, res: Response, next: NextFunction) => {
- let criteria: any = req.query.q === 'undefined' ? '' : req.query.q ?? ''
- criteria = (criteria.length <= 200) ? criteria : criteria.substring(0, 200)
- models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`) // vuln-code-snippet vuln-line unionSqlInjectionChallenge dbSchemaChallenge
- .then(([products]: any) => {
- const dataString = JSON.stringify(products)
- if (challengeUtils.notSolved(challenges.unionSqlInjectionChallenge)) { // vuln-code-snippet hide-start
- let solved = true
- UserModel.findAll().then(data => {
- const users = utils.queryResultToJson(data)
- if (users.data?.length) {
- for (let i = 0; i < users.data.length; i++) {
- solved = solved && utils.containsOrEscaped(dataString, users.data[i].email) && utils.contains(dataString, users.data[i].password)
- if (!solved) {
- break
- }
- }
- if (solved) {
- challengeUtils.solve(challenges.unionSqlInjectionChallenge)
- }
- }
- }).catch((error: Error) => {
- next(error)
- })
- }
- if (challengeUtils.notSolved(challenges.dbSchemaChallenge)) {
- let solved = true
- models.sequelize.query('SELECT sql FROM sqlite_master').then(([data]: any) => {
- const tableDefinitions = utils.queryResultToJson(data)
- if 
(tableDefinitions.data?.length) {
- for (let i = 0; i < tableDefinitions.data.length; i++) {
- if (tableDefinitions.data[i].sql) {
- solved = solved && utils.containsOrEscaped(dataString, tableDefinitions.data[i].sql)
- if (!solved) {
- break
- }
- }
- }
- if (solved) {
- challengeUtils.solve(challenges.dbSchemaChallenge)
- }
- }
- })
- } // vuln-code-snippet hide-end
- for (let i = 0; i < products.length; i++) {
- products[i].name = req.__(products[i].name)
- products[i].description = req.__(products[i].description)
- }
- res.json(utils.queryResultToJson(products))
- }).catch((error: ErrorWithParent) => {
- next(error.parent)
- })
- }
-}
-// vuln-code-snippet end unionSqlInjectionChallenge dbSchemaChallenge 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
\ No newline at end of file
From 4a425aa61fbe0cdca389ac6fec927a2e1d450973 Mon Sep 17 00:00:00 2001
From: Michael Fox
Date: Tue, 2 Jan 2024 17:15:39 -0600
Subject: [PATCH 03/22] Revert "Amplify Security - Code fix for CWE-89 accepted"
This reverts commit b0ada84a4cbdb0e003ca9dfe223452f502908cbd.
---
 routes/search.ts | 74 +++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 73 insertions(+), 1 deletion(-)
diff --git a/routes/search.ts b/routes/search.ts
index 7f12e422e7a..9306771b68c 100644
--- a/routes/search.ts
+++ b/routes/search.ts
@@ -1 +1,73 @@
-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
\ No newline at end of file
+/*
+ * Copyright (c) 2014-2023 Bjoern Kimminich & the OWASP Juice Shop contributors.
+ * SPDX-License-Identifier: MIT
+ */
+import models = require('../models/index')
+import { Request, Response, NextFunction } from 'express'
+import { UserModel } from '../models/user'
+
+import * as utils from '../lib/utils'
+const challengeUtils = require('../lib/challengeUtils')
+const challenges = require('../data/datacache').challenges
+
+class ErrorWithParent extends Error {
+ parent: Error | undefined
+}
+
+// vuln-code-snippet start unionSqlInjectionChallenge dbSchemaChallenge
+module.exports = function searchProducts() {
+ return (req: Request, res: Response, next: NextFunction) => {
+ let criteria: any = req.query.q === 'undefined' ? '' : req.query.q ?? ''
+ criteria = (criteria.length <= 200) ? criteria : criteria.substring(0, 200)
+ models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`) // vuln-code-snippet vuln-line unionSqlInjectionChallenge dbSchemaChallenge
+ .then(([products]: any) => {
+ const dataString = JSON.stringify(products)
+ if (challengeUtils.notSolved(challenges.unionSqlInjectionChallenge)) { // vuln-code-snippet hide-start
+ let solved = true
+ UserModel.findAll().then(data => {
+ const users = utils.queryResultToJson(data)
+ if (users.data?.length) {
+ for (let i = 0; i < users.data.length; i++) {
+ solved = solved && utils.containsOrEscaped(dataString, users.data[i].email) && utils.contains(dataString, users.data[i].password)
+ if (!solved) {
+ break
+ }
+ }
+ if (solved) {
+ challengeUtils.solve(challenges.unionSqlInjectionChallenge)
+ }
+ }
+ }).catch((error: Error) => {
+ next(error)
+ })
+ }
+ if (challengeUtils.notSolved(challenges.dbSchemaChallenge)) {
+ let solved = true
+ models.sequelize.query('SELECT sql FROM sqlite_master').then(([data]: any) 
=> {
+ const tableDefinitions = utils.queryResultToJson(data)
+ if (tableDefinitions.data?.length) {
+ for (let i = 0; i < tableDefinitions.data.length; i++) {
+ if (tableDefinitions.data[i].sql) {
+ solved = solved && utils.containsOrEscaped(dataString, tableDefinitions.data[i].sql)
+ if (!solved) {
+ break
+ }
+ }
+ }
+ if (solved) {
+ challengeUtils.solve(challenges.dbSchemaChallenge)
+ }
+ }
+ })
+ } // vuln-code-snippet hide-end
+ for (let i = 0; i < products.length; i++) {
+ products[i].name = req.__(products[i].name)
+ products[i].description = req.__(products[i].description)
+ }
+ res.json(utils.queryResultToJson(products))
+ }).catch((error: ErrorWithParent) => {
+ next(error.parent)
+ })
+ }
+}
+// vuln-code-snippet end unionSqlInjectionChallenge dbSchemaChallenge
From 1d3a90a6b7f903ecb413bdbff8b470609ade16ae Mon Sep 17 00:00:00 2001
From: "amplify-local[bot]" <132378550+amplify-local[bot]@users.noreply.github.com>
Date: Wed, 3 Jan 2024 17:48:28 +0000
Subject: [PATCH 04/22] Amplify Security - Code fix for CWE-89 accepted
---
 routes/search.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/routes/search.ts b/routes/search.ts
index 9306771b68c..cf3d568f55d 100644
--- a/routes/search.ts
+++ b/routes/search.ts
@@ -19,8 +19,8 @@ module.exports = function searchProducts() {
 return (req: Request, res: Response, next: NextFunction) => {
 let criteria: any = req.query.q === 'undefined' ? '' : req.query.q ?? ''
 criteria = (criteria.length <= 200) ? criteria : criteria.substring(0, 200)
- models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`) // vuln-code-snippet vuln-line unionSqlInjectionChallenge dbSchemaChallenge
- .then(([products]: any) => {
+ models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE :criteria OR description LIKE :criteria) AND deletedAt IS NULL) ORDER BY name`, { replacements: { criteria: `%${criteria}%` }, type: models.sequelize.QueryTypes.SELECT }) // vuln-code-snippet vuln-line unionSqlInjectionChallenge dbSchemaChallenge
+ .then((products: any) => {
 const dataString = JSON.stringify(products)
 if (challengeUtils.notSolved(challenges.unionSqlInjectionChallenge)) { // vuln-code-snippet hide-start
 let solved = true
From f827337ddc0926d382041a2b18be429cd9e2c87b Mon Sep 17 00:00:00 2001
From: Michael Fox
Date: Wed, 3 Jan 2024 12:05:23 -0600
Subject: [PATCH 05/22] Revert "Amplify Security - Code fix for CWE-89 accepted"
This reverts commit 1d3a90a6b7f903ecb413bdbff8b470609ade16ae.
---
 routes/search.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/routes/search.ts b/routes/search.ts
index cf3d568f55d..9306771b68c 100644
--- a/routes/search.ts
+++ b/routes/search.ts
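Review bot: The trailing `// vuln-code-snippet vuln-line unionSqlInjectionChallenge dbSchemaChallenge` marker is kept on the rewritten query line even though, with `criteria` now passed through `replacements`, the line no longer contains the injection the marker tags; either drop the marker or replace it with a comment stating that the two challenges are intentionally disabled by this change. The replacement value `%${criteria}%` still lets `%` and `_` inside `criteria` act as LIKE wildcards, which is not injection but widens matches beyond the literal search term, so a one-line comment saying that is accepted would help the next reader. The switch to `type: models.sequelize.QueryTypes.SELECT` is what makes `.then((products: any) =>` correct in place of the earlier `([products]: any)` destructuring, and that pairing should stay together if either line is touched again. The identical hunk recurs in patches 06, 08 and 12, and patch 10 makes the equivalent change with positional `?` replacements; the points above apply to all of them.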
@@ -19,8 +19,8 @@ module.exports = function searchProducts() {
 return (req: Request, res: Response, next: NextFunction) => {
 let criteria: any = req.query.q === 'undefined' ? '' : req.query.q ?? ''
 criteria = (criteria.length <= 200) ? criteria : criteria.substring(0, 200)
- models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE :criteria OR description LIKE :criteria) AND deletedAt IS NULL) ORDER BY name`, { replacements: { criteria: `%${criteria}%` }, type: models.sequelize.QueryTypes.SELECT }) // vuln-code-snippet vuln-line unionSqlInjectionChallenge dbSchemaChallenge
- .then((products: any) => {
+ models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`) // vuln-code-snippet vuln-line unionSqlInjectionChallenge dbSchemaChallenge
+ .then(([products]: any) => {
 const dataString = JSON.stringify(products)
 if (challengeUtils.notSolved(challenges.unionSqlInjectionChallenge)) { // vuln-code-snippet hide-start
 let solved = true
From 6a6776654db7e08260e118400356cd7fa88d9206 Mon Sep 17 00:00:00 2001
From: "amplify-local[bot]" <132378550+amplify-local[bot]@users.noreply.github.com>
Date: Wed, 3 Jan 2024 18:13:03 +0000
Subject: [PATCH 06/22] Amplify Security - Code fix for CWE-89 accepted
---
 routes/search.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/routes/search.ts b/routes/search.ts
index 9306771b68c..cf3d568f55d 100644
--- a/routes/search.ts
+++ b/routes/search.ts
@@ -19,8 +19,8 @@ module.exports = function searchProducts() {
 return (req: Request, res: Response, next: NextFunction) => {
 let criteria: any = req.query.q === 'undefined' ? '' : req.query.q ?? ''
 criteria = (criteria.length <= 200) ? criteria : criteria.substring(0, 200)
- models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`) // vuln-code-snippet vuln-line unionSqlInjectionChallenge dbSchemaChallenge
- .then(([products]: any) => {
+ models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE :criteria OR description LIKE :criteria) AND deletedAt IS NULL) ORDER BY name`, { replacements: { criteria: `%${criteria}%` }, type: models.sequelize.QueryTypes.SELECT }) // vuln-code-snippet vuln-line unionSqlInjectionChallenge dbSchemaChallenge
+ .then((products: any) => {
 const dataString = JSON.stringify(products)
 if (challengeUtils.notSolved(challenges.unionSqlInjectionChallenge)) { // vuln-code-snippet hide-start
 let solved = true
From c4576246e29c15f5097d946cd077106fe7a6f174 Mon Sep 17 00:00:00 2001
From: Michael Fox
Date: Wed, 3 Jan 2024 12:15:33 -0600
Subject: [PATCH 07/22] Revert "Amplify Security - Code fix for CWE-89 accepted"
This reverts commit 6a6776654db7e08260e118400356cd7fa88d9206.
---
 routes/search.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/routes/search.ts b/routes/search.ts
index cf3d568f55d..9306771b68c 100644
--- a/routes/search.ts
+++ b/routes/search.ts
@@ -19,8 +19,8 @@ module.exports = function searchProducts() {
 return (req: Request, res: Response, next: NextFunction) => {
 let criteria: any = req.query.q === 'undefined' ? '' : req.query.q ?? ''
 criteria = (criteria.length <= 200) ? criteria : criteria.substring(0, 200)
- models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE :criteria OR description LIKE :criteria) AND deletedAt IS NULL) ORDER BY name`, { replacements: { criteria: `%${criteria}%` }, type: models.sequelize.QueryTypes.SELECT }) // vuln-code-snippet vuln-line unionSqlInjectionChallenge dbSchemaChallenge
- .then((products: any) => {
+ models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`) // vuln-code-snippet vuln-line unionSqlInjectionChallenge dbSchemaChallenge
+ .then(([products]: any) => {
 const dataString = JSON.stringify(products)
 if (challengeUtils.notSolved(challenges.unionSqlInjectionChallenge)) { // vuln-code-snippet hide-start
 let solved = true
From 6f8b7a8db6e0cc32c04a2b57b40c8bb45e0a1dc1 Mon Sep 17 00:00:00 2001
From: "amplify-local[bot]" <132378550+amplify-local[bot]@users.noreply.github.com>
Date: Wed, 3 Jan 2024 18:24:12 +0000
Subject: [PATCH 08/22] Amplify Security - Code fix for CWE-89 accepted
---
 routes/search.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/routes/search.ts b/routes/search.ts
index 9306771b68c..cf3d568f55d 100644
--- a/routes/search.ts
+++ b/routes/search.ts
@@ -19,8 +19,8 @@ module.exports = function searchProducts() {
 return (req: Request, res: Response, next: NextFunction) => {
 let criteria: any = req.query.q === 'undefined' ? '' : req.query.q ?? ''
 criteria = (criteria.length <= 200) ? criteria : criteria.substring(0, 200)
- models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`) // vuln-code-snippet vuln-line unionSqlInjectionChallenge dbSchemaChallenge
- .then(([products]: any) => {
+ models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE :criteria OR description LIKE :criteria) AND deletedAt IS NULL) ORDER BY name`, { replacements: { criteria: `%${criteria}%` }, type: models.sequelize.QueryTypes.SELECT }) // vuln-code-snippet vuln-line unionSqlInjectionChallenge dbSchemaChallenge
+ .then((products: any) => {
 const dataString = JSON.stringify(products)
 if (challengeUtils.notSolved(challenges.unionSqlInjectionChallenge)) { // vuln-code-snippet hide-start
 let solved = true
From 85f1b5170a30b35f57301f55ef05268538a367d8 Mon Sep 17 00:00:00 2001
From: Michael Fox
Date: Wed, 3 Jan 2024 12:25:11 -0600
Subject: [PATCH 09/22] Revert "Amplify Security - Code fix for CWE-89 accepted"
This reverts commit 6f8b7a8db6e0cc32c04a2b57b40c8bb45e0a1dc1.
---
 routes/search.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/routes/search.ts b/routes/search.ts
index cf3d568f55d..9306771b68c 100644
--- a/routes/search.ts
+++ b/routes/search.ts
@@ -19,8 +19,8 @@ module.exports = function searchProducts() {
 return (req: Request, res: Response, next: NextFunction) => {
 let criteria: any = req.query.q === 'undefined' ? '' : req.query.q ?? ''
 criteria = (criteria.length <= 200) ? criteria : criteria.substring(0, 200)
- models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE :criteria OR description LIKE :criteria) AND deletedAt IS NULL) ORDER BY name`, { replacements: { criteria: `%${criteria}%` }, type: models.sequelize.QueryTypes.SELECT }) // vuln-code-snippet vuln-line unionSqlInjectionChallenge dbSchemaChallenge
- .then((products: any) => {
+ models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`) // vuln-code-snippet vuln-line unionSqlInjectionChallenge dbSchemaChallenge
+ .then(([products]: any) => {
 const dataString = JSON.stringify(products)
 if (challengeUtils.notSolved(challenges.unionSqlInjectionChallenge)) { // vuln-code-snippet hide-start
 let solved = true
From f05622b933cb730a06f21a0a0a9f0866e530c1a3 Mon Sep 17 00:00:00 2001
From: "amplify-local[bot]" <132378550+amplify-local[bot]@users.noreply.github.com>
Date: Mon, 15 Jan 2024 20:16:34 +0000
Subject: [PATCH 10/22] Amplify Security - Code fix for CWE-89 accepted
---
 routes/search.ts | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/routes/search.ts b/routes/search.ts
index 9306771b68c..687bcb6a2c2 100644
--- a/routes/search.ts
+++ b/routes/search.ts
@@ -19,8 +19,12 @@ module.exports = function searchProducts() {
 return (req: Request, res: Response, next: NextFunction) => {
 let criteria: any = req.query.q === 'undefined' ? '' : req.query.q ?? ''
 criteria = (criteria.length <= 200) ? criteria : criteria.substring(0, 200)
- models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`) // vuln-code-snippet vuln-line unionSqlInjectionChallenge dbSchemaChallenge
- .then(([products]: any) => {
+
+ models.sequelize.query('SELECT * FROM Products WHERE ((name LIKE ? OR description LIKE ?) AND deletedAt IS NULL) ORDER BY name', {
+ replacements: [`%${criteria}%`, `%${criteria}%`],
+ type: models.sequelize.QueryTypes.SELECT
+ }) // vuln-code-snippet vuln-line unionSqlInjectionChallenge dbSchemaChallenge
+ .then((products: any) => {
 const dataString = JSON.stringify(products)
 if (challengeUtils.notSolved(challenges.unionSqlInjectionChallenge)) { // vuln-code-snippet hide-start
 let solved = true
From 7fd60f2f37acef252f9f8308184257217bfd496e Mon Sep 17 00:00:00 2001
From: Michael Fox
Date: Mon, 15 Jan 2024 16:15:23 -0600
Subject: [PATCH 11/22] Revert "Amplify Security - Code fix for CWE-89 accepted"
This reverts commit f05622b933cb730a06f21a0a0a9f0866e530c1a3.
---
 routes/search.ts | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/routes/search.ts b/routes/search.ts
index 687bcb6a2c2..9306771b68c 100644
--- a/routes/search.ts
+++ b/routes/search.ts
@@ -19,12 +19,8 @@ module.exports = function searchProducts() {
 return (req: Request, res: Response, next: NextFunction) => {
 let criteria: any = req.query.q === 'undefined' ? '' : req.query.q ?? ''
 criteria = (criteria.length <= 200) ? criteria : criteria.substring(0, 200)
-
- models.sequelize.query('SELECT * FROM Products WHERE ((name LIKE ? OR description LIKE ?) AND deletedAt IS NULL) ORDER BY name', {
- replacements: [`%${criteria}%`, `%${criteria}%`],
- type: models.sequelize.QueryTypes.SELECT
- }) // vuln-code-snippet vuln-line unionSqlInjectionChallenge dbSchemaChallenge
- .then((products: any) => {
+ models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`) // vuln-code-snippet vuln-line unionSqlInjectionChallenge dbSchemaChallenge
+ .then(([products]: any) => {
 const dataString = JSON.stringify(products)
 if (challengeUtils.notSolved(challenges.unionSqlInjectionChallenge)) { // vuln-code-snippet hide-start
 let solved = true
From 772251a0bc5d9d8022f324b5bdb9c9ff20c50a08 Mon Sep 17 00:00:00 2001
From: "amplify-local[bot]" <132378550+amplify-local[bot]@users.noreply.github.com>
Date: Thu, 14 Mar 2024 15:54:21 +0000
Subject: [PATCH 12/22] Amplify Security - Code fix for CWE-89 accepted
---
 routes/search.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/routes/search.ts b/routes/search.ts
index 9306771b68c..cf3d568f55d 100644
--- a/routes/search.ts
+++ b/routes/search.ts
@@ -19,8 +19,8 @@ module.exports = function searchProducts() {
 return (req: Request, res: Response, next: NextFunction) => {
 let criteria: any = req.query.q === 'undefined' ? '' : req.query.q ?? ''
 criteria = (criteria.length <= 200) ? criteria : criteria.substring(0, 200)
- models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`) // vuln-code-snippet vuln-line unionSqlInjectionChallenge dbSchemaChallenge
- .then(([products]: any) => {
+ models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE :criteria OR description LIKE :criteria) AND deletedAt IS NULL) ORDER BY name`, { replacements: { criteria: `%${criteria}%` }, type: models.sequelize.QueryTypes.SELECT }) // vuln-code-snippet vuln-line unionSqlInjectionChallenge dbSchemaChallenge
+ .then((products: any) => {
 const dataString = JSON.stringify(products)
 if (challengeUtils.notSolved(challenges.unionSqlInjectionChallenge)) { // vuln-code-snippet hide-start
 let solved = true
From 8d5643d5ad973581b367b1dcd8eb9623224b7c33 Mon Sep 17 00:00:00 2001
From: Michael Fox
Date: Thu, 14 Mar 2024 18:21:31 -0500
Subject: [PATCH 13/22] Revert "Amplify Security - Code fix for CWE-89 accepted"
This reverts commit 772251a0bc5d9d8022f324b5bdb9c9ff20c50a08.
---
 routes/search.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/routes/search.ts b/routes/search.ts
index cf3d568f55d..9306771b68c 100644
--- a/routes/search.ts
+++ b/routes/search.ts
@@ -19,8 +19,8 @@ module.exports = function searchProducts() {
 return (req: Request, res: Response, next: NextFunction) => {
 let criteria: any = req.query.q === 'undefined' ? '' : req.query.q ?? ''
 criteria = (criteria.length <= 200) ? criteria : criteria.substring(0, 200)
- models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE :criteria OR description LIKE :criteria) AND deletedAt IS NULL) ORDER BY name`, { replacements: { criteria: `%${criteria}%` }, type: models.sequelize.QueryTypes.SELECT }) // vuln-code-snippet vuln-line unionSqlInjectionChallenge dbSchemaChallenge
- .then((products: any) => {
+ models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`) // vuln-code-snippet vuln-line unionSqlInjectionChallenge dbSchemaChallenge
+ .then(([products]: any) => {
 const dataString = JSON.stringify(products)
 if (challengeUtils.notSolved(challenges.unionSqlInjectionChallenge)) { // vuln-code-snippet hide-start
 let solved = true
From a814a3f9d4673d44ebae33983eec3e656b65d210 Mon Sep 17 00:00:00 2001
From: Michael Fox
Date: Thu, 28 Mar 2024 12:19:44 -0500
Subject: [PATCH 14/22] Ignored CWE-89 vuln
---
 routes/search.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/routes/search.ts b/routes/search.ts
index 9306771b68c..cbdc39c6f3a 100644
--- a/routes/search.ts
+++ b/routes/search.ts
@@ -19,7 +19,7 @@ module.exports = function searchProducts() {
 return (req: Request, res: Response, next: NextFunction) => {
 let criteria: any = req.query.q === 'undefined' ? '' : req.query.q ?? ''
 criteria = (criteria.length <= 200) ? criteria : criteria.substring(0, 200)
- models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`) // vuln-code-snippet vuln-line unionSqlInjectionChallenge dbSchemaChallenge
+ models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`) // @amplify-ignore
 .then(([products]: any) => {
 const dataString = JSON.stringify(products)
 if (challengeUtils.notSolved(challenges.unionSqlInjectionChallenge)) { // vuln-code-snippet hide-start
From 253044a2f034605978930887bcf85729451346ec Mon Sep 17 00:00:00 2001
From: Michael Fox
Date: Thu, 28 Mar 2024 13:04:29 -0500
Subject: [PATCH 15/22] Removed CWE-89 ignore comment
---
 routes/search.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/routes/search.ts b/routes/search.ts
index cbdc39c6f3a..ded568c390e 100644
--- a/routes/search.ts
+++ b/routes/search.ts
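Review bot: The `// @amplify-ignore` added on the query line suppresses the scanner finding without recording why, so a later reader cannot tell a deliberate training vulnerability from an overlooked one; a short reason next to the marker, in whatever form the tool tolerates, e.g. `// @amplify-ignore intentional: unionSqlInjectionChallenge/dbSchemaChallenge training vulnerability`, keeps the suppression reviewable. The change also replaces the `// vuln-code-snippet vuln-line unionSqlInjectionChallenge dbSchemaChallenge` marker instead of appending to it, so that tag is lost from the line while the interpolated query itself is unchanged. The same marker is added again in patches 16 and 21 and removed in patches 15, 17 and 22; whichever state ends up final should carry the justification.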
@@ -19,7 +19,7 @@ module.exports = function searchProducts() {
 return (req: Request, res: Response, next: NextFunction) => {
 let criteria: any = req.query.q === 'undefined' ? '' : req.query.q ?? ''
 criteria = (criteria.length <= 200) ? criteria : criteria.substring(0, 200)
- models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`) // @amplify-ignore
+ models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`)
 .then(([products]: any) => {
 const dataString = JSON.stringify(products)
 if (challengeUtils.notSolved(challenges.unionSqlInjectionChallenge)) { // vuln-code-snippet hide-start
From 9037f1a3fa46d1da9d424a2eade5d4c57b47bfc9 Mon Sep 17 00:00:00 2001
From: Michael Fox
Date: Tue, 2 Apr 2024 13:54:41 -0500
Subject: [PATCH 16/22] Ignored SQL injection
---
 routes/search.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/routes/search.ts b/routes/search.ts
index ded568c390e..cbdc39c6f3a 100644
--- a/routes/search.ts
+++ b/routes/search.ts
@@ -19,7 +19,7 @@ module.exports = function searchProducts() {
 return (req: Request, res: Response, next: NextFunction) => {
 let criteria: any = req.query.q === 'undefined' ? '' : req.query.q ?? ''
 criteria = (criteria.length <= 200) ? criteria : criteria.substring(0, 200)
- models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`)
+ models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`) // @amplify-ignore
 .then(([products]: any) => {
 const dataString = JSON.stringify(products)
 if (challengeUtils.notSolved(challenges.unionSqlInjectionChallenge)) { // vuln-code-snippet hide-start
From 218b1846b769869e19aa8340df5eaf3817ba6a1f Mon Sep 17 00:00:00 2001
From: Michael Fox
Date: Tue, 2 Apr 2024 13:57:28 -0500
Subject: [PATCH 17/22] Removed ignore on vulnerable SQL injection
---
 routes/search.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/routes/search.ts b/routes/search.ts
index cbdc39c6f3a..ded568c390e 100644
--- a/routes/search.ts
+++ b/routes/search.ts
@@ -19,7 +19,7 @@ module.exports = function searchProducts() {
 return (req: Request, res: Response, next: NextFunction) => {
 let criteria: any = req.query.q === 'undefined' ? '' : req.query.q ?? ''
 criteria = (criteria.length <= 200) ? criteria : criteria.substring(0, 200)
- models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`) // @amplify-ignore
+ models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`)
 .then(([products]: any) => {
 const dataString = JSON.stringify(products)
 if (challengeUtils.notSolved(challenges.unionSqlInjectionChallenge)) { // vuln-code-snippet hide-start
From b47abed9c39fd873c5604e7d50d189e514496831 Mon Sep 17 00:00:00 2001
From: Michael Fox
Date: Thu, 25 Apr 2024 10:44:23 -0500
Subject: [PATCH 18/22] Updated Gruntfile.js
---
 Gruntfile.js | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/Gruntfile.js b/Gruntfile.js
index a6b6bcac0ce..1005f5e5167 100644
--- a/Gruntfile.js
+++ b/Gruntfile.js
@@ -84,3 +84,5 @@ module.exports = function (grunt) {
 grunt.loadNpmTasks('grunt-contrib-compress')
 grunt.registerTask('package', ['replace_json:manifest', 'compress:pckg', 'checksum'])
 }
+
+// Gruntfile.js
From f1b856f62cae3e2f26990eb745044e9b9580ba6b Mon Sep 17 00:00:00 2001
From: Michael Fox
Date: Thu, 9 May 2024 16:51:41 -0500
Subject: [PATCH 19/22] Added .amplifyignore
---
 .amplifyignore | 1 +
 1 file changed, 1 insertion(+)
create mode 100644 .amplifyignore
diff --git a/.amplifyignore b/.amplifyignore
new file mode 100644
index 00000000000..6a1e48ad452
--- /dev/null
+++ b/.amplifyignore
@@ -0,0 +1 @@
+routes/*.ts
From 0cff134ba7d6384fb2c84611796e1679391556e4 Mon Sep 17 00:00:00 2001
From: Michael Fox
Date: Thu, 9 May 2024 17:03:57 -0500
Subject: [PATCH 20/22] updated .amplifyignore
---
 .amplifyignore | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.amplifyignore b/.amplifyignore
index 6a1e48ad452..90659d69755 100644
--- a/.amplifyignore
+++ b/.amplifyignore
@@ -1 +1 @@
-routes/*.ts
+routes/*.js
From 41c57bbc107a76dcb03f6411297f37f9e28b8284 Mon Sep 17 00:00:00 2001
From: Michael Fox
Date: Thu, 23 May 2024 13:43:20 -0500
Subject: [PATCH 21/22] ignoring SQL injection
---
 routes/search.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/routes/search.ts b/routes/search.ts
index ded568c390e..cbdc39c6f3a 100644
--- a/routes/search.ts
+++ b/routes/search.ts
@@ -19,7 +19,7 @@ module.exports = function searchProducts() {
 return (req: Request, res: Response, next: NextFunction) => {
 let criteria: any = req.query.q === 'undefined' ? '' : req.query.q ?? ''
 criteria = (criteria.length <= 200) ? criteria : criteria.substring(0, 200)
- models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`)
+ models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`) // @amplify-ignore
 .then(([products]: any) => {
 const dataString = JSON.stringify(products)
 if (challengeUtils.notSolved(challenges.unionSqlInjectionChallenge)) { // vuln-code-snippet hide-start
From 8b20ccbab74ac108eb4aa41c826d81ba6264ea9a Mon Sep 17 00:00:00 2001
From: Michael Fox
Date: Thu, 23 May 2024 14:02:45 -0500
Subject: [PATCH 22/22] removing vuln ignore
---
 routes/search.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
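Review bot: The ignore pattern `routes/*.ts` added in the new `.amplifyignore` (and its replacement `routes/*.js` in patch 20) excludes every route handler from the scanner, not only the search handler this series is exercising, so findings in any other route are silenced along with it; a path-specific entry such as `routes/search.ts` limits the suppression to the file that is intentionally vulnerable. Whether the scanner runs on the TypeScript sources or on compiled `.js` output is not visible here, so which of the two spellings actually takes effect should be confirmed rather than assumed from the patch subjects. A one-line comment in the ignore file stating the reason for the exclusion would make the intent clear to whoever maintains it next.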
diff --git a/routes/search.ts b/routes/search.ts
index cbdc39c6f3a..ded568c390e 100644
--- a/routes/search.ts
+++ b/routes/search.ts
@@ -19,7 +19,7 @@ module.exports = function searchProducts() {
 return (req: Request, res: Response, next: NextFunction) => {
 let criteria: any = req.query.q === 'undefined' ? '' : req.query.q ?? ''
 criteria = (criteria.length <= 200) ? criteria : criteria.substring(0, 200)
- models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`) // @amplify-ignore
+ models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`)
 .then(([products]: any) => {
 const dataString = JSON.stringify(products)
 if (challengeUtils.notSolved(challenges.unionSqlInjectionChallenge)) { // vuln-code-snippet hide-start