Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Lab] Tested with new Amplify workflow #156

Closed
wants to merge 23 commits into from
Closed

[Lab] Tested with new Amplify workflow #156

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
23 commits
Select commit Hold shift + click to select a range
f3248e7
Added search query + introduced vulnerability
mwillfox Jun 29, 2023
b0ada84
Amplify Security - Code fix for CWE-89 accepted
amplify-local[bot] Jan 2, 2024
4a425aa
Revert "Amplify Security - Code fix for CWE-89 accepted"
mwillfox Jan 2, 2024
1d3a90a
Amplify Security - Code fix for CWE-89 accepted
amplify-local[bot] Jan 3, 2024
f827337
Revert "Amplify Security - Code fix for CWE-89 accepted"
mwillfox Jan 3, 2024
6a67766
Amplify Security - Code fix for CWE-89 accepted
amplify-local[bot] Jan 3, 2024
c457624
Revert "Amplify Security - Code fix for CWE-89 accepted"
mwillfox Jan 3, 2024
6f8b7a8
Amplify Security - Code fix for CWE-89 accepted
amplify-local[bot] Jan 3, 2024
85f1b51
Revert "Amplify Security - Code fix for CWE-89 accepted"
mwillfox Jan 3, 2024
f05622b
Amplify Security - Code fix for CWE-89 accepted
amplify-local[bot] Jan 15, 2024
7fd60f2
Revert "Amplify Security - Code fix for CWE-89 accepted"
mwillfox Jan 15, 2024
772251a
Amplify Security - Code fix for CWE-89 accepted
amplify-local[bot] Mar 14, 2024
8d5643d
Revert "Amplify Security - Code fix for CWE-89 accepted"
mwillfox Mar 14, 2024
a814a3f
Ignored CWE-89 vuln
mwillfox Mar 28, 2024
253044a
Removed CWE-89 ignore comment
mwillfox Mar 28, 2024
9037f1a
Ignored SQL injection
mwillfox Apr 2, 2024
218b184
Removed ignore on vulnerable SQL injection
mwillfox Apr 2, 2024
b47abed
Updated Gruntfile.js
mwillfox Apr 25, 2024
f1b856f
Added .amplifyignore
mwillfox May 9, 2024
0cff134
updated .amplifyignore
mwillfox May 9, 2024
41c57bb
ignoring SQL injection
mwillfox May 23, 2024
8b20ccb
removing vuln ignore
mwillfox May 23, 2024
a549ac1
Merge branch 'master' into vulnerable-branch
mwillfox Aug 7, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions .amplifyignore
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
routes/*.js
2 changes: 2 additions & 0 deletions Gruntfile.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -84,3 +84,5 @@ module.exports = function (grunt) {
grunt.loadNpmTasks('grunt-contrib-compress')
grunt.registerTask('package', ['replace_json:manifest', 'compress:pckg', 'checksum'])
}

// Gruntfile.js
60 changes: 59 additions & 1 deletion routes/search.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,14 +2,72 @@
* Copyright (c) 2014-2023 Bjoern Kimminich & the OWASP Juice Shop contributors.
* SPDX-License-Identifier: MIT
*/
import models = require('../models/index')
import { Request, Response, NextFunction } from 'express'
import { UserModel } from '../models/user'

import * as utils from '../lib/utils'
const challengeUtils = require('../lib/challengeUtils')
const challenges = require('../data/datacache').challenges

class ErrorWithParent extends Error {
parent: Error | undefined
}

// vuln-code-snippet start unionSqlInjectionChallenge dbSchemaChallenge
module.exports = function searchProducts() {
return (req: Request, res: Response, next: NextFunction) => {
let criteria: any = req.query.q === 'undefined' ? '' : req.query.q ?? ''
criteria = (criteria.length <= 200) ? criteria : criteria.substring(0, 200)
console.log(criteria)
models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`)
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Warning

Amplify has been notified that this line contains a vulnerability 🕷️.

Vulnerability: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Impact: HIGH

Code Fix: ✅

Amplify Security has prepared an automated remediation for review. Click here to review and commit the code fix.

Suggested change
models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`)
models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE :criteria OR description LIKE :criteria) AND deletedAt IS NULL) ORDER BY name`, {
replacements: { criteria: `%${criteria}%` }
})

The code change addresses the SQL Injection vulnerability by implementing parameterized queries instead of directly interpolating user input into the SQL command. Here's how this change mitigates the risk:

Explanation of the Vulnerability

SQL Injection occurs when an attacker is able to manipulate a SQL query by injecting malicious input. In the original code, the user input (criteria) is directly concatenated into the SQL string. This means that if an attacker provides specially crafted input, they could alter the intended SQL command, potentially allowing them to execute arbitrary SQL code.

How the Code Change Fixes the Vulnerability

  1. Parameterized Queries: The revised code uses a parameterized query with named parameters (:criteria). This means that the SQL command structure is defined separately from the data being inserted into it. The database engine treats the parameter as a value rather than executable code.

  2. Replacements Object: The replacements object is used to safely pass the user input (criteria) into the SQL query. This ensures that the input is properly escaped and sanitized, preventing any special characters from being interpreted as part of the SQL command.

  3. Input Length Limitation: The code still includes a check to limit the length of the criteria input to 200 characters. While this is a good practice for performance and security, the main protection against SQL Injection comes from the use of parameterized queries.

Benefits of the Change

  • Security: By using parameterized queries, the risk of SQL Injection is significantly reduced, as user input cannot alter the structure of the SQL command.
  • Maintainability: Parameterized queries are generally easier to read and maintain, as they separate the SQL logic from the data being processed.
  • Performance: Many database systems can optimize parameterized queries better than dynamically constructed queries, potentially improving performance.

Further Reading

For more information on preventing SQL Injection and the benefits of parameterized queries, you can refer to the following resources:

By implementing these changes, the code is now more secure against SQL Injection attacks, ensuring that user input is handled safely.

Note

Have a question or concern about this vulnerability fix? Get an answer within seconds by asking our Concierge 🤖 with @amplify-security.
i.e. @amplify-security are there known performance issues resulting from this fix?

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Warning

Amplify has been notified that this line contains a vulnerability 🕷️.

Vulnerability: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Impact: MEDIUM

Code Fix: ✅

Amplify Security has prepared an automated remediation for review. Click here to review and commit the code fix.

Suggested change
models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`)
models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE :criteria OR description LIKE :criteria) AND deletedAt IS NULL) ORDER BY name`, {
replacements: { criteria: `%${criteria}%` }
})

The code change addresses the SQL Injection vulnerability by using parameterized queries instead of directly interpolating user input into the SQL command. Here's how this change mitigates the risk:

Explanation of the Vulnerability

SQL Injection occurs when an attacker is able to manipulate a SQL query by injecting malicious SQL code through user input. In the original code, the criteria variable is directly concatenated into the SQL query string. This means that if a user inputs a specially crafted string, they could alter the intended SQL command, potentially gaining unauthorized access to data or executing harmful operations on the database.

How the Code Change Fixes the Vulnerability

  1. Use of Parameterized Queries: The modified code uses a parameterized query with named placeholders (in this case, :criteria). This means that the SQL command is defined separately from the data being inserted into it. The database driver treats the input as a literal value rather than executable code.

  2. Replacements Object: The replacements object is used to safely bind the user input to the SQL command. By doing this, the input is sanitized, and any special characters that could be used for SQL injection are neutralized. The database engine ensures that the input is treated as data, not as part of the SQL command.

  3. Length Limitation: The original code already included a length check on the criteria input, limiting it to 200 characters. This is a good practice, but it is not sufficient on its own to prevent SQL injection. The change to parameterized queries is a more robust solution.

Conclusion

By switching to parameterized queries, the code change effectively prevents SQL injection attacks by ensuring that user input cannot alter the structure of the SQL command. This approach is widely recommended in secure coding practices and is documented in various resources, including:

These resources provide further insights into secure coding practices and the importance of using parameterized queries to protect against SQL injection vulnerabilities.

Note

Have a question or concern about this vulnerability fix? Get an answer within seconds by asking our Concierge 🤖 with @amplify-security.
i.e. @amplify-security are there known performance issues resulting from this fix?

.then(([products]: any) => {
const dataString = JSON.stringify(products)
if (challengeUtils.notSolved(challenges.unionSqlInjectionChallenge)) { // vuln-code-snippet hide-start
let solved = true
UserModel.findAll().then(data => {
const users = utils.queryResultToJson(data)
if (users.data?.length) {
for (let i = 0; i < users.data.length; i++) {
solved = solved && utils.containsOrEscaped(dataString, users.data[i].email) && utils.contains(dataString, users.data[i].password)
if (!solved) {
break
}
}
if (solved) {
challengeUtils.solve(challenges.unionSqlInjectionChallenge)
}
}
}).catch((error: Error) => {
next(error)
})
}
if (challengeUtils.notSolved(challenges.dbSchemaChallenge)) {
let solved = true
models.sequelize.query('SELECT sql FROM sqlite_master').then(([data]: any) => {
const tableDefinitions = utils.queryResultToJson(data)
if (tableDefinitions.data?.length) {
for (let i = 0; i < tableDefinitions.data.length; i++) {
if (tableDefinitions.data[i].sql) {
solved = solved && utils.containsOrEscaped(dataString, tableDefinitions.data[i].sql)
if (!solved) {
break
}
}
}
if (solved) {
challengeUtils.solve(challenges.dbSchemaChallenge)
}
}
})
} // vuln-code-snippet hide-end
for (let i = 0; i < products.length; i++) {
products[i].name = req.__(products[i].name)
products[i].description = req.__(products[i].description)
}
res.json(utils.queryResultToJson(products))
}).catch((error: ErrorWithParent) => {
next(error.parent)
})
}
}
// vuln-code-snippet end unionSqlInjectionChallenge dbSchemaChallenge