This product is not supported for your selected Datadog site. ().
Cette page n'est pas encore disponible en français, sa traduction est en cours. Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.
module.exports=functionsearchProducts(){return(req:Request,res:Response,next:NextFunction)=>{letcriteria:any=req.query.q==='undefined'?'':req.query.q??''criteria=(criteria.length<=200)?criteria:criteria.substring(0,200)// only allow apple or orange related searches
if(!criteria.startsWith("apple")||!criteria.startsWith("orange")){res.status(400).send()return}models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`).then(([products]:any)=>{constdataString=JSON.stringify(products)for(leti=0;i<products.length;i++){products[i].name=req.__(products[i].name)products[i].description=req.__(products[i].description)}res.json(utils.queryResultToJson(products))}).catch((error:ErrorWithParent)=>{next(error.parent)})}}
module.exports=functionsearchProducts(){return(req:Request,res:Response,next:NextFunction)=>{letcriteria:any=req.query.q==='undefined'?'':req.query.q??''criteria=(criteria.length<=200)?criteria:criteria.substring(0,200)criteria.replace(/"|'|;|and|or/i,"")models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`).then(([products]:any)=>{constdataString=JSON.stringify(products)for(leti=0;i<products.length;i++){products[i].name=req.__(products[i].name)products[i].description=req.__(products[i].description)}res.json(utils.queryResultToJson(products))}).catch((error:ErrorWithParent)=>{next(error.parent)})}}
constinjectionChars=/"|'|;|and|or|;|#/i;module.exports=functionsearchProducts(){return(req:Request,res:Response,next:NextFunction)=>{letcriteria:any=req.query.q==='undefined'?'':req.query.q??''criteria=(criteria.length<=200)?criteria:criteria.substring(0,200)if(criteria.match(injectionChars)){res.status(400).send()return}models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`).then(([products]:any)=>{constdataString=JSON.stringify(products)for(leti=0;i<products.length;i++){products[i].name=req.__(products[i].name)products[i].description=req.__(products[i].description)}res.json(utils.queryResultToJson(products))}).catch((error:ErrorWithParent)=>{next(error.parent)})}}
module.exports=functionsearchProducts(){return(req:Request,res:Response,next:NextFunction)=>{letcriteria:any=req.query.q==='undefined'?'':req.query.q??''criteria=(criteria.length<=200)?criteria:criteria.substring(0,200)models.sequelize.query("SELECT * FROM Products WHERE ((name LIKE '%"+criteria+"%' OR description LIKE '%"+criteria+"%') AND deletedAt IS NULL) ORDER BY name").then(([products]:any)=>{constdataString=JSON.stringify(products)for(leti=0;i<products.length;i++){products[i].name=req.__(products[i].name)products[i].description=req.__(products[i].description)}res.json(utils.queryResultToJson(products))}).catch((error:ErrorWithParent)=>{next(error.parent)})}}
varexpress=require('express')varapp=express()constSequelize=require('sequelize');constsequelize=newSequelize('database','username','password',{dialect:'sqlite',storage:'data/juiceshop.sqlite'});app.post('/login',function(req,res){sequelize.query('SELECT * FROM Products WHERE name LIKE '+req.body.username);})app.post('/update',function(req,res){sequelize.query('UPDATE products SET bla=bli WHERE name LIKE '+req.body.username);})app.post('/remove',function(req,res){sequelize.query('DELETE FROM product WHERE name LIKE '+req.body.username);})
constexpress=require('express');constrouter=express.Router()constconfig=require('../../config')constmysql=require('mysql');constconnection=mysql.createConnection({host:config.MYSQL_HOST,port:config.MYSQL_PORT,user:config.MYSQL_USER,password:config.MYSQL_PASSWORD,database:config.MYSQL_DB_NAME,});connection.connect();router.get('/example1/user/:id',(req,res)=>{letuserId=req.params.id;letquery={sql:"SELECT * FROM users WHERE id="+userId}connection.query(query,(err,result)=>{res.json(result);});})router.get('/example2/user/:id',(req,res)=>{letuserId=req.params.id;connection.query("SELECT * FROM users WHERE id="+userId,(err,result)=>{res.json(result);});})router.get('/example3/user/:id',(req,res)=>{letuserId=req.params.id;connection.query({sql:"SELECT * FROM users WHERE id="+userId},(err,result)=>{res.json(result);});})module.exports=router
Compliant Code Examples
import{BasketModel}from"../../../models/basket";module.exports=functionlogin(){functionafterLogin(user:{data:User,bid:number},res:Response,next:NextFunction){BasketModel.findOrCreate({where:{UserId:user.data.id}}).then(([basket]:[BasketModel,boolean])=>{consttoken=security.authorize(user)user.bid=basket.id// keep track of original basket
security.authenticatedUsers.put(token,user)res.json({authentication:{token,bid:basket.id,umail:user.data.email}})}).catch((error:Error)=>{next(error)})}return(req:Request,res:Response,next:NextFunction)=>{models.sequelize.query(`SELECT * FROM Users WHERE email = $1 AND password = $2 AND deletedAt IS NULL`,{bind:[req.body.email,req.body.password],model:models.User,plain:true}).then((authenticatedUser:{data:User})=>{constuser=utils.queryResultToJson(authenticatedUser)if(user.data?.id&&user.data.totpSecret!==''){res.status(401).json({status:'totp_token_required',data:{tmpToken:security.authorize({userId:user.data.id,type:'password_valid_needs_second_factor_token'})}})}elseif(user.data?.id){afterLogin(user,res,next)}else{res.status(401).send(res.__('Invalid email or password.'))}}).catch((error:Error)=>{next(error)})}
import{BasketModel}from"../../../models/basket";module.exports=functionlogin(){functionafterLogin(user:{data:User,bid:number},res:Response,next:NextFunction){BasketModel.findOrCreate({where:{UserId:user.data.id}}).then(([basket]:[BasketModel,boolean])=>{consttoken=security.authorize(user)user.bid=basket.id// keep track of original basket
security.authenticatedUsers.put(token,user)res.json({authentication:{token,bid:basket.id,umail:user.data.email}})}).catch((error:Error)=>{next(error)})}return(req:Request,res:Response,next:NextFunction)=>{models.sequelize.query('SELECT * FROM Users WHERE email = $1 AND password = $2 AND deletedAt IS NULL',{bind:[req.body.email,req.body.password],model:models.User,plain:true}).then((authenticatedUser:{data:User})=>{constuser=utils.queryResultToJson(authenticatedUser)if(user.data?.id&&user.data.totpSecret!==''){res.status(401).json({status:'totp_token_required',data:{tmpToken:security.authorize({userId:user.data.id,type:'password_valid_needs_second_factor_token'})}})}elseif(user.data?.id){afterLogin(user,res,next)}else{res.status(401).send(res.__('Invalid email or password.'))}}).catch((error:Error)=>{next(error)})}
Seamless integrations. Try Datadog Code Security
Datadog Code Security
Try this rule and analyze your code with Datadog Code Security
How to use this rule
1
2
rulesets:- javascript-node-security # Rules to enforce JavaScript node security.
Create a static-analysis.datadog.yml with the content above at the root of your repository
Use our free IDE Plugins or add Code Security scans to your CI pipelines
