/**
 * Non-compliant example: `criteria` comes from the `q` query parameter and is
 * interpolated into the SQL text, so the statement's structure depends on
 * request data. The prefix check below does not change that; only passing the
 * value as a bind parameter (see the compliant examples) does.
 */
module.exports = function searchProducts () {
  return (req: Request, res: Response, next: NextFunction) => {
    // The literal string 'undefined' is treated the same as an absent term.
    let criteria: any = req.query.q === 'undefined' ? '' : req.query.q ?? ''
    // Length cap only; nothing here validates or escapes the content.
    criteria = (criteria.length <= 200) ? criteria : criteria.substring(0, 200)
    // only allow apple or orange related searches
    // NOTE(review): joined with `||`, this condition holds for every string
    // (none starts with both prefixes), so every request is answered 400.
    // Even a working allow-list would not make the interpolation below safe.
    if (!criteria.startsWith("apple") || !criteria.startsWith("orange")) {
      res.status(400).send()
      return
    }
    // criteria is spliced into the statement text — this is what the rule flags.
    models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`)
      .then(([products]: any) => {
        // Assigned but never read.
        const dataString = JSON.stringify(products)
        // req.__ (presumably the i18n lookup — confirm) is applied in place to
        // name and description before the rows are serialized.
        for (let i = 0; i < products.length; i++) {
          products[i].name = req.__(products[i].name)
          products[i].description = req.__(products[i].description)
        }
        res.json(utils.queryResultToJson(products))
      }).catch((error: ErrorWithParent) => {
        // Forwards the wrapped driver error; assumes ErrorWithParent exposes it as `parent`.
        next(error.parent)
      })
  }
}
/**
 * Non-compliant example: an attempted sanitization of `criteria` that has no
 * effect, followed by the same string-interpolated query. Filtering characters
 * is not the fix; binding the value as a query parameter is.
 */
module.exports = function searchProducts () {
  return (req: Request, res: Response, next: NextFunction) => {
    // The literal string 'undefined' is treated the same as an absent term.
    let criteria: any = req.query.q === 'undefined' ? '' : req.query.q ?? ''
    // Length cap only.
    criteria = (criteria.length <= 200) ? criteria : criteria.substring(0, 200)
    // NOTE(review): strings are immutable and the return value is discarded,
    // so `criteria` is unchanged here. Even if assigned back, the regex has no
    // `g` flag (only the first match would be removed) and `and`/`or` match
    // inside ordinary words such as "orange".
    criteria.replace(/"|'|;|and|or/i, "")
    // criteria is spliced into the statement text — this is what the rule flags.
    models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`)
      .then(([products]: any) => {
        // Assigned but never read.
        const dataString = JSON.stringify(products)
        // req.__ (presumably the i18n lookup — confirm) is applied in place.
        for (let i = 0; i < products.length; i++) {
          products[i].name = req.__(products[i].name)
          products[i].description = req.__(products[i].description)
        }
        res.json(utils.queryResultToJson(products))
      }).catch((error: ErrorWithParent) => {
        // Forwards the wrapped driver error; assumes ErrorWithParent exposes it as `parent`.
        next(error.parent)
      })
  }
}
// Block-list of tokens that cause the request to be rejected. Note the `;`
// alternative is listed twice, and with the `i` flag `and`/`or` also match
// inside ordinary words (e.g. "orange"), so legitimate searches are refused.
const injectionChars = /"|'|;|and|or|;|#/i;

/**
 * Non-compliant example: rejecting inputs that match a block-list does not
 * make the interpolated query below safe — the statement text still depends
 * on request data, which is what the rule flags. Use a bind parameter instead.
 */
module.exports = function searchProducts () {
  return (req: Request, res: Response, next: NextFunction) => {
    // The literal string 'undefined' is treated the same as an absent term.
    let criteria: any = req.query.q === 'undefined' ? '' : req.query.q ?? ''
    // Length cap only.
    criteria = (criteria.length <= 200) ? criteria : criteria.substring(0, 200)
    // Deny-list check; anything it does not anticipate still reaches the query.
    if (criteria.match(injectionChars)) {
      res.status(400).send()
      return
    }
    // criteria is spliced into the statement text.
    models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`)
      .then(([products]: any) => {
        // Assigned but never read.
        const dataString = JSON.stringify(products)
        // req.__ (presumably the i18n lookup — confirm) is applied in place.
        for (let i = 0; i < products.length; i++) {
          products[i].name = req.__(products[i].name)
          products[i].description = req.__(products[i].description)
        }
        res.json(utils.queryResultToJson(products))
      }).catch((error: ErrorWithParent) => {
        // Forwards the wrapped driver error; assumes ErrorWithParent exposes it as `parent`.
        next(error.parent)
      })
  }
}
/**
 * Non-compliant example: the query is assembled with `+` concatenation, which
 * the rule treats exactly like template interpolation — the request value
 * becomes part of the SQL text instead of a bound parameter.
 */
module.exports = function searchProducts () {
  return (req: Request, res: Response, next: NextFunction) => {
    // The literal string 'undefined' is treated the same as an absent term.
    let criteria: any = req.query.q === 'undefined' ? '' : req.query.q ?? ''
    // Length cap only; no validation or escaping.
    criteria = (criteria.length <= 200) ? criteria : criteria.substring(0, 200)
    // criteria is concatenated into the statement text — this is what the rule flags.
    models.sequelize.query("SELECT * FROM Products WHERE ((name LIKE '%" + criteria + "%' OR description LIKE '%" + criteria + "%') AND deletedAt IS NULL) ORDER BY name")
      .then(([products]: any) => {
        // Assigned but never read.
        const dataString = JSON.stringify(products)
        // req.__ (presumably the i18n lookup — confirm) is applied in place.
        for (let i = 0; i < products.length; i++) {
          products[i].name = req.__(products[i].name)
          products[i].description = req.__(products[i].description)
        }
        res.json(utils.queryResultToJson(products))
      }).catch((error: ErrorWithParent) => {
        // Forwards the wrapped driver error; assumes ErrorWithParent exposes it as `parent`.
        next(error.parent)
      })
  }
}
// Non-compliant example: three handlers that concatenate `req.body.username`
// into SELECT, UPDATE and DELETE statements. Sequelize's `query` accepts a
// `replacements`/`bind` option for exactly this; the value should go there.
var express = require('express')
var app = express()
const Sequelize = require('sequelize');
// Connection settings are literals in this snippet (example values).
const sequelize = new Sequelize('database', 'username', 'password', {
  dialect: 'sqlite',
  storage: 'data/juiceshop.sqlite'
});
// NOTE(review): none of these handlers sends a response or handles the
// promise returned by query(), so the client is left waiting and any
// database error goes unobserved.
app.post('/login', function (req, res) {
  sequelize.query('SELECT * FROM Products WHERE name LIKE ' + req.body.username);
})
app.post('/update', function (req, res) {
  sequelize.query('UPDATE products SET bla=bli WHERE name LIKE ' + req.body.username);
})
app.post('/remove', function (req, res) {
  sequelize.query('DELETE FROM product WHERE name LIKE ' + req.body.username);
})
// Non-compliant example using the `mysql` driver: the `:id` path parameter is
// concatenated into the statement in all three forms the driver accepts
// (options object, plain string, inline options object). The driver supports
// `?` placeholders with a values array (`query(sql, [userId], cb)`), which is
// the fix the rule expects.
const express = require('express');
const router = express.Router()
const config = require('../../config')
const mysql = require('mysql');
// Connection parameters come from the project config module.
const connection = mysql.createConnection({
  host: config.MYSQL_HOST,
  port: config.MYSQL_PORT,
  user: config.MYSQL_USER,
  password: config.MYSQL_PASSWORD,
  database: config.MYSQL_DB_NAME,
});
// Connects at module load time.
connection.connect();
router.get('/example1/user/:id', (req, res) => {
  let userId = req.params.id;
  // Statement text built from the path parameter.
  let query = { sql: "SELECT * FROM users WHERE id=" + userId }
  // NOTE(review): `err` is never checked; on failure `result` is undefined
  // and res.json(undefined) is sent. Same in the two handlers below.
  connection.query(query, (err, result) => {
    res.json(result);
  });
})
router.get('/example2/user/:id', (req, res) => {
  let userId = req.params.id;
  // Same concatenation, passed as a plain string.
  connection.query("SELECT * FROM users WHERE id=" + userId, (err, result) => {
    res.json(result);
  });
})
router.get('/example3/user/:id', (req, res) => {
  let userId = req.params.id;
  // Same concatenation, passed as an inline options object.
  connection.query({ sql: "SELECT * FROM users WHERE id=" + userId }, (err, result) => {
    res.json(result);
  });
})
module.exports = router
Compliant Code Examples
import { BasketModel } from "../../../models/basket";

/**
 * Compliant example: the e-mail and password from the request body reach the
 * database only as bind parameters ($1, $2); the SQL text itself is a fixed
 * string, so request data can never alter the statement's structure.
 */
module.exports = function login () {
  // Looks up (or creates) the user's basket, issues the session token and
  // records the session, then answers with the authentication payload.
  function afterLogin (user: { data: User, bid: number }, res: Response, next: NextFunction) {
    const ownBasket = { where: { UserId: user.data.id } }
    BasketModel.findOrCreate(ownBasket)
      .then(([basket]: [BasketModel, boolean]) => {
        const token = security.authorize(user)
        user.bid = basket.id // keep track of original basket
        security.authenticatedUsers.put(token, user)
        res.json({ authentication: { token, bid: basket.id, umail: user.data.email } })
      })
      .catch((error: Error) => { next(error) })
  }

  // Fixed statement; the two placeholders are filled from `bind` by the driver.
  const AUTH_SQL = `SELECT * FROM Users WHERE email = $1 AND password = $2 AND deletedAt IS NULL`

  return (req: Request, res: Response, next: NextFunction) => {
    const lookup = {
      bind: [req.body.email, req.body.password],
      model: models.User,
      plain: true
    }
    models.sequelize.query(AUTH_SQL, lookup)
      .then((authenticatedUser: { data: User }) => {
        const user = utils.queryResultToJson(authenticatedUser)
        const userId = user.data?.id
        // No matching row: reject without revealing which field was wrong.
        if (!userId) {
          res.status(401).send(res.__('Invalid email or password.'))
          return
        }
        // Password accepted but a second factor is enrolled: hand back a
        // temporary token that only unlocks the TOTP step.
        if (user.data.totpSecret !== '') {
          const tmpToken = security.authorize({ userId, type: 'password_valid_needs_second_factor_token' })
          res.status(401).json({ status: 'totp_token_required', data: { tmpToken } })
          return
        }
        afterLogin(user, res, next)
      })
      .catch((error: Error) => { next(error) })
  }
}
import { BasketModel } from "../../../models/basket";

/**
 * Compliant example: identical to the previous one except that the statement
 * is written as an ordinary single-quoted string. What matters to the rule is
 * unchanged — the request values are passed through `bind`, never spliced
 * into the SQL text.
 */
module.exports = function login () {
  // Issues the token and records the authenticated session once the user's
  // basket has been found or created.
  function afterLogin (user: { data: User, bid: number }, res: Response, next: NextFunction) {
    BasketModel.findOrCreate({ where: { UserId: user.data.id } })
      .then(([basket]: [BasketModel, boolean]) => {
        const token = security.authorize(user)
        user.bid = basket.id // keep track of original basket
        security.authenticatedUsers.put(token, user)
        const authentication = { token, bid: basket.id, umail: user.data.email }
        res.json({ authentication })
      })
      .catch((error: Error) => { next(error) })
  }

  // Fixed statement with two positional bind parameters.
  const findUserSql = 'SELECT * FROM Users WHERE email = $1 AND password = $2 AND deletedAt IS NULL'

  // Rejects the attempt with 401 and the localized message.
  function rejectCredentials (res: Response) {
    res.status(401).send(res.__('Invalid email or password.'))
  }

  // Password accepted but TOTP is enrolled: answer 401 with a temporary token
  // that only unlocks the second-factor step.
  function requireSecondFactor (res: Response, userId: any) {
    const tmpToken = security.authorize({ userId, type: 'password_valid_needs_second_factor_token' })
    res.status(401).json({ status: 'totp_token_required', data: { tmpToken } })
  }

  return (req: Request, res: Response, next: NextFunction) => {
    const bind = [req.body.email, req.body.password]
    models.sequelize.query(findUserSql, { bind, model: models.User, plain: true })
      .then((authenticatedUser: { data: User }) => {
        const user = utils.queryResultToJson(authenticatedUser)
        const userId = user.data?.id
        if (!userId) {
          rejectCredentials(res)
        } else if (user.data.totpSecret !== '') {
          requireSecondFactor(res, userId)
        } else {
          afterLogin(user, res, next)
        }
      })
      .catch((error: Error) => { next(error) })
  }
}
Cómo usar esta regla
# Enables the ruleset this page belongs to; place this in
# static-analysis.datadog.yml at the repository root.
rulesets:
  - javascript-node-security # Rules to enforce JavaScript node security.
Crea un static-analysis.datadog.yml con el contenido anterior en la raíz de tu repositorio
Utiliza nuestros complementos del IDE gratuitos o añade análisis de Code Security a tus pipelines de CI.