
NEW Create Product endpoint #2
Draft: wants to merge 3 commits into main

Conversation

@austenstone austenstone (Member) commented Jan 24, 2022

This pull request introduces a new feature to the application that allows users to create new products. However, the implementation of this feature introduces a potential security vulnerability. The most significant changes include the creation of a new function create in the model/products.js file and a new router endpoint in the routes/products.js file.

New feature implementation:

  • model/products.js: Added a create function to insert a new product into the database. This function takes a product object as input, constructs an SQL query to insert the product into the products table, and returns the product id. This function is then added to the actions object that is exported by the module.

Potential security vulnerability:

  • routes/products.js: Created a new router endpoint at /products/create that handles all HTTP methods. This endpoint extracts parameters from the request, creates a product object, and then calls the create function from db_products to insert the product into the database. However, this implementation does not sanitize or validate the input parameters, which could lead to SQL injection attacks.

@austenstone austenstone reopened this Jan 24, 2022
@austenstone austenstone requested a review from mikewesthub May 3, 2022 20:24
@austenstone austenstone removed the request for review from mikewesthub May 3, 2022 20:27
product.price +
"');";

return db.one(q);

Check failure

Code scanning / CodeQL

Database query built from user-controlled sources

This query depends on [a user-provided value](1). This query depends on [a user-provided value](2).
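The CodeQL alert above flags the concatenated INSERT in model/products.js. The following is an added example, not code from this pull request or its repository: it places that string-built query beside a validated, parameterized version so the difference the alert points at is visible. The project calls pg-promise's db.one(); the column names (name, description, price), the validation limits and the fake in-memory "db" are assumptions made so the example runs offline.

```javascript
// Added example, not code from the PR or its repository. Column names,
// validation limits and the fake db are assumptions for offline use.

// Constructed fake database: records each statement and its bound values.
function makeFakeDb() {
  const calls = [];
  return {
    calls,
    one(text, values) {
      calls.push({ text, values: values || [] });
      return Promise.resolve({ id: calls.length });
    },
  };
}

// Vulnerable pattern: request fields are spliced into the SQL text, so any
// quote character in the input becomes part of the statement the database parses.
function buildInsertUnsafe(product) {
  return (
    "INSERT INTO products (name, description, price) VALUES ('" +
    product.name + "', '" + product.description + "', '" + product.price + "');"
  );
}

// Hardened pattern, step 1: reject anything that is not a well-formed product.
function validateProduct(input) {
  const name = typeof input.name === "string" ? input.name.trim() : "";
  const description = typeof input.description === "string" ? input.description.trim() : "";
  if (name.length === 0 || name.length > 200) throw new TypeError("invalid name");
  if (description.length > 2000) throw new TypeError("invalid description");
  // Accept a non-negative finite number, or a decimal string with at most two places.
  const priceOk =
    (typeof input.price === "number" && Number.isFinite(input.price) && input.price >= 0) ||
    (typeof input.price === "string" && /^\d+(\.\d{1,2})?$/.test(input.price));
  if (!priceOk) throw new TypeError("invalid price");
  return { name, description, price: Number(input.price) };
}

// Hardened pattern, step 2: fixed SQL text with placeholders. The values travel
// separately to the driver and are never interpreted as SQL.
const INSERT_SQL =
  "INSERT INTO products (name, description, price) VALUES ($1, $2, $3) RETURNING id";

function prepareInsert(input) {
  const p = validateProduct(input);
  return { text: INSERT_SQL, values: [p.name, p.description, p.price] };
}

async function createProductSafe(db, input) {
  const { text, values } = prepareInsert(input);
  const row = await db.one(text, values);
  return row.id;
}

// Constructed request body: a legitimate name that happens to contain apostrophes.
const sample = { name: "O'Brien's Widget", description: "demo", price: "9.99" };
console.log(buildInsertUnsafe(sample)); // the apostrophes land inside the SQL text
console.log(prepareInsert(sample));      // the SQL text is fixed; the name is a bound value
```

Running it shows the two failure modes side by side: the concatenated statement is already malformed by an ordinary apostrophe in a product name, which is the same mechanism the alert describes for hostile input, while the parameterized statement never changes shape regardless of what the request carries. Validation before binding is kept separate so that a bad price is rejected with a clear error instead of reaching the database at all.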

@austenstone austenstone changed the title NEW Create Product endpoint WIP: NEW Create Product endpoint Jan 25, 2023
@austenstone austenstone marked this pull request as draft January 25, 2023 16:41
@austenstone austenstone changed the title WIP: NEW Create Product endpoint NEW Create Product endpoint Jan 26, 2023
@austenstone austenstone reopened this Dec 13, 2023