Skip to content

Commit 1a4a63f

Browse files
c-wc-w
committed
Fix SQL injection vulnerability
1 parent bb82c22 commit 1a4a63f

File tree

2 files changed

+10
-9
lines changed

2 files changed

+10
-9
lines changed

services/featuresCosmosDb.js

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -115,7 +115,7 @@ function init(callback) {
115115

116116
function getById(query, callback) {
117117
const ids = query.id.constructor === Array ? query.id : [query.id];
118-
const getQuery = `SELECT ${buildQueryColumns(query)} FROM features WHERE id IN (${escapeSql(ids.join(','))})`;
118+
const getQuery = `SELECT ${buildQueryColumns(query)} FROM features WHERE id IN (${ids.map(escapeSql).join(',')})`;
119119
executeQuery(getQuery, (err, rows) => {
120120
if (err) return callback(err);
121121
if (!rows || rows.length === 0) return callback(null, null);

services/visits.js

Lines changed: 9 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -6,6 +6,7 @@ const async = require('async'),
66
HttpStatus = require('http-status-codes'),
77
log = common.services.log("featureService/services/visits"),
88
postgres = require('./postgres'),
9+
escapeSql = postgres.escapeSql,
910
ServiceError = common.utils.ServiceError,
1011
uuid = require('uuid/v4');
1112

@@ -40,7 +41,7 @@ function resultsToVisits(results) {
4041
}
4142

4243
function deleteByUserId(userId, callback) {
43-
executeQuery(`DELETE FROM visits WHERE user_id='${userId}'`, callback);
44+
executeQuery(`DELETE FROM visits WHERE user_id=${escapeSql(userId)}`, callback);
4445
}
4546

4647
function executeQuery(query, callback) {
@@ -69,11 +70,11 @@ function fromRequest(visitsJson, callback) {
6970
}
7071

7172
function getByTimestamp(userId, timestamp, callback) {
72-
executeQuery(`SELECT * FROM visits WHERE user_id='${userId}' AND start >= ${timestamp} AND finish <= ${timestamp}`, callback);
73+
executeQuery(`SELECT * FROM visits WHERE user_id=${escapeSql(userId)} AND start >= ${timestamp} AND finish <= ${timestamp}`, callback);
7374
}
7475

7576
function getByUserId(userId, callback) {
76-
let query = `SELECT * FROM visits WHERE user_id='${userId}'`;
77+
let query = `SELECT * FROM visits WHERE user_id=${escapeSql(userId)}`;
7778
executeQuery(query, callback);
7879
}
7980

@@ -119,16 +120,16 @@ function upsert(visits, callback) {
119120
let upsertQuery = `INSERT INTO visits (
120121
id, user_id, feature_id, start, finish, created_at, updated_at
121122
) VALUES (
122-
'${visit.id}',
123-
'${visit.userId}',
124-
'${visit.featureId}',
123+
${escapeSql(visit.id)},
124+
${escapeSql(visit.userId)},
125+
${escapeSql(visit.featureId)},
125126
${visit.start},
126127
${visit.finish},
127128
current_timestamp,
128129
current_timestamp
129130
) ON CONFLICT (id) DO UPDATE SET
130-
user_id = '${visit.userId}',
131-
feature_id = '${visit.featureId}',
131+
user_id = ${escapeSql(visit.userId)},
132+
feature_id = ${escapeSql(visit.featureId)},
132133
start = ${visit.start},
133134
finish = ${visit.finish},
134135
updated_at = current_timestamp

0 commit comments

Comments
 (0)