Skip to content

Commit b632d9c

Browse files
c-wc-w
authored
Merge pull request #19 from CatalystCode/fix-sql-injection
Fix SQL injection vulnerability
2 parents 7172397 + 1a4a63f commit b632d9c

File tree

4 files changed

+17
-13
lines changed

4 files changed

+17
-13
lines changed

services/features.js

Lines changed: 1 addition & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -6,15 +6,12 @@ const async = require('async'),
66
GeoPoint = require('geopoint'),
77
HttpStatus = require('http-status-codes'),
88
postgres = require('./postgres'),
9+
escapeSql = postgres.escapeSql,
910
ServiceError = common.utils.ServiceError,
1011
turf = require('turf');
1112

1213
let featureDatabasePool;
1314

14-
function escapeSql(value) {
15-
return `'${value.replace(/'/g,"''")}'`;
16-
}
17-
1815
function executeQuery(query, callback) {
1916
featureDatabasePool.connect((err, client, done) => {
2017
if (err) return callback(err);

services/featuresCosmosDb.js

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -6,6 +6,7 @@ const async = require('async'),
66
GeoPoint = require('geopoint'),
77
HttpStatus = require('http-status-codes'),
88
process = require('process'),
9+
escapeSql = require('./postgres').escapeSql,
910
ServiceError = common.utils.ServiceError,
1011
turf = require('turf'),
1112
url = require('url');
@@ -114,7 +115,7 @@ function init(callback) {
114115

115116
function getById(query, callback) {
116117
const ids = query.id.constructor === Array ? query.id : [query.id];
117-
const getQuery = `SELECT ${buildQueryColumns(query)} FROM features WHERE id IN (${escapeSql(ids.join(','))})`;
118+
const getQuery = `SELECT ${buildQueryColumns(query)} FROM features WHERE id IN (${ids.map(escapeSql).join(',')})`;
118119
executeQuery(getQuery, (err, rows) => {
119120
if (err) return callback(err);
120121
if (!rows || rows.length === 0) return callback(null, null);

services/postgres.js

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -3,6 +3,10 @@ const pg = require('pg'),
33
querystring = require('querystring'),
44
url = require('url');
55

6+
function escapeSql(value) {
7+
return `'${value.replace(/'/g,"''")}'`;
8+
}
9+
610
function init(callback) {
711
const connectionString = process.env.FEATURES_CONNECTION_STRING;
812

@@ -30,5 +34,6 @@ function init(callback) {
3034
}
3135

3236
module.exports = {
37+
escapeSql: escapeSql,
3338
init: init
3439
};

services/visits.js

Lines changed: 9 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -6,6 +6,7 @@ const async = require('async'),
66
HttpStatus = require('http-status-codes'),
77
log = common.services.log("featureService/services/visits"),
88
postgres = require('./postgres'),
9+
escapeSql = postgres.escapeSql,
910
ServiceError = common.utils.ServiceError,
1011
uuid = require('uuid/v4');
1112

@@ -40,7 +41,7 @@ function resultsToVisits(results) {
4041
}
4142

4243
function deleteByUserId(userId, callback) {
43-
executeQuery(`DELETE FROM visits WHERE user_id='${userId}'`, callback);
44+
executeQuery(`DELETE FROM visits WHERE user_id=${escapeSql(userId)}`, callback);
4445
}
4546

4647
function executeQuery(query, callback) {
@@ -69,11 +70,11 @@ function fromRequest(visitsJson, callback) {
6970
}
7071

7172
function getByTimestamp(userId, timestamp, callback) {
72-
executeQuery(`SELECT * FROM visits WHERE user_id='${userId}' AND start >= ${timestamp} AND finish <= ${timestamp}`, callback);
73+
executeQuery(`SELECT * FROM visits WHERE user_id=${escapeSql(userId)} AND start >= ${timestamp} AND finish <= ${timestamp}`, callback);
7374
}
7475

7576
function getByUserId(userId, callback) {
76-
let query = `SELECT * FROM visits WHERE user_id='${userId}'`;
77+
let query = `SELECT * FROM visits WHERE user_id=${escapeSql(userId)}`;
7778
executeQuery(query, callback);
7879
}
7980

@@ -119,16 +120,16 @@ function upsert(visits, callback) {
119120
let upsertQuery = `INSERT INTO visits (
120121
id, user_id, feature_id, start, finish, created_at, updated_at
121122
) VALUES (
122-
'${visit.id}',
123-
'${visit.userId}',
124-
'${visit.featureId}',
123+
${escapeSql(visit.id)},
124+
${escapeSql(visit.userId)},
125+
${escapeSql(visit.featureId)},
125126
${visit.start},
126127
${visit.finish},
127128
current_timestamp,
128129
current_timestamp
129130
) ON CONFLICT (id) DO UPDATE SET
130-
user_id = '${visit.userId}',
131-
feature_id = '${visit.featureId}',
131+
user_id = ${escapeSql(visit.userId)},
132+
feature_id = ${escapeSql(visit.featureId)},
132133
start = ${visit.start},
133134
finish = ${visit.finish},
134135
updated_at = current_timestamp

0 commit comments

Comments
 (0)