Commit fe16b36

Update index.js
1 parent 1078c19 commit fe16b36

1 file changed

+31
-17
lines changed


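--- a/routes/index.js
+++ b/routes/index.js
@@ -138,24 +138,37 @@ exports.get_account_details = function(req, res, next) {
 
 // New NoSQL Injection vulnerability - added for Snyk testing
 /*
-exports.getUserById = function(req, res, next) {
-// Get the user ID from query parameters
-const userId = req.query.id;
-
-// Directly use user input in MongoDB operator without sanitization
-// This is vulnerable if userId is something like: {"$ne": null}
-User.findOne({_id: userId}, function(err, user) {
-if (err) return next(err);
-
-if (!user) {
-return res.status(404).send('User not found');
-}
-
-return res.render('user_profile', {
-title: 'User Profile',
-user: user
+exports.loginHandler = function (req, res, next) {
+if (validator.isEmail(req.body.username)) {
+User.find({ username: req.body.username, password: req.body.password }, function (err, users) {
+if (users.length > 0) {
+const redirectPage = req.body.redirectPage
+const session = req.session
+const username = req.body.username
+return adminLoginSuccess(redirectPage, session, username, res)
+} else {
+return res.status(401).send()
+}
 });
+} else {
+return res.status(401).send()
+}
+};
+
+
+if (validator.isEmail(req.body.username)) {
+User.find({ username: req.body.username, password: req.body.password }, function (err, users) {
+if (users.length > 0) {
+const redirectPage = req.body.redirectPage
+const session = req.session
+const username = req.body.username
+return adminLoginSuccess(redirectPage, session, username, res)
+} else {
+return res.status(401).send()
+}
 });
+} else {
+return res.status(401).send()
 };
 */
 
@@ -261,7 +274,7 @@ exports.create = function (req, res, next) {
 };
 
 // Insert new vulnerable code:
-
+/*
 exports.destroy = function (req, res, next) {
 Todo.findById(req.params.id, function (err, todo) {
 
@@ -289,6 +302,7 @@ exports.edit = function (req, res, next) {
 });
 });
 };
+*/
 
 exports.update = function (req, res, next) {
 Todo.findById(req.params.id, function (err, todo) {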
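Review bot: The new loginHandler (new lines 142–143) puts `req.body.username` and `req.body.password` straight into the `User.find` filter as whatever JSON type the client sent, and the `find` callback reads `users.length` before checking `err`, so a failed query throws inside the callback instead of reaching `next`. Both gaps close with two lines: `if (typeof req.body.username !== 'string' || typeof req.body.password !== 'string') return res.status(401).send()` ahead of the `validator.isEmail` call (which itself throws on a non-string argument), and `if (err) return next(err)` as the first statement of the callback. Matching the password as a plain query field also implies it is stored unhashed, which is worth confirming against the User model outside this hunk. The whole block sits between the `/*` on line 140 and the `*/` on line 173, so it is not live code, which looks deliberate for the Snyk fixture named on line 139; the second copy of the body at new lines 159–171 is outside any function and outside the closing brace of `loginHandler`, so it should probably be removed rather than kept in the comment. `redirectPage` comes from the body and is handed to `adminLoginSuccess`, whose definition is outside the hunk, so whether the target is checked against an allow-list cannot be confirmed here.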
