
Create testing.js #25

Open
bandarisantosh wants to merge 1 commit into main from bandarisantosh-patch-18

Conversation

@bandarisantosh
Owner

No description provided.

);

// proruleid: pg-express
const q1 = pgClient.query(`SELECT pg_sleep(${req.body.sleep});`);
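Review bot: `${req.body.sleep}` puts request data straight into the SQL text; a template literal is concatenation as far as the query parser is concerned, which is why pg-express fires here (and the `proruleid` marker says that is the intent of the fixture). The fix is to pass the duration as a parameter, `pgClient.query('SELECT pg_sleep($1);', [seconds])`, and because pg_sleep is itself a delay primitive, to range-check `seconds` before it reaches the database; parameterizing alone still lets the caller choose how long a backend stays busy.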


Semgrep identified an issue in your code:
Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.

Dataflow graph (test.js): Source [Line: 46] req -> Sink [Line: 46] pgClient
(https://github.com/bandarisantosh/bad-python-app/blob/5c5e3a9d011b1e813419749b3b7e8e820d70da3f/test.js#L46)

To resolve this comment:

🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.

💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by pg-express.

You can view more details about this finding in the Semgrep AppSec Platform.

const client = new Client();
await client.connect();
// proruleid: pg-express
const res = await client.query(
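Review bot: `client.query(` is cut off at the end of this excerpt, so the statement being flagged is only visible in the suggested change below; the fix proposed there (constant text, `$1`/`$2` placeholders, values array) is the right one. One caveat on the values: depending on which query parser Express is configured with, `req.query.profileTitle` can arrive as an array or an object rather than a string, and pg will serialize such a value instead of rejecting it, so check the type before handing it to the query. Also, `new Client()` with no configuration only works when the PG* environment variables are set; that deserves a comment.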


Semgrep identified an issue in your code:
Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.

Dataflow graph (test.js): Source [Line: 39] req -> Sink [Line: 37] client
(source https://github.com/bandarisantosh/bad-python-app/blob/5c5e3a9d011b1e813419749b3b7e8e820d70da3f/test.js#L39, sink https://github.com/bandarisantosh/bad-python-app/blob/5c5e3a9d011b1e813419749b3b7e8e820d70da3f/test.js#L37)

To resolve this comment:

✨ Commit Assistant fix suggestion

Suggested change
const res = await client.query(
const queryText = "INSERT INTO profiledb (profilename, profiledescription, approved) VALUES ($1, $2, 'Pending')";
const queryValues = [req.query.profileTitle, req.query.profileBody];
const res = await client.query(queryText, queryValues);
Step-by-step instructions:
  1. Identify the SQL queries that are constructed using string concatenation with user input, such as req.query.profileTitle and req.query.profileBody.
  2. Replace these queries with parameterized queries to prevent SQL injection. For example, change:
    pool.query(
      "INSERT INTO profiledb (profilename, profiledescription, approved) VALUES ('" +
      req.query.profileTitle +
      "', '" +
      req.query.profileBody +
      "', 'Pending');"
    );
    to:
    const queryText = "INSERT INTO profiledb (profilename, profiledescription, approved) VALUES ($1, $2, 'Pending')";
    const queryValues = [req.query.profileTitle, req.query.profileBody];
    pool.query(queryText, queryValues);
  3. Apply the same change to other similar queries, such as the one using client.query.
  4. Ensure that all user inputs used in SQL queries are passed as parameters in the query method to separate SQL commands from user data.

Using parameterized queries helps prevent SQL injection by ensuring that user inputs are treated as data rather than executable code.


const q2 = pgClient.query(text, values);

// proruleid: pg-express
const q3 = cl2.connect("something").query(text1);
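Review bot: the trace shows `text1` is assembled from a template literal that contains `req` earlier in the file, so this is the same concatenation problem as `q1` even though the query text is built a few lines away from the call; `q2` just above, which passes `text, values`, is the shape to copy. Note also that in node-postgres `connect()` returns a Promise (or undefined when given a callback), not the client, so `cl2.connect("something").query(text1)` only works as a pattern fixture for the rule, not as application code.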


Semgrep identified an issue in your code:
Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.

Dataflow graph (test.js): Source [Line: 28] req -> Traces [Line: 28] ` -> [Line: 28] text1 -> Sink [Line: 52] cl2.connect("something")
(source https://github.com/bandarisantosh/bad-python-app/blob/5c5e3a9d011b1e813419749b3b7e8e820d70da3f/test.js#L28, sink https://github.com/bandarisantosh/bad-python-app/blob/5c5e3a9d011b1e813419749b3b7e8e820d70da3f/test.js#L52)

To resolve this comment:

🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.


async function test2(req, res, next) {
const pool = new Pool(a);
// proruleid: pg-express
pool.query(
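Review bot: `new Pool(a)` inside the `test2` handler opens a fresh pool on every request; a `Pool` is meant to be created once at module scope and shared, otherwise connections accumulate until the server's connection limit is hit. The flagged `pool.query(` call is cut off in this excerpt; the suggested change below (placeholders plus a values array) fixes the injection regardless of where the pool lives.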


Semgrep identified an issue in your code:
Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.

Dataflow graph (test.js): Source [Line: 18] req -> Sink [Line: 16] pool
(source https://github.com/bandarisantosh/bad-python-app/blob/5c5e3a9d011b1e813419749b3b7e8e820d70da3f/test.js#L18, sink https://github.com/bandarisantosh/bad-python-app/blob/5c5e3a9d011b1e813419749b3b7e8e820d70da3f/test.js#L16)

To resolve this comment:

✨ Commit Assistant fix suggestion

Suggested change
pool.query(
pool.query(
"INSERT INTO profiledb (profilename, profiledescription, approved) VALUES ($1, $2, 'Pending');",
[req.query.profileTitle, req.query.profileBody]
);
Step-by-step instructions:
  1. Change the SQL query to use parameterized queries instead of string concatenation. This prevents SQL injection by separating SQL commands from user data.
  2. Replace the query string with placeholders for the dynamic values. For example, change the query to: "INSERT INTO profiledb (profilename, profiledescription, approved) VALUES ($1, $2, 'Pending');".
  3. Pass the dynamic values as an array in the second argument of the query method. For example, use: pool.query("INSERT INTO profiledb (profilename, profiledescription, approved) VALUES ($1, $2, 'Pending');", [req.query.profileTitle, req.query.profileBody]);.
  4. Repeat the above steps for any other queries that use user input directly in the SQL string.
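The remediation all four pg-express findings above point at, as an added example that is not code from this PR or from Semgrep: the string-built INSERT from the fix guidance beside its `$1`/`$2` form, and the `pg_sleep` template literal from the first finding beside a parameterized, range-checked version. Only the `query(text, values)` call shape is node-postgres's; `RecordingClient`, the payload, the request objects and the 5-second bound are constructed here for illustration, and the client is a stand-in that records what would be sent so the block runs with no database.

```javascript
// Added example, not code from the PR or from Semgrep. Shows the flagged
// pattern beside the parameterized fix. Only query(text, values) mirrors
// node-postgres; everything else here is constructed for illustration.

// Stand-in for pg's Client/Pool: records what would be sent to PostgreSQL
// instead of executing it, so the block runs with no database.
class RecordingClient {
  constructor() {
    this.calls = [];
  }
  query(text, values = []) {
    this.calls.push({ text, values });
    return { rows: [] }; // the real client returns a Promise of a result
  }
}

// 'Before': the shape pg-express flags. Request data is spliced into the SQL
// text, so a single quote in the input ends the literal early.
function insertProfileUnsafe(client, req) {
  return client.query(
    "INSERT INTO profiledb (profilename, profiledescription, approved) VALUES ('" +
      req.query.profileTitle + "', '" + req.query.profileBody + "', 'Pending');"
  );
}

// 'After': $1/$2 placeholders. pg ships the text and the values separately,
// so whatever the values contain is never parsed as SQL.
const INSERT_PROFILE =
  "INSERT INTO profiledb (profilename, profiledescription, approved) VALUES ($1, $2, 'Pending')";

function insertProfileSafe(client, req) {
  return client.query(INSERT_PROFILE, [req.query.profileTitle, req.query.profileBody]);
}

// The pg_sleep finding: a template literal is still concatenation. On top of
// parameterizing, a sleep duration taken from the request must be bounded,
// or the parameterized query is a clean denial-of-service primitive.
const MAX_SLEEP_SECONDS = 5; // assumed bound, chosen for this example

function parseSleepSeconds(raw) {
  if (typeof raw !== "string" && typeof raw !== "number") {
    throw new RangeError("sleep must be a scalar"); // arrays/objects from the parser
  }
  const n = Number(raw); // strict: any trailing junk makes the whole value NaN
  if (raw === "" || !Number.isFinite(n) || n < 0 || n > MAX_SLEEP_SECONDS) {
    throw new RangeError(`sleep must be a number in [0, ${MAX_SLEEP_SECONDS}]`);
  }
  return n;
}

function sleepSafe(client, req) {
  return client.query("SELECT pg_sleep($1);", [parseSleepSeconds(req.body.sleep)]);
}

// Constructed attack input: the title closes the profilename literal, writes
// its own row with approved='Approved' and comments out the rest of the
// original statement; the sleep value carries a second statement.
const PAYLOAD = "x', 'pwned', 'Approved'); --";
const ATTACK_REQ = {
  query: { profileTitle: PAYLOAD, profileBody: "harmless" },
  body: { sleep: "1); DROP TABLE profiledb; --" },
};

function demo(req = ATTACK_REQ) {
  const client = new RecordingClient();
  insertProfileUnsafe(client, req);
  insertProfileSafe(client, req);
  let sleepRejected = false;
  try {
    sleepSafe(client, req);
  } catch (e) {
    sleepRejected = e instanceof RangeError;
  }
  const [unsafe, safe] = client.calls;
  return {
    unsafeText: unsafe.text,
    unsafeInjected: unsafe.text.includes("'Approved'); --"), // payload became SQL
    safeText: safe.text,                                      // unchanged constant
    safeValues: safe.values,                                  // payload stays data
    safeInjected: safe.text.includes("Approved"),
    sleepRejected,
  };
}

console.log(demo());
```

Run with `node` and compare `unsafeText` with `safeText`: in the first the payload has become part of the statement, in the second the statement is the same constant string for every request and the payload only appears inside `safeValues`. The type check in `parseSleepSeconds` matters because `Number(["1"])` is `1`, so a parser that turns `sleep[]=1` into an array would otherwise slip through.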

@bandarisantosh bandarisantosh changed the title Create test.js Create testing.js Mar 6, 2025