Add database utilities #4
Conversation
🤖 Claude Code Review
This PR adds database utility functions but contains multiple serious security vulnerabilities and data safety issues. The code includes SQL injection vulnerabilities, XSS risks, exposed credentials, and unsafe data deletion functions that could compromise the application's security and data integrity.
📁 Files reviewed (2 files, 36 changes)
- 🆕 src/lib/bad-code.ts (+36/-0)
- 🆕 testxxx22.png (+0/-0)
Issues Found
- 🚨 Critical: 4
❌ Changes requested - Please fix the critical issues before merging.
Powered by Claude AI
| // CRITICAL: SQL Injection vulnerability - user input directly in query | ||
| export async function getUserByName(name: string) { | ||
| const result = await prisma.$queryRawUnsafe( |
🚨 CRITICAL
SQL injection vulnerability: User input is directly interpolated into the SQL query without sanitization. An attacker could inject malicious SQL by providing input like '; DROP TABLE users; --. Use parameterized queries or Prisma's type-safe query methods instead.
| } | ||
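Review bot: the `prisma.$queryRawUnsafe(` call in `getUserByName` is the root of the injection flagged above, because that method accepts a fully assembled SQL string and cannot tell `name` apart from query text. Replace it with the tagged-template form, `prisma.$queryRaw\`SELECT ... WHERE name = ${name}\``, which sends the interpolated value as a bound parameter, or drop raw SQL here entirely and use the model's query method (for example `prisma.user.findFirst({ where: { name } })`, assuming a `user` model). The hunk does not show the query text or the `prisma` import, so the review should also confirm `name` is not concatenated anywhere before the call.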
| // CRITICAL: XSS vulnerability - rendering unsanitized HTML | ||
| export function renderUserComment(comment: string): string { |
🚨 CRITICAL
XSS vulnerability: User comment content is directly inserted into HTML without sanitization. Malicious users could inject JavaScript code like <script>alert('XSS')</script>. Sanitize the comment content or use a templating system that escapes HTML by default.
| return `<div class="comment">${comment}</div>`; | ||
| } | ||
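Review bot: the template literal `return \`<div class="comment">${comment}</div>\`` interpolates `comment` into markup verbatim, so the fix belongs at that line: escape `&`, `<`, `>`, `"` and `'` to their entity forms before interpolation, or change the contract so the caller sets the text through `textContent` instead of receiving an HTML string. The `// CRITICAL: XSS vulnerability` marker above the function documents the defect rather than removing it and should not be what lands in the merged file.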
| // CRITICAL: Hardcoded credentials exposed in code |
🚨 CRITICAL
Exposed credentials: Database password and API secret key are hardcoded in the source code. These will be visible to anyone with access to the repository. Move these to environment variables and never commit secrets to version control.
| } | ||
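Review bot: only the `// CRITICAL: Hardcoded credentials exposed in code` marker and a closing `}` are visible in this hunk, so the declarations themselves still need to be inspected, but the fix is the same either way: read the values from `process.env` at startup and fail fast when they are missing, with no literal fallback. Treat any value that was committed as compromised and rotate it, because removing the literal in a later commit leaves it recoverable from the repository history.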
| // CRITICAL: Deleting all data without confirmation | ||
| export async function clearAllUsers() { |
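Review bot: `clearAllUsers()` takes no parameters, so there is no caller identity or target scope it could check before deleting. If a bulk delete is genuinely required, have it accept the authenticated principal and an explicit confirmation argument, verify an admin role before issuing the delete, run it in a transaction, and log who invoked it; better still, move it out of `src/lib` into an admin or migration script so it is not reachable from request-handling code.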
🚨 CRITICAL
Data loss risk: This function deletes all user data without any confirmation mechanism or access controls. This could result in catastrophic data loss if called accidentally or by unauthorized users. Add proper authorization checks and confirmation mechanisms.
Test PR with bad code - closing
Summary
Test plan