Fix critical security vulnerabilities in routes: injection and redirection flaws#35
Open
sonarqube-agent[bot] wants to merge 1 commit into
Conversation
Fixed issues:
- AZjSWOS8aBAs4lm2zztR for tssecurity:S5147 rule
- AZjSWOZqaBAs4lm2zztj for tssecurity:S5147 rule
- AZWU-tnbYJSZqVQVbSkr for tssecurity:S3649 rule
- AZjSWOVYaBAs4lm2zztX for tssecurity:S5334 rule
- AZWU-tnHYJSZqVQVbSkY for tssecurity:S5146 rule

Generated by SonarQube Agent (task: 18b84d7c-2db1-4257-a1f3-5d40ee74736f)
This PR addresses 5 critical security vulnerabilities across multiple routes: NoSQL injection in product reviews and order history, SQL injection in search, open redirection, and code injection in order processing. These fixes prevent attackers from manipulating database queries, executing arbitrary code, and redirecting users to malicious sites through user-controlled input.
Fixed Issues
tssecurity:S5147 - Change this code to not construct database queries directly from user-controlled data. • BLOCKER
Location: routes/createProductReviews.ts:19
Why is this an issue?
NoSQL injections occur when an application retrieves untrusted data and inserts it into a database query without sanitizing it first.
What changed
This hunk fixes a NoSQL injection vulnerability in the product reviews creation route. The original code passed user-controlled values (`req.params.id`, `req.body.message`, `req.body.author`) directly into a MongoDB `insert()` call without sanitization. An attacker could craft these inputs as objects (e.g., `{ $ne: "" }`) instead of plain strings, potentially manipulating the database query. By calling `.toString()` on each of these values before they are inserted into the database query object, the code ensures that only plain string values are used, preventing attackers from injecting complex MongoDB query operators through user-controlled HTTP request parameters and body fields.

tssecurity:S5147 - Change this code to not construct database queries directly from user-controlled data. • BLOCKER
Location: routes/orderHistory.ts:36
Why is this an issue?
NoSQL injections occur when an application retrieves untrusted data and inserts it into a database query without sanitizing it first.
What changed
This hunk fixes a NoSQL injection vulnerability in the order history route. The original code passed `req.params.id` directly into a MongoDB query (`ordersCollection.update`), allowing an attacker to craft a malicious HTTP request where `req.params.id` is a complex object (e.g., `{ $ne: "" }`) instead of a plain string, potentially manipulating the query logic. By calling `.toString()` on `req.params.id`, the fix ensures that only a plain string value is used in the `_id` filter of the database query, preventing attackers from injecting NoSQL operators through user-controlled input.

tssecurity:S5146 - Change this code to not perform redirects based on user-controlled data. • BLOCKER
Location: routes/redirect.ts:19
Why is this an issue?
Open redirection occurs when an application uses user-controllable data to redirect users to a URL.
What changed
This hunk directly addresses the open redirection vulnerability by replacing the direct use of user-controlled `toUrl` in `res.redirect()` with a sanitized version. Instead of passing the raw user input to `res.redirect(toUrl)`, it first passes `toUrl` through the `sanitizeRedirectUrl` function and redirects to the sanitized result. This prevents an attacker from crafting a malicious URL in the query parameter that would redirect users to an external attacker-controlled domain.

tssecurity:S3649 - Change this code to not construct SQL queries directly from user-controlled data. • BLOCKER
Location: routes/search.ts:23
Why is this an issue?
Database injections (such as SQL injections) occur in an application when the application retrieves data from a user or a third-party service and inserts it into a database query without sanitizing it first.
What changed
This hunk fixes the SQL injection vulnerability in routes/search.ts by replacing direct string interpolation of user-controlled data (`criteria`) into the SQL query with a parameterized query using bind variables. The original code used template literals (`'%${criteria}%'`) to embed the `criteria` value directly into the SQL string, allowing an attacker to manipulate the query logic. The fix uses a named bind parameter (`$criteria`) in the query string and passes the actual value through Sequelize's `bind` option (`{ bind: { criteria: '%' + criteria + '%' } }`), which ensures the user input is treated as a literal value rather than executable SQL, preventing SQL injection attacks.

tssecurity:S5334 - Change this code to not dynamically execute code influenced by user-controlled data. • BLOCKER
Location: routes/b2bOrder.ts:22
Why is this an issue?
Code injections occur when applications allow the dynamic execution of code instructions from untrusted data.
An attacker can influence the behavior of the targeted application and modify it to get access to sensitive data.
What changed
Removes the import of the 'vm' module, which was used to dynamically execute code via vm.runInContext(). This import is no longer needed because the fix replaces the dynamic code execution with safe JSON.parse(), eliminating the code injection vulnerability where user-controlled data (orderLinesData) was being passed into dynamically executed code.
SonarQube Remediation Agent uses AI. Check for mistakes.
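The two S5147 fixes above both rely on `.toString()`. The following TypeScript is an added example, not code from this PR or from the project, showing what that coercion actually does to the inputs an attacker sends (an operator object, an array) against the raw "before" filter, plus a stricter alternative that rejects non-strings outright. The id value and the `requireString` helper are assumptions for the example; the filter shape mirrors the `_id` filter the order history route builds.

```typescript
// Added example (not the PR's or the project's code): what the PR's .toString()
// fix does to NoSQL operator objects, and a stricter alternative.

// The filter shape the order history route builds for ordersCollection.update.
type IdFilter = { _id: unknown };

// Constructed inputs: what a body/query parser can hand the route. A plain id
// (made up) and the operator object an attacker sends, e.g. through a JSON body
// or an extended query-string parser turning `id[$ne]=` into { $ne: "" }.
export const benignId: unknown = "5c9d4e7e2f4b3a0012a4c0e1";
export const attackId: unknown = { $ne: "" };

// Before the fix: the raw value goes straight into the filter, so an operator
// object becomes part of the query and { _id: { $ne: "" } } matches every order.
export function vulnerableIdFilter(raw: unknown): IdFilter {
  return { _id: raw };
}

// The PR's approach: coerce with .toString(). A plain object stringifies to
// "[object Object]" and an array joins its elements with commas, so operator
// objects are neutralised into harmless strings that match no document.
export function coerceToString(raw: unknown): string {
  if (raw === null || raw === undefined) return "";
  return (raw as { toString(): string }).toString();
}

export function fixedIdFilter(raw: unknown): IdFilter {
  return { _id: coerceToString(raw) };
}

// Stricter alternative (assumed here, not what the PR does): accept only a
// primitive string and fail the request on anything else, so an injection
// attempt shows up as a 4xx in the logs instead of silently matching nothing.
export function requireString(raw: unknown, field: string): string {
  if (typeof raw !== "string") {
    throw new TypeError(`${field} must be a string, got ${typeof raw}`);
  }
  return raw;
}

// True when the filter value is an operator object (an object with a $-prefixed key).
export function containsOperator(filter: IdFilter): boolean {
  const v = filter._id;
  return (
    typeof v === "object" &&
    v !== null &&
    !Array.isArray(v) &&
    Object.keys(v).some((k) => k.charAt(0) === "$")
  );
}
```

Note that the coercion is a neutralisation, not a validation: `{ $ne: "" }` silently becomes the string `"[object Object]"` and the request proceeds with a filter that matches nothing, so the attempt leaves no trace unless something downstream logs the odd id. For route parameters, which Express always delivers as strings, the stricter `requireString` check is essentially free.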
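The S5146 fix routes `toUrl` through `sanitizeRedirectUrl`, whose body the PR does not show. The following TypeScript is an added example of how such a sanitizer can be built, not the project's own implementation: it resolves the candidate with the WHATWG URL parser against the application's origin and lets through only same-origin paths or exact allowlisted external URLs. The origin `https://app.example.test`, the allowlist entry and the probe inputs are assumptions for the example.

```typescript
// Added example, not the project's own sanitizeRedirectUrl. Assumed origin and
// allowlist; everything else falls back to "/".
const APP_ORIGIN = "https://app.example.test"; // assumed application origin
const ALLOWED_EXTERNAL: string[] = [
  "https://partner.example.test/checkout", // assumed allowlisted partner URL
];

// Resolve relative to the app origin; null instead of an exception on garbage.
function parseAgainstApp(candidate: string): URL | null {
  try {
    return new URL(candidate, APP_ORIGIN);
  } catch {
    return null;
  }
}

export function sanitizeRedirectUrl(candidate: string, fallback = "/"): string {
  const target = parseAgainstApp(candidate);
  if (target === null) return fallback;
  // javascript:, data: and similar schemes never reach res.redirect().
  if (target.protocol !== "https:" && target.protocol !== "http:") return fallback;
  // Same origin: hand back a path. This also strips a "user@" prefix and
  // normalises spellings such as "/\evil.example", which the parser resolves
  // to a different host and which therefore fail the origin check.
  if (target.origin === APP_ORIGIN) {
    return target.pathname + target.search + target.hash;
  }
  // Exact-match allowlist for the few external targets the app needs.
  if (ALLOWED_EXTERNAL.indexOf(target.href) !== -1) return target.href;
  return fallback;
}

// Constructed attacker inputs mapped to what the sanitizer returns for each.
export function probe(): { [candidate: string]: string } {
  const attempts = [
    "/profile",
    "//evil.example/phish",
    "/\\evil.example",
    "https://app.example.test@evil.example/",
    "https://app.example.test.evil.example/",
    "javascript:alert(1)",
    "https://partner.example.test/checkout",
  ];
  const result: { [candidate: string]: string } = {};
  for (const a of attempts) result[a] = sanitizeRedirectUrl(a);
  return result;
}
```

The point of resolving with the URL parser instead of prefix-matching the raw string is that the browser will do the same resolution: `//evil.example`, `/\evil.example` and `https://app.example.test@evil.example/` all look like "our" URLs to a naive `startsWith("/")` or `includes(APP_HOST)` check, and all three land on `evil.example`.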
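The S5334 fix swaps `vm.runInContext()` for `JSON.parse()`. That removes code execution, but `JSON.parse` returns `any` and accepts any JSON shape, so the parsed `orderLinesData` still needs explicit validation before it drives an order. The following TypeScript is an added example of that second step, not code from the PR or the project; the `OrderLine` shape and the quantity limit are assumptions.

```typescript
// Added example (not the PR's code): JSON.parse() plus shape validation for the
// order lines that used to be evaluated with vm.runInContext().
export interface OrderLine {
  productId: number;
  quantity: number;
}

const MAX_QUANTITY = 1000; // assumed business limit for a single line

// Data only: a JS expression such as "(function(){...})()" is a SyntaxError
// here, whereas vm.runInContext() would have executed it.
function parseJsonOrThrow(raw: string): unknown {
  try {
    return JSON.parse(raw);
  } catch {
    throw new Error("orderLinesData is not valid JSON");
  }
}

function isPositiveInt(v: unknown, max: number): v is number {
  return typeof v === "number" && v % 1 === 0 && v > 0 && v <= max;
}

export function parseOrderLines(raw: string): OrderLine[] {
  const data = parseJsonOrThrow(raw);
  if (!Array.isArray(data)) throw new Error("orderLinesData must be a JSON array");

  return data.map((line: unknown, i: number): OrderLine => {
    if (typeof line !== "object" || line === null || Array.isArray(line)) {
      throw new Error(`order line ${i}: expected an object`);
    }
    const { productId, quantity } = line as { [key: string]: unknown };
    if (!isPositiveInt(productId, 9007199254740991)) {
      throw new Error(`order line ${i}: productId must be a positive integer`);
    }
    if (!isPositiveInt(quantity, MAX_QUANTITY)) {
      throw new Error(`order line ${i}: quantity must be 1..${MAX_QUANTITY}`);
    }
    // Copy into a fresh object so extra keys from the payload (including an
    // own "__proto__" key, which JSON.parse happily creates) are dropped.
    return { productId, quantity };
  });
}

// Verdict form for callers that want a boolean rather than an exception.
export function orderLinesAccepted(raw: string): boolean {
  try {
    parseOrderLines(raw);
    return true;
  } catch {
    return false;
  }
}
```

Without the shape check, a payload like `[{"productId":1,"quantity":"1"}]` or `{"productId":1}` parses fine and only fails, if at all, somewhere deeper in order processing; validating at the boundary keeps the failure mode a clean 400 rather than an unhandled exception or a malformed order.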