Skip to content

Harden product review routes against NoSQL injection#37

Open
sonarqube-agent[bot] wants to merge 1 commit into
masterfrom
remediate-master-20260622-010131-90dbfbf0
Open

Harden product review routes against NoSQL injection#37
sonarqube-agent[bot] wants to merge 1 commit into
masterfrom
remediate-master-20260622-010131-90dbfbf0

Conversation

@sonarqube-agent

Copy link
Copy Markdown

This PR was automatically created by the Remediation Agent's Scheduled backlog remediation feature.

Why these issues? These findings are both BLOCKER-level NoSQL injection issues in closely related routes, so they can be addressed with the same validation pattern in one coherent change. Fixing them together improves security coverage efficiently and reduces the chance of inconsistent handling between create and update paths.

Validate and normalize user-controlled review data before it reaches MongoDB queries in the create and update product review routes. This blocks attacker-supplied objects or arrays from being interpreted as query operators, reducing the risk of NoSQL injection.

View Project in SonarCloud


Fixed Issues

tssecurity:S5147 - Change this code to not construct database queries directly from user-controlled data. • BLOCKERView issue

Location: routes/createProductReviews.ts:19

Why is this an issue?

NoSQL injections occur when an application retrieves untrusted data and inserts it into a database query without sanitizing it first.

What changed

This hunk adds the Express next callback so the handler can stop processing and report an error when suspicious input is detected. By itself it does not sanitize the database values, but it enables the later validation logic that blocks non-string user-controlled data before it reaches the insert query, which supports the fix for the reported NoSQL injection risk.

--- a/routes/createProductReviews.ts
+++ b/routes/createProductReviews.ts
@@ -16,1 +16,1 @@ module.exports = function productReviews () {
-  return (req: Request, res: Response) => {
+  return (req: Request, res: Response, next: (err?: Error) => void) => {
tssecurity:S5147 - Change this code to not construct database queries directly from user-controlled data. • BLOCKERView issue

Location: routes/updateProductReviews.ts:17

Why is this an issue?

NoSQL injections occur when an application retrieves untrusted data and inserts it into a database query without sanitizing it first.

What changed

This hunk helps fix the NoSQL injection warning by normalizing the request body value to a string before it is used in the MongoDB update query. The reported problem is that req.body.id is user-controlled and could be an object or array containing MongoDB operators. Converting it with toString() and rejecting non-string results reduces the chance of attacker-controlled structured data being inserted into the query. This hunk is the validation/setup part of the fix that the next hunk then uses at the query site.

--- a/routes/updateProductReviews.ts
+++ b/routes/updateProductReviews.ts
@@ -16,0 +17,5 @@ module.exports = function productReviews () {
+    const id = req.body?.id?.toString()
+    if (typeof id !== 'string') {
+      next(new Error('Blocked illegal activity by ' + req.socket.remoteAddress))
+      return
+    }

Have a suggestion or found an issue? Share your feedback here.


SonarQube Remediation Agent uses AI. Check for mistakes.

Fixed issues:
- AZWU-tsyYJSZqVQVbSlp for tssecurity:S5147 rule
- AZWU-tuBYJSZqVQVbSlx for tssecurity:S5147 rule

Generated by SonarQube Agent (task: 0709d5c6-bb03-4b64-b3ee-f91c2cef7d79)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant