Harden product review routes against NoSQL injection #37
Open
sonarqube-agent[bot] wants to merge 1 commit into
Fixed issues:
- AZWU-tsyYJSZqVQVbSlp for tssecurity:S5147 rule
- AZWU-tuBYJSZqVQVbSlx for tssecurity:S5147 rule

Generated by SonarQube Agent (task: 0709d5c6-bb03-4b64-b3ee-f91c2cef7d79)
Validate and normalize user-controlled review data before it reaches MongoDB queries in the create and update product review routes. This blocks attacker-supplied objects or arrays from being interpreted as query operators, reducing the risk of NoSQL injection.
Fixed Issues
tssecurity:S5147 - Change this code to not construct database queries directly from user-controlled data. • BLOCKER
Location: routes/createProductReviews.ts:19
Why is this an issue?
NoSQL injections occur when an application retrieves untrusted data and inserts it into a database query without sanitizing it first.
What changed
This hunk adds the Express next callback so the handler can stop processing and report an error when suspicious input is detected. By itself it does not sanitize the database values, but it enables the later validation logic that blocks non-string user-controlled data before it reaches the insert query, which supports the fix for the reported NoSQL injection risk.
tssecurity:S5147 - Change this code to not construct database queries directly from user-controlled data. • BLOCKER
Location: routes/updateProductReviews.ts:17
Why is this an issue?
NoSQL injections occur when an application retrieves untrusted data and inserts it into a database query without sanitizing it first.
What changed
This hunk helps fix the NoSQL injection warning by normalizing the request body value to a string before it is used in the MongoDB update query. The reported problem is that `req.body.id` is user-controlled and could be an object or array containing MongoDB operators. Converting it with `toString()` and rejecting non-string results reduces the chance of attacker-controlled structured data being inserted into the query. This hunk is the validation/setup part of the fix that the next hunk then uses at the query site.
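The validation described for both routes (create and update), written out as an added example that is not code from this PR or from the project it patches. The body field names `id` and `message` and the session-supplied author are assumptions; the example checks the type before any coercion, because coercing an object with `String()` produces the string `"[object Object]"` rather than rejecting it.

```typescript
// Added example, not code from this PR or from the project it patches.
// Assumed request shape: the create route reads body.message, the update
// route reads body.id and body.message (names assumed, not taken from the PR).

type ReviewBody = { id?: unknown; message?: unknown };

// Accept only primitive strings. The type check must run BEFORE any
// coercion: String({ $ne: null }) is "[object Object]", a value that would
// pass a post-conversion typeof check and hide that an object arrived.
function requireString(value: unknown, field: string, maxLen = 500): string {
  if (typeof value !== 'string') {
    throw new Error(`${field} must be a string`);
  }
  const trimmed = value.trim();
  if (trimmed.length === 0 || trimmed.length > maxLen) {
    throw new Error(`${field} must be 1-${maxLen} characters`);
  }
  return trimmed;
}

// What naive coercion does with a structured value: it does not reject it,
// it just flattens it, so coercion alone is not a validation step.
function naiveCoerce(value: unknown): string {
  return String(value);
}

// Update route: the filter is built from validated input only. Without the
// check, a body of { id: { $ne: null } } would become the filter
// { _id: { $ne: null } }, which matches every review document.
function buildUpdateFilter(body: ReviewBody): { _id: string } {
  return { _id: requireString(body.id, 'id') };
}

// Create route: author comes from the authenticated session, never the body.
function buildReviewDocument(body: ReviewBody, sessionEmail: string) {
  return { message: requireString(body.message, 'message'), author: sessionEmail };
}

// Express-style handler shape without importing express: on bad input, hand
// the error to next() and never reach the query. Returns the filter on success.
function handleUpdate(body: ReviewBody, next: (err?: Error) => void): { _id: string } | undefined {
  try {
    return buildUpdateFilter(body);
  } catch (err) {
    next(err as Error);
    return undefined;
  }
}
```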