Skip to content

Demo vulnerabilities outside the diff #53

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: test/vulns-outside-30_08_24_18_44
Choose a base branch
from
Open

Demo vulnerabilities outside the diff #53

wants to merge 1 commit into from

Conversation

ferreiratiago
Copy link

No description provided.

@snyk-io-dev Snyk.io Dev
Copy link

snyk-io-dev bot commented Mar 20, 2025
edited
Loading

Snyk checks have failed. 1 issues have been found so far.

Icon Severity Issues
Critical 0
High 1
Medium 0
Low 0

security/snyk check is complete. No issues have been found. (View Details)

license/snyk check is complete. No issues have been found. (View Details)

code/snyk check is complete. 1 issues have been found. (View Details)

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

snyk-io-dev[bot]
snyk-io-dev bot reviewed Mar 20, 2025
View reviewed changes
utils.js
const sqlQuery =
"SELECT email FROM credentials WHERE " +
"email = ? AND " +
"email = '" + req.body.email + "' AND " +
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  SQL Injection

Unsanitized input from the HTTP request body flows into query, where it is used in an SQL query. This may result in an SQL Injection vulnerability.

Line 32 | CWE-89 | Priority score 755 | Learn more about this vulnerability
Data flow: 15 steps

Step 1 - 5

tiago_app.dev.snyk_github_app_nodejs-goof/utils.js

Line 32 in 2765872

"email = '" + req.body.email + "' AND " +

Step 6 - 8 utils.js#L31

Step 9 utils.js#L30

Step 10 - 11 sql_injection.js#L4

Step 12 sql_injection.js#L6

Step 13 sql_injection.js#L9

Step 14 - 15

tiago_app.dev.snyk_github_app_nodejs-goof/sql_injection.js

Line 10 in 2765872

db.query(query, args, (err, result) => {

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hello

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

World

@ferreiratiago
Copy link
Author

hello world

ferreiratiago
ferreiratiago commented Mar 28, 2025
View reviewed changes
utils.js
const sqlQuery =
"SELECT email FROM credentials WHERE " +
"email = ? AND " +
"email = '" + req.body.email + "' AND " +
"password = ?";
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why this

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why not

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@snyk-io-dev snyk-io-dev[bot] snyk-io-dev[bot] left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@ferreiratiago