Database queries should not be vulnerable to injection attacks

nathaniel.sposit · March 9, 2022, 3:37pm

Version: 9.3.0.51899 (Developer Edition)
Vulnerability: jssecurity:S3649

Scan does not catch instances of SQL injection vulnerabilities.

async function updateFilter(req) {
    try {
        let { id, name, label, filter } = req.body;
        const q = `UPDATE filters SET name = '${name}', label = '${label}', filter = '${filter}', WHERE id = '${id}';`;
        const pgr = await pool.query(q);
        pool.end();
        return pgr.rows;
    } catch (e) {
        ...
    }
}

Hendrik_Buchwald · September 27, 2022, 7:42am

Hello and sorry for the very late reply! The thread was lost in the shuffle. In case that you still see this reply, we would need some additional code to see why no issue is detected here. Since it is JavaScript, the variables are not typed here, so our analyzer has to analyze all the code around it, to detect what req contains or what pool contains. If this fails, it can not raise an issue.

Is it possible to share more code of the project? Thanks!