Skip to content

Commit

Permalink
test
Browse files Browse the repository at this point in the history
  • Loading branch information
@Perdiga
Perdiga committed Oct 17, 2024
1 parent 071b5a1 commit 3094874
Show file tree
Hide file tree
Showing 4 changed files with 66 additions and 2 deletions.
42 changes: 42 additions & 0 deletions node-sample copy/index.js
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
const express = require('express');
const mysql = require('mysql');

const app = express();
const port = 3000;

// Create a connection to the database
const connection = mysql.createConnection({
host: 'localhost',
user: 'root',

Check failure

Code scanning / CodeQL

Hard-coded credentials Critical

The hard-coded value "root" is used as
user name
Loading
.
password: 'password',
database: 'testdb'
});

// Connect to the database
connection.connect((err) => {
if (err) {
console.error('Error connecting to the database:', err);
return;
}
console.log('Connected to the database');
});

// Route with a vulnerable SQL query (SQL Injection)
app.get('/user/:id', (req, res) => {
const userId = req.params.id;

// Vulnerable SQL query: no input sanitization
const query = `SELECT * FROM users WHERE id = ${userId}`;

connection.query(query, (err, result) => {

Check failure

Code scanning / CodeQL

Database query built from user-controlled sources High

This query string depends on a
user-provided value
Loading
.
if (err) {
res.status(500).send('Database query error');
return;
}
res.json(result);
});
});

Check failure

Code scanning / CodeQL

Missing rate limiting High

This route handler performs
a database access
Loading
, but is not rate-limited.

app.listen(port, () => {
console.log(`Server running on http://localhost:${port}`);
});
15 changes: 15 additions & 0 deletions node-sample copy/package.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
{
"name": "node-sql-injection-demo",
"version": "1.0.0",
"description": "A simple Node.js app with SQL injection vulnerability demonstration.",
"main": "app.js",
"scripts": {
"start": "node app.js"
},
"author": "Your Name",
"license": "ISC",
"dependencies": {
"express": "^4.18.2",
"mysql": "^2.18.1"
}
}
7 changes: 7 additions & 0 deletions node-sample copy/run.sh
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
#!/bin/bash

../scripts/run-codeql.sh default --path=$(pwd) --override --language=javascript

#../scripts/run-codeql.sh security-and-quality --path=$(pwd) --override --language=javascript

#../scripts/run-codeql.sh "security-extended" --path=$(pwd) --override --language=javascript
4 changes: 2 additions & 2 deletions node-sample/run.sh
View file
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
#!/bin/bash

#../scripts/run-codeql.sh default --path=$(pwd) --override --language=javascript
../scripts/run-codeql.sh default --path=$(pwd) --override --language=javascript

#../scripts/run-codeql.sh security-and-quality --path=$(pwd) --override --language=javascript

../scripts/run-codeql.sh "security-extended" --path=$(pwd) --override --language=javascript
#../scripts/run-codeql.sh "security-extended" --path=$(pwd) --override --language=javascript

0 comments on commit 3094874

Please sign in to comment.