From 47e3805ecd30842417ffd099b957609223523aad Mon Sep 17 00:00:00 2001
From: jeff-cycode <163135025+jeff-cycode@users.noreply.github.com>
Date: Tue, 18 Mar 2025 14:36:03 -0400
Subject: [PATCH 1/5] Create sast.ts
---
sast.ts | 191 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 191 insertions(+)
create mode 100644 sast.ts
diff --git a/sast.ts b/sast.ts
new file mode 100644
index 0000000..b1b65fc
--- /dev/null
+++ b/sast.ts
@@ -0,0 +1,191 @@
+/*
+ * Copyright (c) 2014-2023 Bjoern Kimminich & the OWASP Juice Shop contributors.
+ * SPDX-License-Identifier: MIT
+ */
+
+import models = require('../models/index')
+import { type Request, type Response, type NextFunction } from 'express'
+import { UserModel } from '../models/user'
+
+import * as utils from '../lib/utils'
+const challengeUtils = require('../lib/challengeUtils')
+const challenges = require('../data/datacache').challenges
+
+class ErrorWithParent extends Error {
+ parent: Error | undefined
+}
+
+// vuln-code-snippet start unionSqlInjectionChallenge dbSchemaChallenge
+module.exports = function searchProducts () {
+ return (req: Request, res: Response, next: NextFunction) => {
+ let criteria: any = req.query.q === 'undefined' ? '' : req.query.q ?? ''
+ criteria = (criteria.length <= 200) ? criteria : criteria.substring(0, 200)
+ models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`) // vuln-code-snippet vuln-line unionSqlInjectionChallenge dbSchemaChallenge
+ .then(([products]: any) => {
+ const dataString = JSON.stringify(products)
+ if (challengeUtils.notSolved(challenges.unionSqlInjectionChallenge)) { // vuln-code-snippet hide-start
+ let solved = true
+ UserModel.findAll().then(data => {
+ const users = utils.queryResultToJson(data)
+ if (users.data?.length) {
+ for (let i = 0; i < users.data.length; i++) {
+ solved = solved && utils.containsOrEscaped(dataString, users.data[i].email) && utils.contains(dataString, users.data[i].password)
+ if (!solved) {
+ break
+ }
+ }
+ if (solved) {
+ challengeUtils.solve(challenges.unionSqlInjectionChallenge)
+ }
+ }
+ }).catch((error: Error) => {
+ next(error)
+ })
+ }
+ if (challengeUtils.notSolved(challenges.dbSchemaChallenge)) {
+ let solved = true
+ models.sequelize.query('SELECT sql FROM sqlite_master').then(([data]: any) => {
+ const tableDefinitions = utils.queryResultToJson(data)
+ if (tableDefinitions.data?.length) {
+ for (let i = 0; i < tableDefinitions.data.length; i++) {
+ if (tableDefinitions.data[i].sql) {
+ solved = solved && utils.containsOrEscaped(dataString, tableDefinitions.data[i].sql)
+ if (!solved) {
+ break
+ }
+ }
+ }
+ if (solved) {
+ challengeUtils.solve(challenges.dbSchemaChallenge)
+ }
+ }
+ })
+ } // vuln-code-snippet hide-end
+ for (let i = 0; i < products.length; i++) {
+ products[i].name = req.__(products[i].name)
+ products[i].description = req.__(products[i].description)
+ }
+ res.json(utils.queryResultToJson(products))
+ }).catch((error: ErrorWithParent) => {
+ next(error.parent)
+ })
+ }
+}
+
+
+// vuln-code-snippet start unionSqlInjectionChallenge dbSchemaChallenge
+module.exports = function searchProducts () {
+ return (req: Request, res: Response, next: NextFunction) => {
+ let criteria: any = req.query.q === 'undefined' ? '' : req.query.q ?? ''
+ criteria = (criteria.length <= 200) ? criteria : criteria.substring(0, 200)
+ models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`) // vuln-code-snippet vuln-line unionSqlInjectionChallenge dbSchemaChallenge
+ .then(([products]: any) => {
+ const dataString = JSON.stringify(products)
+ if (challengeUtils.notSolved(challenges.unionSqlInjectionChallenge)) { // vuln-code-snippet hide-start
+ let solved = true
+ UserModel.findAll().then(data => {
+ const users = utils.queryResultToJson(data)
+ if (users.data?.length) {
+ for (let i = 0; i < users.data.length; i++) {
+ solved = solved && utils.containsOrEscaped(dataString, users.data[i].email) && utils.contains(dataString, users.data[i].password)
+ if (!solved) {
+ break
+ }
+ }
+ if (solved) {
+ challengeUtils.solve(challenges.unionSqlInjectionChallenge)
+ }
+ }
+ }).catch((error: Error) => {
+ next(error)
+ })
+ }
+ if (challengeUtils.notSolved(challenges.dbSchemaChallenge)) {
+ let solved = true
+ models.sequelize.query('SELECT sql FROM sqlite_master').then(([data]: any) => {
+ const tableDefinitions = utils.queryResultToJson(data)
+ if (tableDefinitions.data?.length) {
+ for (let i = 0; i < tableDefinitions.data.length; i++) {
+ if (tableDefinitions.data[i].sql) {
+ solved = solved && utils.containsOrEscaped(dataString, tableDefinitions.data[i].sql)
+ if (!solved) {
+ break
+ }
+ }
+ }
+ if (solved) {
+ challengeUtils.solve(challenges.dbSchemaChallenge)
+ }
+ }
+ })
+ } // vuln-code-snippet hide-end
+ for (let i = 0; i < products.length; i++) {
+ products[i].name = req.__(products[i].name)
+ products[i].description = req.__(products[i].description)
+ }
+ res.json(utils.queryResultToJson(products))
+ }).catch((error: ErrorWithParent) => {
+ next(error.parent)
+ })
+ }
+}
+
+
+// vuln-code-snippet start unionSqlInjectionChallenge dbSchemaChallenge
+module.exports = function searchProducts () {
+ return (req: Request, res: Response, next: NextFunction) => {
+ let criteria: any = req.query.q === 'undefined' ? '' : req.query.q ?? ''
+ criteria = (criteria.length <= 200) ? criteria : criteria.substring(0, 200)
+ const query = `SELECT * FROM Products WHERE ((name LIKE :criteria OR description LIKE :criteria) AND deletedAt IS NULL) ORDER BY name`;
+ const options = { replacements: { criteria: `%${criteria}%` }, type: QueryTypes.SELECT };
+ models.sequelize.query(query, options)
+ .then(([products]: any) => {
+ const dataString = JSON.stringify(products)
+ if (challengeUtils.notSolved(challenges.unionSqlInjectionChallenge)) { // vuln-code-snippet hide-start
+ let solved = true
+ UserModel.findAll().then(data => {
+ const users = utils.queryResultToJson(data)
+ if (users.data?.length) {
+ for (let i = 0; i < users.data.length; i++) {
+ solved = solved && utils.containsOrEscaped(dataString, users.data[i].email) && utils.contains(dataString, users.data[i].password)
+ if (!solved) {
+ break
+ }
+ }
+ if (solved) {
+ challengeUtils.solve(challenges.unionSqlInjectionChallenge)
+ }
+ }
+ }).catch((error: Error) => {
+ next(error)
+ })
+ }
+ if (challengeUtils.notSolved(challenges.dbSchemaChallenge)) {
+ let solved = true
+ models.sequelize.query('SELECT sql FROM sqlite_master').then(([data]: any) => {
+ const tableDefinitions = utils.queryResultToJson(data)
+ if (tableDefinitions.data?.length) {
+ for (let i = 0; i < tableDefinitions.data.length; i++) {
+ if (tableDefinitions.data[i].sql) {
+ solved = solved && utils.containsOrEscaped(dataString, tableDefinitions.data[i].sql)
+ if (!solved) {
+ break
+ }
+ }
+ }
+ if (solved) {
+ challengeUtils.solve(challenges.dbSchemaChallenge)
+ }
+ }
+ })
+ } // vuln-code-snippet hide-end
+ for (let i = 0; i < products.length; i++) {
+ products[i].name = req.__(products[i].name)
+ products[i].description = req.__(products[i].description)
+ }
+ res.json(utils.queryResultToJson(products))
+ }).catch((error: ErrorWithParent) => {
+ next(error.parent)
+ })
+ }
+}
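Review bot: The third `searchProducts` definition — the one that is actually exported, since `module.exports` is assigned three times and only the last assignment survives — references `QueryTypes`, which nothing in the file imports (the top of the file brings in only `models`, the express types, `UserModel`, `utils`, `challengeUtils` and `challenges`). It also passes `type: QueryTypes.SELECT`, and as far as I recall Sequelize's `query` contract, with a query type set the promise resolves to the row array rather than the `[rows, metadata]` pair, so `.then(([products]: any) =>` binds only the first row and the translation loop over `products.length` and the `res.json` payload no longer see the result set. Either add `import { QueryTypes } from 'sequelize'` and take the rows directly with `.then((products: any) => {`, or drop the `type` option and keep the tuple destructuring. The two earlier copies keep the interpolated `LIKE '%${criteria}%'` that the vuln-code-snippet markers flag as intentional, but because they are overwritten by the later assignments they are dead code rather than the live handler; if the duplication is deliberate seed material for scanner testing, a one-line comment above the first copy saying so (`// NOTE: duplicated on purpose; only the last module.exports is live`) would save the next reader from hunting for the real export.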
From 52206845f263653528592f736d1a72e7ce78813f Mon Sep 17 00:00:00 2001
From: jeff-cycode <163135025+jeff-cycode@users.noreply.github.com>
Date: Tue, 18 Mar 2025 14:37:04 -0400
Subject: [PATCH 2/5] Create secret.py
---
secret.py | 1 +
1 file changed, 1 insertion(+)
create mode 100644 secret.py
diff --git a/secret.py b/secret.py
new file mode 100644
index 0000000..061f6cb
--- /dev/null
+++ b/secret.py
@@ -0,0 +1 @@
+password = 'fjdkf7GG@9ikDF5!nZzDz'
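Review bot: `password` is a hardcoded credential literal in source, and once this file is committed the value lives in git history, so it has to be treated as exposed and rotated regardless of what later happens to this line. Read it from the environment or a secrets manager instead, e.g. `import os` followed by `password = os.environ['APP_PASSWORD']`, and keep the real value out of the repository. If this file is intentional seed data for exercising a secret scanner, say so in a comment (`# intentionally fake credential for scanner testing`) so a reader does not assume it is a live password.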
From b0ab4818518c6882ea08bc932c55441329664191 Mon Sep 17 00:00:00 2001
From: jeff-cycode <163135025+jeff-cycode@users.noreply.github.com>
Date: Tue, 18 Mar 2025 14:37:43 -0400
Subject: [PATCH 3/5] Update pom.xml
---
java-app/pom.xml | 2 --
1 file changed, 2 deletions(-)
diff --git a/java-app/pom.xml b/java-app/pom.xml
index d9eb4e5..876772a 100644
--- a/java-app/pom.xml
+++ b/java-app/pom.xml
@@ -85,13 +85,11 @@
arquillian-container-impl-base
1.7.0.Alpha12
-
org.jboss.shrinkwrap
shrinkwrap-impl-base
From e2ec5b7ac12d83b3fb855384a33aaf944e74e122 Mon Sep 17 00:00:00 2001
From: "cycode-security[bot]"
<54410473+cycode-security[bot]@users.noreply.github.com>
Date: Wed, 19 Mar 2025 14:52:18 +0000
Subject: [PATCH 4/5] [Cycode] Fix for SAST detections - Unsanitized input in
SQL query
---
sast.ts | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/sast.ts b/sast.ts
index b1b65fc..fc5e33d 100644
--- a/sast.ts
+++ b/sast.ts
@@ -78,7 +78,9 @@ module.exports = function searchProducts () {
return (req: Request, res: Response, next: NextFunction) => {
let criteria: any = req.query.q === 'undefined' ? '' : req.query.q ?? ''
criteria = (criteria.length <= 200) ? criteria : criteria.substring(0, 200)
- models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`) // vuln-code-snippet vuln-line unionSqlInjectionChallenge dbSchemaChallenge
+ models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE :criteria OR description LIKE :criteria) AND deletedAt IS NULL) ORDER BY name`,
+ { replacements: { criteria: '%' + criteria + '%' }, type: models.sequelize.QueryTypes.SELECT } // use parameterized query
+ )
.then(([products]: any) => {
const dataString = JSON.stringify(products)
if (challengeUtils.notSolved(challenges.unionSqlInjectionChallenge)) { // vuln-code-snippet hide-start
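Review bot: Adding `type: models.sequelize.QueryTypes.SELECT` changes the shape of the resolved value while the context line `.then(([products]: any) =>` immediately below is left as is: with a query type set, as far as I recall Sequelize's `query` contract, the promise resolves to the rows array rather than the `[rows, metadata]` pair, so `products` becomes the first row only, `products.length` is undefined, the translation loop never runs, and an empty result hands `undefined` to `utils.queryResultToJson`. Either take the rows directly, `.then((products: any) => {`, or drop the `type` option and keep the destructuring. The `replacements` form does close the injection for this copy; `%` and `_` in `criteria` still act as LIKE wildcards, but the original had that too and it is not an injection. I am assuming `models.sequelize` exposes `QueryTypes` on the instance (true for recent Sequelize, but worth confirming against the pinned version), and note that the same interpolated query appears in another `searchProducts` definition earlier in this file, outside this hunk, which the patch does not touch; the enclosing function starts before and ends after the hunk.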
From d38f957332f4cddad82712cb17e06fdfeb9a176b Mon Sep 17 00:00:00 2001
From: scott-es
Date: Wed, 19 Mar 2025 10:55:51 -0400
Subject: [PATCH 5/5] updating version of databind
---
java-app/pom.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/java-app/pom.xml b/java-app/pom.xml
index 876772a..4987e81 100644
--- a/java-app/pom.xml
+++ b/java-app/pom.xml
@@ -88,7 +88,7 @@
com.fasterxml.jackson.core
jackson-databind
- 2.9.10.3
+ 2.9.10.4
org.jboss.shrinkwrap