Part3 updates Don't touch me!!!! #42
base: main
Conversation
… Implemented LookupHashes instead of raw account numbers for transaction field.
Both frontend and backend will not run until .env values are inserted
…out to Transactions. New method transactReceipt in transaction route to duplicate lookups across transactions when paying again. Fixed checkEnvVariables
…de text entry has a chance to be valid. Added sessions to app.js. Updated seedEmployees process. Improved ratelimiter middleware. Added sanitization to transaction routes. Fixed hashHelper use in user route
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

const employee = await User.findOne({
    username: username,
    role: "employee"
});
Check failure
Code scanning / CodeQL
Database query built from user-controlled sources High
user-provided value
Copilot Autofix AI 2 months ago
To fix the problem, we need to ensure that the user input is properly sanitized or validated before being used in the MongoDB query. One effective way to do this is by using the $eq operator to ensure that the user input is interpreted as a literal value and not as a query object. This approach prevents NoSQL injection attacks by treating the user input as a simple value rather than a potentially malicious query.
In the file server/routes/employee.js, we will modify the query on line 16 to use the $eq operator for the username field. This change ensures that the username is treated as a literal value.
@@ -16,3 +16,3 @@ | ||
const employee = await User.findOne({ | ||
username: username, | ||
username: { $eq: username }, | ||
role: "employee" |
}); | ||
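Review bot: `{ $eq: username }` only stops an operator object such as `{"$ne": ""}` from being interpreted as a query; it does not stop a non-string from reaching the query at all. Since `username` comes straight from `req.body`, add a type and length check before this `findOne` (reject anything where `typeof username !== "string"` or the length is outside what a username can be) so the `$eq` is a second line of defence rather than the only one. The same check belongs in front of the `password` that is read from `req.body` alongside it.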

// Finding and updating transaction
await Transaction.findById(transactionID).then(
Check failure
Code scanning / CodeQL
Database query built from user-controlled sources High
user-provided value
Copilot Autofix AI 2 months ago
To fix the problem, we need to ensure that the user-provided transactionID is treated as a literal value and not as a query object. This can be achieved by using the $eq operator in the MongoDB query. This will ensure that the transactionID is interpreted as a literal value, preventing any potential NoSQL injection attacks.
@@ -144,3 +144,3 @@ | ||
// Finding and updating transaction | ||
await Transaction.findById(transactionID).then( | ||
await Transaction.findOne({ _id: { $eq: transactionID } }).then( | ||
(transaction) => { |
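Review bot: the replacement `findOne({ _id: { $eq: transactionID } })` is the right shape, but two things need attention on this line. First, Mongoose casts the `$eq` argument to the schema's ObjectId type, so a `transactionID` that is not a valid 24-hex-character id rejects the promise with a CastError instead of resolving to `null`; the route needs either a `mongoose.isValidObjectId(transactionID)` guard before the query or a catch that maps the error to a 400. Second, `await Transaction.findOne(...).then(` mixes `await` with a `.then` chain; prefer `const transaction = await Transaction.findOne(...)` and handle the null case inline, which also makes the later "updating" step easier to read.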
const transaction = Transaction.findById(transactionID)
    .then(transaction => {
// Finding and updating transaction
await Transaction.findById(transactionID).then(
Check failure
Code scanning / CodeQL
Database query built from user-controlled sources High
user-provided value
Copilot Autofix AI 2 months ago
To fix this problem, we need to ensure that the user-provided transactionID is treated as a literal value and not as a query object. This can be achieved by using the $eq operator in the MongoDB query. This will ensure that the transactionID is interpreted as a literal value, thus preventing any potential NoSQL injection attacks.
@@ -144,3 +144,3 @@ | ||
// Finding and updating transaction | ||
await Transaction.findById(transactionID).then( | ||
await Transaction.findById({ _id: { $eq: transactionID } }).then( | ||
(transaction) => { | ||
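Review bot: `Transaction.findById({ _id: { $eq: transactionID } })` is not equivalent to the `findOne` form suggested for this same line above. Mongoose documents `findById(id)` as `findOne({ _id: id })`, so the filter object passed here is nested again as the `_id` value, giving an effective filter of `{ _id: { _id: { $eq: transactionID } } }`, which will not match a document and will fail ObjectId casting. Either use `findOne({ _id: { $eq: transactionID } })` directly, or keep `findById(transactionID)` and validate `transactionID` with `mongoose.isValidObjectId` before the query.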
@@ -171,3 +171,3 @@ | ||
// Finding and updating transaction | ||
await Transaction.findById(transactionID).then( | ||
await Transaction.findById({ _id: { $eq: transactionID } }).then( | ||
(transaction) => { |
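Review bot: this hunk has the same `findById({ _id: { $eq: ... } })` problem as the `@@ -144` hunk: `findById(id)` wraps its argument as `{ _id: id }`, so a filter object passed as the id ends up nested under `_id` and never matches. This block at line 171 is also a verbatim copy of the one at line 144 ("Finding and updating transaction" over the same `transactionID`); lift the lookup into one helper that validates the id and does the `findOne({ _id: { $eq: transactionID } })` so the fix only has to be right once.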
const originalTransaction = await Transaction.findOne({
    recipientAccountNumber: recipientAccountNumber,
    approvalStatus: 'completed'
});
Check failure
Code scanning / CodeQL
Database query built from user-controlled sources High
user-provided value
Copilot Autofix AI 2 months ago
To fix the problem, we need to ensure that the user-provided recipientAccountNumber is treated as a literal value in the MongoDB query. This can be achieved by using the $eq operator, which ensures that the input is interpreted as a literal value and not as a query object. This change will prevent any potential NoSQL injection attacks.
@@ -210,3 +210,3 @@ | ||
const originalTransaction = await Transaction.findOne({ | ||
recipientAccountNumber: recipientAccountNumber, | ||
recipientAccountNumber: { $eq: recipientAccountNumber }, | ||
approvalStatus: 'completed' |
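Review bot: beyond the `$eq`, the filter on this hunk looks too loose for what the surrounding code says it does. The comment above the query reads "Find recipient using the lookup hash from the original transaction" and the commit message says raw account numbers were replaced by LookupHashes, yet the query still keys on `recipientAccountNumber`, and `findOne` will return whichever completed transaction to that recipient the database yields first, with nothing in the visible filter tying it to the requesting user. Please confirm whether this should match on the lookup hash and be scoped to the current user's own transactions; as written, any caller who knows a recipient account number can pull a completed transaction for it.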
Quality Gate failed. Failed conditions: see analysis details on SonarCloud.

const { username, password } = req.body;

// Find the employee by username and role
const employee = await User.findOne({
Check failure
Code scanning / SonarCloud
NoSQL operations should not be vulnerable to injection attacks
} = req.body;

// Find recipient using the lookup hash from the original transaction
const originalTransaction = await Transaction.findOne({
Check failure
Code scanning / SonarCloud
NoSQL operations should not be vulnerable to injection attacks
No description provided.