add sqlstring to escape dangerous user input

hpcc-systems · Jan 25, 2024 · 05fb4c8 · 05fb4c8
1 parent 581da19
commit 05fb4c8
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 11 deletions.
diff --git a/server/package-lock.json b/server/package-lock.json
diff --git a/server/package.json b/server/package.json
@@ -44,6 +44,7 @@
     "sequelize-cli": "^6.4.1",
     "simple-git": "^3.6.0",
     "socket.io": "^4.6.1",
+    "sqlstring": "^2.3.3",
     "tmp": "^0.1.0",
     "uuid": "^3.4.0",
     "winston": "^3.7.2"

diff --git a/server/routes/orbit/read.js b/server/routes/orbit/read.js
@@ -17,6 +17,7 @@ const notificationTemplate = require("../../jobs/messageCards/notificationTempla
 const { notify } = require("../notifications/email-notification");
 const { v4: uuidv4 } = require("uuid");
 const axios = require("axios");
+const SqlString = require("sqlstring");
 
 const jobScheduler = require("../../job-scheduler");
 
@@ -250,11 +251,9 @@ router.get(
       const { application_id, keyword } = req.params;
       if (!application_id) throw Error("Invalid app ID");
 
-      if (!typeof keyword === "string") {
-        req.status(400).send("Invalid keyword");
-        return;
-      }
-      const query = `select Name from DimBuildInstance where Name like '%${keyword}%' and Name not like 'Scrub%' and EnvironmentName = 'Insurance' order by  Name asc`;
+      const query = `select Name from DimBuildInstance where Name like '%${SqlString.escape(
+        keyword
+      )}%' and Name not like 'Scrub%' and EnvironmentName = 'Insurance' order by  Name asc`;
 
       const result = await runSQLQuery(query, dbConfig);