Skip to content

Commit

Permalink
chore: resolve sql injection vulnerabilities
Browse files Browse the repository at this point in the history
  • Loading branch information
@sandeepdsvs
sandeepdsvs committed Mar 7, 2024
1 parent c106590 commit fab19d8
Show file tree
Hide file tree
Showing 4 changed files with 22 additions and 2 deletions.
9 changes: 9 additions & 0 deletions package-lock.json
View file

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 1 addition & 0 deletions package.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -108,6 +108,7 @@
"rudder-transformer-cdk": "^1.4.11",
"set-value": "^4.1.0",
"sha256": "^0.2.0",
"sqlstring": "^2.3.3",
"stacktrace-parser": "^0.1.10",
"statsd-client": "^0.4.7",
"truncate-utf8-bytes": "^1.0.2",
Expand Down
7 changes: 6 additions & 1 deletion src/v0/destinations/google_adwords_enhanced_conversions/networkHandler.js
View file
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
const { get, set } = require('lodash');
const sha256 = require('sha256');
const { NetworkError, NetworkInstrumentationError } = require('@rudderstack/integrations-lib');
const SqlString = require('sqlstring');
const { prepareProxyRequest, handleHttpRequest } = require('../../../adapters/network');
const { isHttpStatusSuccess, getAuthErrCategoryFromStCode } = require('../../util/index');
const { CONVERSION_ACTION_ID_CACHE_TTL } = require('./config');
Expand Down Expand Up @@ -29,8 +30,12 @@ const ERROR_MSG_PATH = 'response[0].error.message';
const getConversionActionId = async (method, headers, params) => {
const conversionActionIdKey = sha256(params.event + params.customerId).toString();
return conversionActionIdCache.get(conversionActionIdKey, async () => {
const queryString = SqlString.format(
'SELECT conversion_action.id FROM conversion_action WHERE conversion_action.name = ?',
[params.event],
);
const data = {
query: `SELECT conversion_action.id FROM conversion_action WHERE conversion_action.name = '${params.event}'`,
query: queryString,
};
const requestBody = {
url: `${BASE_ENDPOINT}/${params.customerId}/googleAds:searchStream`,
Expand Down
7 changes: 6 additions & 1 deletion src/v0/destinations/google_adwords_offline_conversions/utils.js
View file
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
const sha256 = require('sha256');
const SqlString = require('sqlstring');
const { get, set, cloneDeep } = require('lodash');
const {
AbortedError,
Expand Down Expand Up @@ -53,8 +54,12 @@ const validateDestinationConfig = ({ Config }) => {
const getConversionActionId = async (headers, params) => {
const conversionActionIdKey = sha256(params.event + params.customerId).toString();
return conversionActionIdCache.get(conversionActionIdKey, async () => {
const queryString = SqlString.format(
'SELECT conversion_action.id FROM conversion_action WHERE conversion_action.name = ?',
[params.event],
);
const data = {
query: `SELECT conversion_action.id FROM conversion_action WHERE conversion_action.name = '${params.event}'`,
query: queryString,
};
const endpoint = SEARCH_STREAM.replace(':customerId', params.customerId);
const requestOptions = {
Expand Down

0 comments on commit fab19d8

Please sign in to comment.