Claude/add sql injection nodegoat xtkqn#5
Introduces a new /reports page backed by SQLite that demonstrates OWASP A1 (Injection) via classic SQL string concatenation vulnerabilities.

Vulnerable patterns added:
- searchEmployees(): WHERE name LIKE '%<input>%' - string injection
- getEmployeeById(): WHERE id = <input> - numeric/UNION injection

Attack examples documented in-code:
- ' OR '1'='1 -> dumps all employee records
- ' UNION SELECT id,username,password,salary,0 FROM users-- -> exfiltrates users table
- '; DROP TABLE employees;-- -> destructive injection

Parameterized-query fixes are shown in comments (reports-dao.js).

https://claude.ai/code/session_01ULaxwjAEDoFjb6PyjshQqn
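The two DAO methods named in the commit message, rewritten the parameterized way as an added example (this is not NodeGoat's reports-dao.js and not the commented fix in this PR). It assumes the node-sqlite3 callback API (`db.all` / `db.get` taking a params array) and injects `db` so that a recording stub can stand in for a real database; `createReportsDao`, `escapeLike` and `recordingDb` are names chosen here.

```javascript
// Added example, not NodeGoat's reports-dao.js: the two DAO methods rewritten
// with bound parameters against the node-sqlite3 callback API
// (db.all / db.get taking a params array). `db` is injected so the stub below
// can stand in for a real sqlite3.Database and record what would be sent.
"use strict";

// LIKE treats % and _ as wildcards even inside a bound parameter, so escape
// them; pairs with the ESCAPE '\' clause in the query below.
function escapeLike(value) {
  return String(value).replace(/[\\%_]/g, "\\$&");
}

function createReportsDao(db) {
  return {
    // Safe: the SQL text is constant and the search term travels as data.
    searchEmployees(name, callback) {
      const sql =
        "SELECT id, name, department, salary FROM employees " +
        "WHERE name LIKE ? ESCAPE '\\'";
      db.all(sql, [`%${escapeLike(name)}%`], callback);
    },

    // Safe: only a plain integer id is accepted, then it is bound; anything
    // else (a UNION, a quote, a semicolon) is an error before the DB is touched.
    getEmployeeById(id, callback) {
      if (!/^\d{1,18}$/.test(String(id))) {
        return callback(new Error("invalid employee id"));
      }
      const sql =
        "SELECT id, name, department, salary FROM employees WHERE id = ?";
      db.get(sql, [Number(id)], callback);
    },
  };
}

// Recording stub: captures (sql, params) instead of executing, which is how a
// unit test can assert that user input never changes the SQL text.
function recordingDb() {
  const calls = [];
  return {
    calls,
    all(sql, params, cb) { calls.push({ method: "all", sql, params }); cb(null, []); },
    get(sql, params, cb) { calls.push({ method: "get", sql, params }); cb(null, undefined); },
  };
}
```

With a real `sqlite3.Database` passed in, the same two methods run unchanged; the stub only exists so the invariant "SQL text never contains user input" can be asserted.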
…omponents

Adds intentionally outdated packages with documented CVEs to demonstrate OWASP A9 – Using Components with Known Vulnerabilities:
- lodash@4.17.4 CVE-2019-10744 prototype pollution (_.defaultsDeep/merge)
- minimist@0.0.8 CVE-2020-7598 prototype pollution via --__proto__ flag
- handlebars@4.0.11 CVE-2019-20920 prototype pollution + RCE via template eval
- serialize-javascript@2.1.1 CVE-2019-16769 XSS via unescaped </script>
- node-uuid@1.4.7 insecure PRNG; deprecated in favor of 'uuid' package

CVE details documented in package.json "comments.vulnerable-packages" block.

https://claude.ai/code/session_01ULaxwjAEDoFjb6PyjshQqn
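Added example, not lodash or NodeGoat code: the prototype-pollution pattern behind the lodash entry above (a recursive merge that walks into a key literally named `__proto__`) next to a merge helper that blocks it, plus a check a test suite can use to detect pollution. `naiveMerge`, `safeMerge`, `isPrototypePolluted` and the payload string are constructed here.

```javascript
// Added example (not lodash or NodeGoat code). Models the prototype-pollution
// pattern behind lodash CVE-2019-10744: a recursive merge that walks into a
// key literally named "__proto__" ends up writing onto Object.prototype.
"use strict";

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// The vulnerable shape (pattern to avoid): `target[key]` for key "__proto__"
// resolves to Object.prototype, and the recursion then mutates it.
function naiveMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened shape: skip keys that can reach the prototype chain, walk own keys
// only, and only recurse into a slot that is the target's own plain object.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!hasOwn(target, key) || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Detection check for a test suite or CI gate: did anything land on Object.prototype?
function isPrototypePolluted(marker) {
  return hasOwn(Object.prototype, marker);
}

// Constructed attacker-style JSON: the nested "__proto__" key is what the CVE abuses.
const POLLUTION_PAYLOAD = '{"__proto__": {"polluted": true}, "dept": {"name": "eng"}}';
```

Running `naiveMerge({}, JSON.parse(POLLUTION_PAYLOAD))` makes `({}).polluted` true for every object in the process, which is exactly what a CI assertion on `isPrototypePolluted` after each deep merge catches.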
| */ | ||
| this.searchEmployees = (name, callback) => { | ||
| // Insecure: user input concatenated directly into SQL string | ||
| const query = `SELECT id, name, department, salary FROM employees WHERE name LIKE '%${name}%'`; |
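Review bot: the template literal is the intended A1 demo, but since the commit message says the parameterized fix lives only in a comment, that comment should spell out where the wildcards go: `db.all("SELECT ... WHERE name LIKE ?", [`%${name}%`], callback)`, with the `%` characters inside the bound value rather than in the SQL text, because readers copy the commented fix verbatim.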
Potential SQL injection via string-based query concatenation - critical severity
SQL injection might be possible in these locations, especially if the strings being concatenated are controlled via user input.
Remediation: If possible, rebuild the query to use prepared statements or an ORM. If that is not possible, make sure the user input is verified or sanitized. To autofix all SQL injection instances in your entire app, install Zen for Node.js.
Reply @AikidoSec ignore: [REASON] to ignore this issue.
| */ | ||
| this.getEmployeeById = (id, callback) => { | ||
| // Insecure: id from request URL parameter concatenated into query | ||
| const query = `SELECT * FROM employees WHERE id = ${id}`; |
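Review bot: `SELECT *` returns every column, including the `ssn` seeded by the employees INSERT further down, so the id lookup discloses SSNs even when no injection is attempted; unless that disclosure is part of the exercise, select the same explicit column list as searchEmployees. The commented fix for this numeric case should also validate the id as an integer before binding `WHERE id = ?`, since binding alone does not turn a non-numeric id into an error.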
Potential SQL injection via string-based query concatenation - critical severity
SQL injection might be possible in these locations, especially if the strings being concatenated are controlled via user input.
Remediation: If possible, rebuild the query to use prepared statements or an ORM. If that is not possible, make sure the user input is verified or sanitized. To autofix all SQL injection instances in your entire app, install Zen for Node.js.
| return res.render("payroll", { | ||
| userId, | ||
| employees: null, | ||
| searchName: "", | ||
| environmentalScripts | ||
| }); |
Server-Side Template Injection via untrusted input in express.render() - high severity
Direct use of user-controlled inputs as arguments to the express.render() function can result in server-side template injection when the template engine evaluates untrusted data. An attacker may craft malicious payloads to read local files or, depending on the template engine and its configuration, escalate the issue to remote code execution by abusing template logic and expression handling.
Remediation: Validate and sanitize all inputs before rendering, never pass raw user objects to templates, restrict template capabilities, and enforce strict variable whitelisting or safe rendering modes.
| return res.render("payroll", { | ||
| userId, | ||
| employees: [], | ||
| searchName, | ||
| dbError: err.message, | ||
| environmentalScripts | ||
| }); |
Server-Side Template Injection via untrusted input in express.render() - high severity
Direct use of user-controlled inputs as arguments to the express.render() function can result in server-side template injection when the template engine evaluates untrusted data. An attacker may craft malicious payloads to read local files or, depending on the template engine and its configuration, escalate the issue to remote code execution by abusing template logic and expression handling.
Remediation: Validate and sanitize all inputs before rendering, never pass raw user objects to templates, restrict template capabilities, and enforce strict variable whitelisting or safe rendering modes.
| return res.render("payroll", { | ||
| userId, | ||
| employees, | ||
| searchName, | ||
| environmentalScripts | ||
| }); |
Server-Side Template Injection via untrusted input in express.render() - high severity
Direct use of user-controlled inputs as arguments to the express.render() function can result in server-side template injection when the template engine evaluates untrusted data. An attacker may craft malicious payloads to read local files or, depending on the template engine and its configuration, escalate the issue to remote code execution by abusing template logic and expression handling.
Remediation: Validate and sanitize all inputs before rendering, never pass raw user objects to templates, restrict template capabilities, and enforce strict variable whitelisting or safe rendering modes.
| return res.render("payroll", { | ||
| userId, | ||
| employees: [], | ||
| searchName: "", | ||
| dbError: err.message, | ||
| environmentalScripts | ||
| }); |
Server-Side Template Injection via untrusted input in express.render() - high severity
Direct use of user-controlled inputs as arguments to the express.render() function can result in server-side template injection when the template engine evaluates untrusted data. An attacker may craft malicious payloads to read local files or, depending on the template engine and its configuration, escalate the issue to remote code execution by abusing template logic and expression handling.
Remediation: Validate and sanitize all inputs before rendering, never pass raw user objects to templates, restrict template capabilities, and enforce strict variable whitelisting or safe rendering modes.
| return res.render("payroll", { | ||
| userId, | ||
| employees: employee ? [employee] : [], | ||
| searchName: "", | ||
| environmentalScripts | ||
| }); |
Server-Side Template Injection via untrusted input in express.render() - high severity
Direct use of user-controlled inputs as arguments to the express.render() function can result in server-side template injection when the template engine evaluates untrusted data. An attacker may craft malicious payloads to read local files or, depending on the template engine and its configuration, escalate the issue to remote code execution by abusing template logic and expression handling.
Remediation: Validate and sanitize all inputs before rendering, never pass raw user objects to templates, restrict template capabilities, and enforce strict variable whitelisting or safe rendering modes.
| const insertEmp = dbInstance.prepare( | ||
| "INSERT INTO employees (name, department, salary, ssn) VALUES (?, ?, ?, ?)" | ||
| ); | ||
| employees.forEach(e => insertEmp.run(e)); |
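Review bot: this INSERT is correctly parameterized (the four `?` placeholders take each `e` array through `run`), so the scanner finding here is a false positive; do add `insertEmp.finalize()` after the `forEach` so the prepared statement is released rather than held open until the database closes.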
Potential SQL injection in sqlite3 via string-based query concatenation - high severity
SQL injection might be possible in these locations, especially if the strings being concatenated are controlled via user input.
Remediation: If possible, rebuild the query to use prepared statements or an ORM. If that is not possible, make sure the user input is verified or sanitized. To autofix all SQL injection instances in your entire app, install Zen for Node.js.
| const insertUser = dbInstance.prepare( | ||
| "INSERT INTO users (id, username, password, salary, is_admin) VALUES (?, ?, ?, ?, ?)" | ||
| ); | ||
| users.forEach(u => insertUser.run(u)); |
Potential SQL injection in sqlite3 via string-based query concatenation - high severity
SQL injection might be possible in these locations, especially if the strings being concatenated are controlled via user input.
Remediation: If possible, rebuild the query to use prepared statements or an ORM. If that is not possible, make sure the user input is verified or sanitized. To autofix all SQL injection instances in your entire app, install Zen for Node.js.
|
|
||
| console.log(`[ReportsDAO] Executing query: ${query}`); | ||
|
|
||
| db.all(query, (err, rows) => { |
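Review bot: the `console.log` writes the fully built query, i.e. the raw user input, to the server log; that is useful for the exercise because it shows the altered statement, but it also turns the log into a record of whatever was submitted, so mark the logging as demo-only in the comment and keep this DAO's output out of any shared log sink.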
Potential SQL injection in sqlite3 via string-based query concatenation - high severity
SQL injection might be possible in these locations, especially if the strings being concatenated are controlled via user input.
Remediation: If possible, rebuild the query to use prepared statements or an ORM. If that is not possible, make sure the user input is verified or sanitized. To autofix all SQL injection instances in your entire app, install Zen for Node.js.
|
|
||
| console.log(`[ReportsDAO] Executing query: ${query}`); | ||
|
|
||
| db.get(query, (err, row) => { |
Potential SQL injection in sqlite3 via string-based query concatenation - high severity
SQL injection might be possible in these locations, especially if the strings being concatenated are controlled via user input.
Remediation: If possible, rebuild the query to use prepared statements or an ORM. If that is not possible, make sure the user input is verified or sanitized. To autofix all SQL injection instances in your entire app, install Zen for Node.js.
15 Open source vulnerabilities detected - critical severity
Aikido detected 15 vulnerabilities across 4 packages: 5 critical, 8 high, 1 medium and 1 low.
Remediation: Aikido suggests bumping the vulnerable packages to a safe version.