From 084d189cd4d87a356a42e91306b41e06941cc3d6 Mon Sep 17 00:00:00 2001
From: Mohan Sridharan <83639549+mohan-the-octocat@users.noreply.github.com>
Date: Tue, 5 Dec 2023 17:27:10 +0530
Subject: [PATCH 1/2] Update search.ejs
Adding in_query in an additional line
---
 views/search.ejs | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/views/search.ejs b/views/search.ejs
index dd66a962..91196e06 100644
--- a/views/search.ejs
+++ b/views/search.ejs
@@ -2,6 +2,8 @@

Results for: <%- in_query %>

+

The Query param that came in was: <%- in_query %>

+ <% if (products.length == 0) { %>

Products not found

<% } else {%>
@@ -31,4 +33,4 @@
-<% } %>
\ No newline at end of file
+<% } %>
From 7a50fd2d69991d70f3416a4b6900bc5f8b82cc65 Mon Sep 17 00:00:00 2001
From: Mohan Sridharan <83639549+mohan-the-octocat@users.noreply.github.com>
Date: Tue, 5 Dec 2023 18:02:44 +0530
Subject: [PATCH 2/2] Create vulnerable.js
Added a vulnerable file
---
 vulnerable.js | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
 create mode 100644 vulnerable.js
diff --git a/vulnerable.js b/vulnerable.js
new file mode 100644
index 00000000..2d44f7db
--- /dev/null
+++ b/vulnerable.js
@@ -0,0 +1,39 @@
+var express = require('express')
+var bodyParser = require('body-parser')
+const { Pool } = require('pg')
+
+const pool = new Pool({
+ user: 'dbuser',
+ host: 'database.server.com',
+ database: 'mydb',
+ password: process.env.POSTGRES_PASSWORD,
+ port: 3211,
+})
+
+var test;
+var app = express()
+app.use(bodyParser.json())
+app.use(bodyParser.urlencoded({
+ extended: true
+}));
+
+
+app.get("/", function(req, res){
+ const search = req.params.q
+
+ if (search != "") {
+ var squery = "SELECT * FROM users WHERE name = \"" + search + "\""
+ pool.query(squery, (err, res) => {
+ console.log(err, res)
+ pool.end()
+ })
+ }
+})
+
+app.listen(8000, function () {
+ console.log("Server running");
+});
+
+ let drinks = ['lemonade', 'soda', 'tea', 'water'];
+ let food = ['beans', 'chicken', 'rice'];
+ let iban = "DE012345678910112345"
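Review bot: The added line `The Query param that came in was: <%- in_query %>` renders a request-derived value with `<%-`, which in EJS writes it into the page unescaped; the existing `Results for:` line above it does the same. Unless `in_query` is HTML-escaped before it reaches the template, both lines should use the escaping tag, `<%= in_query %>`. The context markers of this hunk appear to have been lost in extraction, so which of the two `in_query` lines is the new one is inferred from the commit message rather than from the markers.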
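Review bot: `squery` in the `app.get("/")` handler is built by concatenating `search` into the SQL text, so a request-controlled value becomes part of the statement passed to `pool.query`; the commit description says the file is intentionally vulnerable, but if it is a scanner fixture that intent belongs in a header comment, and the safe form is the parameterized call `pool.query("SELECT * FROM users WHERE name = $1", [search], (err, result) => {`. The hand-written quoting is also wrong for PostgreSQL, where double quotes delimit identifiers rather than string literals, so even a benign value is compared against a column name instead of a string. `req.params.q` is always undefined on a route declared as `"/"` with no `:q` segment, so the `search != ""` guard rejects nothing and the literal `undefined` is queried; `req.query.q` is presumably what was meant. The handler never sends a response, because the callback's `res` parameter shadows the Express `res`, and `pool.end()` inside that callback closes the pool after the first request so every later request fails. `var test`, `drinks`, `food` and the hard-coded `iban` literal are unused and should be removed.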