Mattfeature #69
Mattfeature #69
Conversation
doing a bad.
making a fresh bad file.
![arnica-github-connector[bot]](https://avatars.githubusercontent.com/in/144692?s=60&v=4){kind=small}
| const username = req.body.username; | ||
| const password = req.body.password; | ||
| // sample changes | ||
| const query = `SELECT * FROM users WHERE username = '${username}' AND password = '${password}'`; |
There was a problem hiding this comment.
Static Code Analysis Risk: Injection - Tainted SQL string
Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.
Severity: Medium
Status: Open 🔴
References:
Suggested reviewers 🧐: @mnemeth-opti
More details:
Details
Take action by replying with an [arnica] command 💬
Actions
Use [arnica] or [a] to interact with the Arnica bot to acknowledge or dismiss code risks.
To acknowledge the finding as a valid code risk:
[arnica] ack <acknowledge additional details>
To dismiss the risk with a reason:
[arnica] dismiss <fp|accept|capacity> <dismissal reason>
Examples
-
[arnica] ack This is a valid risk and im looking into it -
[arnica] dismiss fp Dismissed - Risk Not Accurate: (i.e. False Positive) -
[arnica] dismiss accept Dismiss - Risk Accepted: Allow the risk to exist in the system -
[arnica] dismiss capacity Dismiss - No Capacity: This will need to wait for a future sprint
| const username = req.body.username; | ||
| const password = req.body.password; | ||
| // sample changes | ||
| const query = `SELECT * FROM users WHERE username = '${username}' AND password = '${password}'`; |
There was a problem hiding this comment.
Static Code Analysis Risk: Injection - Tainted SQL string
Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.
Severity: Medium
Status: Open 🔴
References:
Suggested reviewers 🧐: @mnemeth-opti
More details:
Details
Take action by replying with an [arnica] command 💬
Actions
Use [arnica] or [a] to interact with the Arnica bot to acknowledge or dismiss code risks.
To acknowledge the finding as a valid code risk:
[arnica] ack <acknowledge additional details>
To dismiss the risk with a reason:
[arnica] dismiss <fp|accept|capacity> <dismissal reason>
Examples
-
[arnica] ack This is a valid risk and im looking into it -
[arnica] dismiss fp Dismissed - Risk Not Accurate: (i.e. False Positive) -
[arnica] dismiss accept Dismiss - Risk Accepted: Allow the risk to exist in the system -
[arnica] dismiss capacity Dismiss - No Capacity: This will need to wait for a future sprint
doin things.