✨ (DefectDojo) Fixed finding: "javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection"

[pixeebot[bot]]

✨✨✨

Remediation

This change fixes "javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection" (id = javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection) identified by DefectDojo.

Details

This codemod refactors SQL statements to be parameterized, rather than built by hand.

Without parameterization, developers must remember to escape string inputs using the rules for that column type and database. This usually results in bugs -- and sometimes vulnerabilities. Although we can't tell for sure if your code is actually exploitable, this change will make the code more robust in case the conditions which prevent exploitation today ever go away.

Our changes look something like this:

import sqlite3

name = input()
connection = sqlite3.connect("my_db.db")
cursor = connection.cursor()
- cursor.execute("SELECT * from USERS WHERE name ='" + name + "'")
+ cursor.execute("SELECT * from USERS WHERE name =?", (name, ))

🧚🤖Powered by Pixeebot Enhanced with AI Learn more (codemod ID: defectdojo:javascript/llm-sql-parameterization)

[pixeebot[bot]]

I'm confident in this change, but I'm not a maintainer of this project. Do you see any reason not to merge it?

If this change was not helpful, or you have suggestions for improvements, please let me know!

[pixeebot[bot]]

This change may not be a priority right now, so I'll close it. If there was something I could have done better, please let me know!

You can also customize me to make sure I'm working with you in the way you want.