finos / code-scanning

How to protect FINOS hosted projects from security threats and license compliance issues
Apache License 2.0

Create test.js #283

Closed finos-admin closed 1 year ago

semgrep-app[bot] commented 1 year ago

Semgrep found 2 express-sequelize-injection findings:

Detected a sequelize statement that is tainted by user-input. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements.

View Dataflow Graph

```mermaid
flowchart LR
classDef invis fill:white, stroke: none
classDef default fill:#e7f5ff, color:#1c7fd6, stroke: none
subgraph File0["node/test.js"]
direction LR
%% Source
subgraph Source
direction LR
v0("[Line: 24] req.body")
end
%% Intermediate
subgraph Traces0[Traces]
direction TB
v2("[Line: 23] obj")
end
%% Sink
subgraph Sink
direction LR
v1("[Line: 36] `SELECT * FROM Foo WHERE ((criteria LIKE #apos;%${obj.replacements[0]}%))")
end
end
%% Class Assignment
Source:::invis
Sink:::invis
Traces0:::invis
File0:::invis
%% Connections
Source --> Traces0
Traces0 --> Sink
%% Clickable
click v0 href "https://github.com/finos/security-scanning/blob/e4be6c71c5dbeb74ac8bb72f89630d785c285ba2/node/test.js#L24" "View in source" _blank
click v1 href "https://github.com/finos/security-scanning/blob/e4be6c71c5dbeb74ac8bb72f89630d785c285ba2/node/test.js#L36" "View in source" _blank
click v2 href "https://github.com/finos/security-scanning/blob/e4be6c71c5dbeb74ac8bb72f89630d785c285ba2/node/test.js#L23" "View in source" _blank
```

Ignore this finding from express-sequelize-injection.
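The finding above reports a request-body value flowing through a local object into a template-literal SQL string. The block below is an added example, not code from this PR or from the finos/security-scanning project: it places that shape beside the parameterized form that Sequelize's documented `replacements` option binds for you, and adds a small check a reviewer can run to tell the two apart. The table and column names (`Foo`, `criteria`), the body field `searchTerm`, the helper names and the sample request body are all hypothetical.

```javascript
// Added example (not the PR's code). Mirrors the dataflow in the Semgrep
// graph: req.body -> obj -> SQL string, versus the same query with the value
// bound as a named replacement. Table/column/field names are hypothetical.

// Vulnerable shape: the user-supplied value becomes part of the SQL text,
// so the statement's structure depends on what the client sent.
function buildSearchUnsafe(body) {
  const obj = { replacements: [body.searchTerm] }; // stand-in for the "obj" trace
  const sql = `SELECT * FROM Foo WHERE ((criteria LIKE '%${obj.replacements[0]}%'))`;
  return { sql, replacements: undefined };
}

// LIKE treats % and _ as wildcards even when the value is bound, so a
// search term is escaped before it is wrapped in wildcards. The matching
// ESCAPE clause in the SQL below is accepted by MySQL, PostgreSQL and SQLite.
function escapeLikeWildcards(term) {
  return term.replace(/[\\%_]/g, '\\$&');
}

// Hardened shape: the SQL text is a constant and the value travels
// separately. With Sequelize the call is
//   sequelize.query(sql, { replacements, type: QueryTypes.SELECT })
// where ":pattern" is filled from the replacements object by the library.
function buildSearchSafe(body) {
  const term = typeof body.searchTerm === 'string' ? body.searchTerm : '';
  const sql = "SELECT * FROM Foo WHERE criteria LIKE :pattern ESCAPE '\\'";
  return { sql, replacements: { pattern: `%${escapeLikeWildcards(term)}%` } };
}

// Reviewer's check: does any string from the request body appear verbatim
// inside the SQL text? True means it was interpolated rather than bound,
// which is exactly what the express-sequelize-injection rule looks for.
function bodyLeaksIntoSql(body, sql) {
  return Object.values(body).some(
    (v) => typeof v === 'string' && v.length > 0 && sql.includes(v)
  );
}

// Constructed request body. An apostrophe in an ordinary name is enough to
// show that the unsafe query's text changes shape with input while the safe
// query's text stays identical for every input.
const sampleBody = { searchTerm: "O'Brien" };

console.log('unsafe:', buildSearchUnsafe(sampleBody));
console.log('safe  :', buildSearchSafe(sampleBody));
```

The `bodyLeaksIntoSql` check is deliberately crude: it only confirms what the finding already says for this snippet, that the value was spliced into the statement. The durable fix is the shape of `buildSearchSafe`, where nothing the client controls can change the SQL text.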