adding new code for snyk code scan #1
Conversation
⛔ Snyk checks have failed. 4 issues have been found so far.
✅ security/snyk check is complete. No issues have been found. (View Details) ✅ license/snyk check is complete. No issues have been found. (View Details) ⛔ code/snyk check is complete. 4 issues have been found. (View Details) |
| return (req, res, next) => { | ||
| const id = req.body.id | ||
| const user = insecurity.authenticatedUsers.from(req) | ||
| db.reviews.findOne({ _id: id }).then(review => { |
There was a problem hiding this comment.
NoSQL Injection
Unsanitized input from the HTTP request body flows into findOne, where it is used in an NoSQL query. This may result in an NoSQL Injection vulnerability.
Line 15 | CWE-943 | Priority score 805 | Learn more about this vulnerability
Data flow: 8 steps
Step 1 - 4
juice-shop/routes/delikeProductReviews.js
Line 13 in 4696dbd
Step 5 - 8
juice-shop/routes/delikeProductReviews.js
Line 15 in 4696dbd
| result => { | ||
| // Artificial wait for timing attack challenge | ||
| setTimeout(function () { | ||
| db.reviews.findOne({ _id: id }).then(review => { |
There was a problem hiding this comment.
NoSQL Injection
Unsanitized input from the HTTP request body flows into findOne, where it is used in an NoSQL query. This may result in an NoSQL Injection vulnerability.
Line 25 | CWE-943 | Priority score 805 | Learn more about this vulnerability
Data flow: 12 steps
Step 1 - 4
juice-shop/routes/delikeProductReviews.js
Line 13 in 4696dbd
Step 5 - 6 routes/delikeProductReviews.js#L15
Step 7 - 8 routes/delikeProductReviews.js#L19
Step 9 - 12
juice-shop/routes/delikeProductReviews.js
Line 25 in 4696dbd
| db.reviews.findOne({ _id: id }).then(review => { | ||
| var likedBy = review.likedBy | ||
| if (!likedBy.includes(user.data.email)) { | ||
| db.reviews.update( |
There was a problem hiding this comment.
NoSQL Injection
Unsanitized input from the HTTP request body flows into update, where it is used in an NoSQL query. This may result in an NoSQL Injection vulnerability.
Line 18 | CWE-943 | Priority score 805 | Learn more about this vulnerability
Data flow: 10 steps
Step 1 - 4
juice-shop/routes/delikeProductReviews.js
Line 13 in 4696dbd
Step 5 - 6 routes/delikeProductReviews.js#L15
Step 7 - 9 routes/delikeProductReviews.js#L19
Step 10
juice-shop/routes/delikeProductReviews.js
Line 18 in 4696dbd
| } | ||
| } | ||
| utils.solveIf(challenges.timingAttackChallenge, () => { return count > 2 }) | ||
| db.reviews.update( |
There was a problem hiding this comment.
NoSQL Injection
Unsanitized input from the HTTP request body flows into update, where it is used in an NoSQL query. This may result in an NoSQL Injection vulnerability.
Line 35 | CWE-943 | Priority score 805 | Learn more about this vulnerability
Data flow: 14 steps
Step 1 - 4
juice-shop/routes/delikeProductReviews.js
Line 13 in 4696dbd
Step 5 - 6 routes/delikeProductReviews.js#L15
Step 7 - 8 routes/delikeProductReviews.js#L19
Step 9 - 10 routes/delikeProductReviews.js#L25
Step 11 - 13 routes/delikeProductReviews.js#L36
Step 14
juice-shop/routes/delikeProductReviews.js
Line 35 in 4696dbd
No description provided.