Merge branch 'fix_critical_issues' into 'master'

fix sql injections and path traversals See merge request !173

Merge branch 'fix_critical_issues' into 'master'
fix sql injections and path traversals See merge request !173
46d3fd9a · Matthias Betz · c5370b1e · 2343ad07 · 46d3fd9a · 46d3fd9a
Commit 46d3fd9a authored Jul 18, 2024 by Matthias Betz
--- a/functions/methods.ts
+++ b/functions/methods.ts
@@ -66,7 +66,7 @@ var methods = {
    },
    getUserByEmail: async function(email:any) {
        try {
-            let rows:any = await dbconn.user.promise().query('SELECT id, verificationStatus, salutation, title, firstname, lastname, industry, organisation, speciality, m4lab_idp FROM user WHERE email = "' +email+'"')
+            let rows:any = await dbconn.user.promise().query('SELECT id, verificationStatus, salutation, title, firstname, lastname, industry, organisation, speciality, m4lab_idp FROM user WHERE email = ?', [email])
            if (rows[0][0]) {
                return rows[0][0]
            }
@@ -78,7 +78,7 @@ var methods = {
    },
    getUserEmailById: async function(userId:number) {
        try {
-            let rows:any = await dbconn.user.promise().query('SELECT email FROM user WHERE id = ' +userId)
+            let rows:any = await dbconn.user.promise().query('SELECT email FROM user WHERE id = ?', [userId])
            if (rows[0][0]) {
                return rows[0][0].email
            }
@@ -90,7 +90,7 @@ var methods = {
    },
    checkUserEmail: async function(email:any) {
        try {
-            let rows:any = await dbconn.user.promise().query('SELECT id, email FROM user WHERE email = "' +email+'"')
+            let rows:any = await dbconn.user.promise().query('SELECT id, email FROM user WHERE email = ?', [email])
            if (rows[0][0]) {
                return rows[0][0]
            }
@@ -102,8 +102,7 @@ var methods = {
    },
    getUserByToken: async function(token:any) {
        try {
-            let rows:any = await dbconn.user.promise().query('SELECT t1.user_id, t2.email FROM userdb.credential AS t1 INNER JOIN userdb.user AS t2 ON t1.user_id = t2.id AND t1.resetPasswordToken = "'
+            let rows:any = await dbconn.user.promise().query('SELECT t1.user_id, t2.email FROM userdb.credential AS t1 INNER JOIN userdb.user AS t2 ON t1.user_id = t2.id AND t1.resetPasswordToken = ? and resetPasswordExpires > ?', [token, Date.now()])
-                +token+'" and resetPasswordExpires > '+Date.now())
            if (rows[0][0]) {
                return rows[0][0]
            }
@@ -115,7 +114,7 @@ var methods = {
    },
    updateUserById: async function(userId:number, userData:any) {
        try {
-            let result:any = await dbconn.user.promise().query('UPDATE user SET ? WHERE id = ' +userId, userData)
+            let result:any = await dbconn.user.promise().query('UPDATE user SET ? WHERE id = ?', [userData, userId])
            return result
        } catch (err) {
            console.error(err)
@@ -124,7 +123,7 @@ var methods = {
    },
    updateCredential: async function(data:any) {
        try {
-            let result:any = await dbconn.user.promise().query('UPDATE credential SET ? WHERE user_id = ' +data.user_id, data)
+            let result:any = await dbconn.user.promise().query('UPDATE credential SET ? WHERE user_id = ?', [data, data.user_id])
            return result
        } catch (err) {
            console.error(err)
@@ -139,7 +138,7 @@ var methods = {
    },
    getVerificationTokenByUserId: async function(userId:number) {
        try {
-            let rows:any = await dbconn.user.promise().query('SELECT token FROM verification WHERE user_id = "' +userId+'"')
+            let rows:any = await dbconn.user.promise().query('SELECT token FROM verification WHERE user_id = ?', [userId])
            if (rows[0][0]) {
                return rows[0][0].token
            }
@@ -151,7 +150,7 @@ var methods = {
    },
    getUserIdByVerificationToken: async function(token:any) {
        try {
-            let rows:any = await dbconn.user.promise().query('SELECT user_id FROM verification WHERE token = "' +token+'"')
+            let rows:any = await dbconn.user.promise().query('SELECT user_id FROM verification WHERE token = ?', [token])
            if (rows[0][0]) {
                return rows[0][0].user_id
            }
@@ -168,12 +167,12 @@ var methods = {
            thisconn.beginTransaction(function(err:any) { // START TRANSACTION
                if (err) { throw err }
                // update user status
-                thisconn.query('UPDATE user SET ? WHERE id =' +userData.id, userData, function (err:any, rows:any, fields:any) {
+                thisconn.query('UPDATE user SET ? WHERE id = ?', [userData, userData.id], function (err:any, rows:any, fields:any) {
                    if (err) {
                        return thisconn.rollback(function() { throw err })
                    }
                    // delete verification token
-                    thisconn.query('DELETE FROM verification WHERE user_id = '+userData.id, function (err:any, rows:any, fields:any) {
+                    thisconn.query('DELETE FROM verification WHERE user_id = ?', [userData.id], function (err:any, rows:any, fields:any) {
                        if (err) {
                            return thisconn.rollback(function() { throw err })
                        }
@@ -192,7 +191,7 @@ var methods = {
    /* ===== GitLab ===== */
    getGitlabId: async function(userId:number) {
        try {
-            let rows:any = await dbconn.user.promise().query('SELECT gu.gitlab_userId FROM user_gitlab gu, user u WHERE u.id = "' +userId+'" and gu.user_id = u.id')
+            let rows:any = await dbconn.user.promise().query('SELECT gu.gitlab_userId FROM user_gitlab gu, user u WHERE u.id = ? and gu.user_id = u.id', [userId])
            if (rows[0][0]) {
                return rows[0][0].gitlab_userId
            } else {

--- a/package-lock.json
+++ b/package-lock.json
--- a/package.json
+++ b/package.json
@@ -44,7 +44,8 @@
    "nodemailer-ntlm-auth": "^1.0.1",
    "passport": "0.3.2",
    "passport-saml": "^2.1.0",
-    "pug": "^3.0.2"
+    "pug": "^3.0.2",
+    "uuid": "^10.0.0"
  },
  "devDependencies": {
    "@types/async": "^3.2.6",

--- a/routes/account.ts
+++ b/routes/account.ts
@@ -2,6 +2,7 @@ import fs from 'fs'
 import async from 'async'
 import bcrypt from 'bcryptjs'
 import * as passportSaml from 'passport-saml'
+import {v4 as uuidv4} from 'uuid';
 import dbconn from '../config/dbconn'
 import methods from '../functions/methods'
 import gitlab from '../functions/gitlab'
@@ -299,7 +300,7 @@ export = function (app:any, config:any, passport:any, lang:string) {
        let newPwd = req.body.inputNewPwd
        let retypePwd = req.body.inputConfirm
-        dbconn.user.query('SELECT password FROM credential WHERE user_id='+loggedInUser.getId(), function (err:any, rows:any) {
+        dbconn.user.query('SELECT password FROM credential WHERE user_id= ?', [loggedInUser.getId()], function (err:any, rows:any) {
          if (err) {
            console.error(err)
            res.status(500).render(lang+'/500', { error: err })
@@ -435,8 +436,9 @@ export = function (app:any, config:any, passport:any, lang:string) {
              if (!req.files) {
                callback(null, newLogoFile)
              } else {
-                newLogoFile.mv(logoDir + newLogoFile.name, function(err:any) {
+                let fileName = uuidv4();
-                  newLogoFile = logoDir+newLogoFile.name
+                newLogoFile.mv(logoDir + fileName, function(err:any) {
+                  newLogoFile = logoDir + fileName
                  callback(err, newLogoFile)
                })
              }
@@ -530,8 +532,9 @@ export = function (app:any, config:any, passport:any, lang:string) {
                callback(null, newLogoFile)
              } else {
                newLogoFile = req.files.logo
-                newLogoFile.mv(logoDir + newLogoFile.name, function(err:any) {
+                let fileName = uuidv4();
-                  newLogoFile = logoDir + newLogoFile.name
+                newLogoFile.mv(logoDir + fileName, function(err:any) {
+                  newLogoFile = logoDir + fileName
                  callback(err, newLogoFile)
                })
              }