Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: Database query built from user-controlled sources #896

Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

fix: Database query built from user-controlled sources #896

wants to merge 4 commits into from

Conversation

JamieSlome
Copy link
Member

Potential fix for https://github.com/finos/git-proxy/security/code-scanning/83

To fix the problem, we need to ensure that the user-provided id is treated as a literal value in the MongoDB query. This can be achieved by using the $eq operator, which ensures that the value is interpreted as a literal and not as a query object. Additionally, we should validate that the id is a string before using it in the query.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

@JamieSlome @github-advanced-security
Potential fix for code scanning alert no. 83: Database query built fr…
bb5ba8b 
…om user-controlled sources

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@github-actions GitHub Actions
Copy link

github-actions bot commented Feb 4, 2025
edited
Loading

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

PackageVersionScoreDetails

Scanned Files

@netlify Netlify
Copy link

netlify bot commented Feb 4, 2025
edited
Loading

Deploy Preview for endearing-brigadeiros-63f9d0 canceled.

Name Link
🔨 Latest commit f6085f8
🔍 Latest deploy log https://app.netlify.com/sites/endearing-brigadeiros-63f9d0/deploys/67a292d43acb570008193cd6

JamieSlome
JamieSlome commented Feb 4, 2025
View reviewed changes
src/service/routes/push.js Outdated Show resolved Hide resolved
@JamieSlome JamieSlome changed the title Potential fix for code scanning alert no. 83: Database query built from user-controlled sources fix: Database query built from user-controlled sources Feb 4, 2025
@JamieSlome JamieSlome marked this pull request as ready for review February 4, 2025 21:57
@github-actions github-actions bot added the fix label Feb 4, 2025
github-advanced-security[bot]
github-advanced-security bot found potential problems Feb 4, 2025
View reviewed changes
src/db/mongo/pushes.js
@@ -57,7 +57,7 @@
const options = { upsert: true };
const collection = await connect(cnName);
delete data._id;
await collection.updateOne({ id: data.id }, { $set: data }, options);
await collection.updateOne({ id: { $eq: data.id } }, { $set: data }, options);

Check failure

Code scanning / CodeQL

Database query built from user-controlled sources High

This query object depends on a
user-provided value
Loading
.
This autofix suggestion was applied.
Show autofix suggestion Hide autofix suggestion

Copilot Autofix AI 5 days ago

To fix the problem, we need to ensure that the user input is properly sanitized or validated before it is used in the database query. For MongoDB, we can use the $eq operator to ensure that the user input is interpreted as a literal value and not as a query object. This will prevent any potential NoSQL injection attacks.

We will modify the writeAudit function in src/db/mongo/pushes.js to use the $eq operator when updating the database. Additionally, we will add a check to ensure that the id field in the data object is a string before using it in the query.

Suggested changeset 1
src/db/mongo/pushes.js

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/db/mongo/pushes.js b/src/db/mongo/pushes.js
--- a/src/db/mongo/pushes.js
+++ b/src/db/mongo/pushes.js
@@ -59,2 +59,5 @@
   delete data._id;
+  if (typeof data.id !== 'string') {
+    throw new Error('Invalid id');
+  }
   await collection.updateOne({ id: { $eq: data.id } }, { $set: data }, options);
EOF
@@ -59,2 +59,5 @@
delete data._id;
if (typeof data.id !== 'string') {
throw new Error('Invalid id');
}
await collection.updateOne({ id: { $eq: data.id } }, { $set: data }, options);
Copilot is powered by AI and may make mistakes. Always verify output.
@JamieSlome JamieSlome committed this autofix suggestion 5 days ago.
Positive Feedback
Negative Feedback

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Please select one or more of the options
JamieSlome and others added 2 commits February 4, 2025 22:00
@JamieSlome @github-advanced-security
Potential fix for code scanning alert no. 89: Database query built fr…
be0c589 
…om user-controlled sources

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@JamieSlome
Merge branch 'main' into alert-autofix-83
f6085f8
@JamieSlome JamieSlome enabled auto-merge February 4, 2025 22:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
fix
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@JamieSlome