fix: fixed SQL injections

Lukian 2025-03-25 18:30:52 +01:00
parent 48503a4c9c
commit c34df6609c
3 changed files with 129 additions and 73 deletions


@ -7,6 +7,11 @@ const router = express.Router();
router.post('/login', async (req, res) => { router.post('/login', async (req, res) => {
const { username, password } = req.body; const { username, password } = req.body;
if (!username || !password) {
return res.status(400).send({ error: 'Invalid username or password' });
}
const connection = await getConnection(); const connection = await getConnection();
const user = await getUserByUsername(connection, username); const user = await getUserByUsername(connection, username);
connection.end(); connection.end();
@ -25,6 +30,11 @@ router.post('/register', async (req, res) => {
const { username, password } = req.body; const { username, password } = req.body;
const connection = await getConnection(); const connection = await getConnection();
if (!username || !password) {
connection.end();
return res.status(400).send({ error: 'Invalid username or password' });
}
const user = await getUserByUsername(connection, username); const user = await getUserByUsername(connection, username);
if (user[0]) { if (user[0]) {
connection.end(); connection.end();
@ -44,7 +54,17 @@ router.post('/register', async (req, res) => {
router.post('/me', async (req, res) => { router.post('/me', async (req, res) => {
const { token } = req.body; const { token } = req.body;
if (!token) {
return res.status(400).send({ error: 'Invalid token' });
}
const decoded = jwt.verify(token, process.env.JWT_SECRET); const decoded = jwt.verify(token, process.env.JWT_SECRET);
if (!decoded.id) {
return res.status(400).send({ error: 'Invalid token' });
}
const connection = await getConnection(); const connection = await getConnection();
const users = await getUser(connection, decoded.id); const users = await getUser(connection, decoded.id);
connection.end(); connection.end();
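Review bot: `jwt.verify(token, process.env.JWT_SECRET)` on the new side of the `/me` hunk is still called outside a try/catch, so a malformed, tampered or expired token throws before the new `if (!decoded.id)` guard runs, and in an async Express handler that surfaces as an unhandled rejection rather than a 4xx response. The same pattern is on the new side of both hunks in the channel routes file (`/:name/messages/delete` and `/add`). Wrapping the verify call and returning 401 keeps the new validation meaningful; the `/register` hunk could also move its field check ahead of `getConnection()` to match `/login` instead of opening a connection only to close it on the early return. The handler bodies continue outside the hunks.
```javascript
  // … unchanged: token presence check …
  let decoded;
  try {
    decoded = jwt.verify(token, process.env.JWT_SECRET);
  } catch (err) {
    return res.status(401).send({ error: 'Invalid token' });
  }
  if (!decoded.id) {
    return res.status(400).send({ error: 'Invalid token' });
  }
  // … unchanged: connection lookup and response …
```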


@ -62,6 +62,11 @@ router.post('/:name/messages/send', async (req, res) => {
router.post('/:name/messages/delete', async (req, res) => { router.post('/:name/messages/delete', async (req, res) => {
const { token, message_id } = req.body; const { token, message_id } = req.body;
const name = req.params.name; const name = req.params.name;
if (!message_id || !token) {
return res.status(400).send({ error: 'Missing parameters' });
}
const connection = await getConnection(); const connection = await getConnection();
const decoded = jwt.verify(token, process.env.JWT_SECRET); const decoded = jwt.verify(token, process.env.JWT_SECRET);
@ -89,6 +94,11 @@ router.post('/:name/messages/delete', async (req, res) => {
router.post('/add', async (req, res) => { router.post('/add', async (req, res) => {
const { name, description, token } = req.body; const { name, description, token } = req.body;
if (!name || !description || !token) {
return res.status(400).send({ error: 'Missing parameters' });
}
const connection = await getConnection(); const connection = await getConnection();
const decoded = jwt.verify(token, process.env.JWT_SECRET); const decoded = jwt.verify(token, process.env.JWT_SECRET);
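Review bot: The new guard in the `/:name/messages/delete` hunk only checks that `message_id` is present, not that it is a number; `req.body` is parsed JSON, so the value may arrive as a string, array or object and is presumably handed straight to the parameterized `deleteMessage` helper. Some MySQL drivers expand array and object bind values into SQL fragments rather than a single literal, so coercing to an integer before the query keeps the parameterization airtight: `const id = Number(message_id);` followed by `if (typeof message_id === 'object' || !Number.isInteger(id) || id < 1) { return res.status(400).send({ error: 'Invalid message_id' }); }`, then pass `id` onward. Note that `!message_id` also rejects a literal 0, which is harmless if ids start at 1 but otherwise should be an explicit `message_id == null` check. The handler body continues outside the hunk.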


@ -12,7 +12,8 @@ function getConnection() {
function getUser(connection, id) { function getUser(connection, id) {
return new Promise((resolve, reject) => { return new Promise((resolve, reject) => {
connection.query( connection.query(
`SELECT * FROM users WHERE id = ${id}`, `SELECT * FROM users WHERE id = ?`,
[id], // Use parameterized query
(error, result) => { (error, result) => {
if (error) { if (error) {
reject(new Error(error)); reject(new Error(error));
@ -24,23 +25,25 @@ function getUser(connection, id) {
} }
function getUserByUsername(connection, username) { function getUserByUsername(connection, username) {
return new Promise((resolve, reject) => { return new Promise((resolve, reject) => {
connection.query( connection.query(
`SELECT * FROM users WHERE username = '${username}'`, `SELECT * FROM users WHERE username = ?`,
(error, result) => { [username], // Use parameterized query
if (error) { (error, result) => {
reject(new Error(error)); if (error) {
} reject(new Error(error));
resolve(result);
} }
); resolve(result);
}); }
);
});
} }
function addUser(connection, username, password) { function addUser(connection, username, password) {
return new Promise((resolve, reject) => { return new Promise((resolve, reject) => {
connection.query( connection.query(
`INSERT INTO users (username, password) VALUES ('${username}', '${password}')`, `INSERT INTO users (username, password) VALUES (?, ?)`,
[username, password], // Use parameterized query
(error, result) => { (error, result) => {
if (error) { if (error) {
reject(new Error(error)); reject(new Error(error));
@ -52,17 +55,23 @@ function addUser(connection, username, password) {
} }
function getUserLastMessages(connection, username) { function getUserLastMessages(connection, username) {
return new Promise((resolve, reject) => { return new Promise((resolve, reject) => {
connection.query( connection.query(
`SELECT messages.id, user_id, username, content, date, channels.name AS channel_name FROM messages JOIN users ON messages.user_id = users.id JOIN channels ON messages.channel_id = channels.id WHERE username = "${username}" ORDER BY date DESC LIMIT 5`, `SELECT messages.id, user_id, username, content, date, channels.name AS channel_name
(error, result) => { FROM messages
if (error) { JOIN users ON messages.user_id = users.id
reject(new Error(error)); JOIN channels ON messages.channel_id = channels.id
} WHERE username = ?
resolve(result); ORDER BY date DESC LIMIT 5`,
[username], // Use parameterized query
(error, result) => {
if (error) {
reject(new Error(error));
} }
); resolve(result);
}); }
);
});
} }
function getChannels(connection) { function getChannels(connection) {
@ -82,7 +91,11 @@ function getChannels(connection) {
function getChannel(connection, name) { function getChannel(connection, name) {
return new Promise((resolve, reject) => { return new Promise((resolve, reject) => {
connection.query( connection.query(
`SELECT channels.id, name, description, owner_id, username AS owner_username FROM channels JOIN users ON channels.owner_id = users.id WHERE name = "${name}"`, `SELECT channels.id, name, description, owner_id, username AS owner_username
FROM channels
JOIN users ON channels.owner_id = users.id
WHERE name = ?`,
[name], // Use parameterized query
(error, result) => { (error, result) => {
if (error) { if (error) {
reject(new Error(error)); reject(new Error(error));
@ -94,73 +107,86 @@ function getChannel(connection, name) {
} }
function addChannel(connection, name, description, owner_id) { function addChannel(connection, name, description, owner_id) {
return new Promise((resolve, reject) => { return new Promise((resolve, reject) => {
connection.query( connection.query(
`INSERT INTO channels (name, description, owner_id) VALUES ('${name}', '${description}', ${owner_id})`, `INSERT INTO channels (name, description, owner_id) VALUES (?, ?, ?)`,
(error, result) => { [name, description, owner_id], // Use parameterized query
if (error) { (error, result) => {
reject(new Error(error)); if (error) {
} reject(new Error(error));
resolve(result);
} }
); resolve(result);
}); }
);
});
} }
function getMessages(connection, channel_id) { function getMessages(connection, channel_id) {
return new Promise((resolve, reject) => { return new Promise((resolve, reject) => {
connection.query( connection.query(
`SELECT messages.id, user_id, username, content, date, channels.name AS channel_name FROM messages JOIN users ON messages.user_id = users.id JOIN channels ON messages.channel_id = channels.id WHERE channel_id = ${channel_id} ORDER BY date DESC`, `SELECT messages.id, user_id, username, content, date, channels.name AS channel_name
(error, result) => { FROM messages
if (error) { JOIN users ON messages.user_id = users.id
reject(new Error(error)); JOIN channels ON messages.channel_id = channels.id
} WHERE channel_id = ?
resolve(result); ORDER BY date DESC`,
[channel_id], // Use parameterized query
(error, result) => {
if (error) {
reject(new Error(error));
} }
); resolve(result);
}); }
);
});
} }
function getLastMessages(connection) { function getLastMessages(connection) {
return new Promise((resolve, reject) => { return new Promise((resolve, reject) => {
connection.query( connection.query(
`SELECT messages.id, user_id, username, content, date, channels.name AS channel_name FROM messages JOIN users ON messages.user_id = users.id JOIN channels ON messages.channel_id = channels.id ORDER BY date DESC LIMIT 5`, `SELECT messages.id, user_id, username, content, date, channels.name AS channel_name
(error, result) => { FROM messages
if (error) { JOIN users ON messages.user_id = users.id
reject(new Error(error)); JOIN channels ON messages.channel_id = channels.id
} ORDER BY date DESC LIMIT 5`,
resolve(result); (error, result) => {
if (error) {
reject(new Error(error));
} }
); resolve(result);
}); }
);
});
} }
function addMessage(connection, channel_id, user_id, message) { function addMessage(connection, channel_id, user_id, message) {
return new Promise((resolve, reject) => { return new Promise((resolve, reject) => {
connection.query( connection.query(
`INSERT INTO messages (channel_id, user_id, content, date) VALUES (${channel_id}, ${user_id}, "${message}", ${Math.floor(Date.now() / 1000)})`, `INSERT INTO messages (channel_id, user_id, content, date) VALUES (?, ?, ?, ?)`,
(error, result) => { [channel_id, user_id, message, Math.floor(Date.now() / 1000)], // Use parameterized query
if (error) { (error, result) => {
reject(new Error(error)); if (error) {
} reject(new Error(error));
resolve(result);
} }
); resolve(result);
}); }
);
});
} }
function deleteMessage(connection, message_id) { function deleteMessage(connection, message_id) {
return new Promise((resolve, reject) => { return new Promise((resolve, reject) => {
connection.query( connection.query(
`DELETE FROM messages WHERE id = ${message_id}`, `DELETE FROM messages WHERE id = ?`,
(error, result) => { [message_id], // Use parameterized query
if (error) { (error, result) => {
reject(new Error(error)); if (error) {
} reject(new Error(error));
resolve(result);
} }
); resolve(result);
}); }
);
});
} }
module.exports = { module.exports = {