Added protection against SQL Injection

Timo John 2020-06-24 11:47:15 +02:00
parent 2fb2e9a76f
commit ae9998f640
6 changed files with 24 additions and 13 deletions


@ -1406,9 +1406,9 @@
"dev": true
},
"sqlstring": {
"version": "2.3.1",
"resolved": "https://registry.npmjs.org/sqlstring/-/sqlstring-2.3.1.tgz",
"integrity": "sha1-R1OT/56RR5rqYtyvDKPRSYOn+0A="
"version": "2.3.2",
"resolved": "https://registry.npmjs.org/sqlstring/-/sqlstring-2.3.2.tgz",
"integrity": "sha512-vF4ZbYdKS8OnoJAWBmMxCQDkiEBkGQYU7UZPtL8flbDRSNkhaXvRJ279ZtI6M+zDaQovVU4tuRgzK5fVhvFAhg=="
},
"statuses": {
"version": "1.5.0",


@ -20,7 +20,8 @@
"moment": "^2.26.0",
"morgan": "^1.10.0",
"mysql2": "^2.1.0",
"path": "^0.12.7"
"path": "^0.12.7",
"sqlstring": "^2.3.2"
},
"devDependencies": {
"nodemon": "^2.0.4"


@ -2,13 +2,15 @@ const router = require("express").Router();
const getCountries = require("../models/getCountries.js");
const getCountryById = require("../models/getCountryById.js");
const sqlstring = require("sqlstring")
module.exports = dbConn => {
router.get("/api/v1/countries", async (req, res) => {
res.json(await getCountries(dbConn));
});
router.get("/api/v1/countries/:id", async (req, res) => {
const id = req.params.id;
const id = sqlstring.escape(req.params.id);
res.json(await getCountryById(dbConn, id))
});
return router;
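Review bot: `sqlstring.escape(req.params.id)` on the new `const id` line returns a quoted SQL literal (the string `'42'`, quotes included), so it only protects the query if getCountryById splices `id` into its SQL unquoted; if the model already binds the value with a `?` placeholder, it is escaped twice and the lookup can never match. The model is not in this diff, so I can't tell which it does, but escaping at the router is the fragile option either way: bind the raw value in the model (`dbConn.execute('... WHERE id = ?', [id])`) and keep the router to validation, e.g. `if (!/^\d+$/.test(req.params.id)) return res.status(400).end(); const id = Number(req.params.id);` if ids are integers. The `module.exports` arrow that encloses these handlers continues past the end of the hunk.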


@ -10,12 +10,15 @@ module.exports = dbConn => {
});
router.get("/api/v1/place/nearby", async (req, res) => {
const place = await getPlaceNearby(req.query.lat, req.query.lng)
const lat = sqlstring.escape(req.query.lat)
const lng = sqlstring.escape(req.query.lng)
const place = await getPlaceNearby(lat, lng)
res.json(place)
});
router.get("/api/v1/place/photo", async (req, res) => {
const photo = await getPlacePhoto(req.query.photoref)
const photoref = sqlstring.escape(req.query.photoref)
const photo = await getPlacePhoto(photoref)
res.json(photo)
});
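Review bot: Neither `getPlaceNearby` nor `getPlacePhoto` is handed `dbConn` in this hunk, unlike the other models in the commit, so it is not evident that `lat`, `lng` or `photoref` reach SQL at all; `sqlstring.escape` wraps each value in single quotes (`'52.5'`), which will corrupt it if the model forwards it to an HTTP API or does arithmetic on it. Query-string values can also arrive as arrays (`?lat=1&lat=2`), which escape turns into a comma-separated list rather than rejecting. Validating the type is the more useful check here: `const lat = Number(req.query.lat); const lng = Number(req.query.lng); if (!Number.isFinite(lat) || !Number.isFinite(lng)) return res.status(400).end();`, and if these values do end up in SQL, bind them with `?` placeholders in the model. The `sqlstring` require and the enclosing `module.exports` arrow are outside this hunk, so I cannot confirm the import is present.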


@ -1,24 +1,25 @@
const router = require("express").Router();
const getRegions = require("../models/getRegions.js");
const getRegionById = require("../models/getRegionById.js");
const handleRegionLonLat = require("../models/handleRegionLonLat.js")
const getRegionNearbyById = require("../models/getRegionNearbyById.js")
const path = require("path");
const fs = require("fs");
const _ = require('lodash')
const sqlstring = require("sqlstring")
module.exports = dbConn => {
router.get("/api/v1/regions", async (req, res) => {
const data = await getRegions(dbConn)
if (req.query.randomize) {
res.json(_.sampleSize(data, req.query.randomize))
const randomize = sqlstring.escape(req.query.randomize)
res.json(_.sampleSize(data, randomize))
} else {
res.json(data);
}
});
router.get("/api/v1/regions/:id", async (req, res) => {
const id = req.params.id;
const id = sqlstring.escape(req.params.id);
res.json(await getRegionById(dbConn, id))
});
@ -31,7 +32,8 @@ module.exports = dbConn => {
})
router.get("/api/v1/regions/:id/nearby", async (req,res) => {
res.json(await getRegionNearbyById(dbConn,req.params.id))
const id = sqlstring.escape(req.params.id);
res.json(await getRegionNearbyById(dbConn,id))
});
return router;
};
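Review bot: The new `randomize` line breaks the feature it touches: `sqlstring.escape("3")` returns the quoted string `'3'`, which lodash's `toInteger` coerces to 0, so `_.sampleSize(data, randomize)` for `?randomize=3` now returns an empty array instead of three regions. `randomize` is only ever used as a sample count in this hunk, never in SQL, so it needs numeric validation rather than SQL escaping: `const randomize = Number.parseInt(req.query.randomize, 10); if (!Number.isInteger(randomize) || randomize < 1) return res.status(400).end();`. The `sqlstring.escape(req.params.id)` lines on the two `:id` routes likewise produce a quoted literal that is only correct if getRegionById/getRegionNearbyById concatenate it unquoted; I can't see those models, but a `?` placeholder there would make the router escaping unnecessary and remove the double-escaping risk.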


@ -3,6 +3,7 @@ const handleUpdateRegionNearby = require("../models/handleUpdateRegionNearby.js"
const handleUpdateRegionNearbyById = require("../models/handleUpdateRegionNearbyById.js")
const handleUpdateRegionNearbyImgUrl = require("../models/handleUpdateRegionNearbyImgUrl.js")
const handleUpdateRegionNearbyImgUrlById = require("../models/handleUpdateRegionNearbyImgUrlById.js")
const sqlstring = require("sqlstring")
module.exports = dbConn => {
router.patch("/api/v1/update/regions/all/nearby", async (req, res) => {
@ -14,7 +15,8 @@ module.exports = dbConn => {
});
router.patch("/api/v1/update/regions/:id/nearby", async (req, res) => {
res.json(await handleUpdateRegionNearbyById(dbConn, req.params.id))
const id = sqlstring.escape(req.params.id);
res.json(await handleUpdateRegionNearbyById(dbConn, id))
});
router.patch("/api/v1/update/regions/all/nearby/imgurl", async (req, res) => {
@ -22,7 +24,8 @@ module.exports = dbConn => {
});
router.patch("/api/v1/update/regions/:id/nearby/imgurl", async (req, res) => {
res.json(await handleUpdateRegionNearbyImgUrlById(dbConn, req.params.id))
const id = sqlstring.escape(req.params.id);
res.json(await handleUpdateRegionNearbyImgUrlById(dbConn, id))
});
return router
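Review bot: The two new `const id = sqlstring.escape(req.params.id);` lines are the third and fourth handlers in this commit repeating the same one-liner, and each yields a quoted literal (`'7'`) whose correctness depends on how the unseen model builds its SQL. Rather than copying it per route, a small shared helper in the routes folder that validates the param and returns null when it is not a plain integer (`/^\d+$/.test(raw) ? Number(raw) : null`) lets every handler do `const id = parseId(req.params.id); if (id === null) return res.status(400).end();` and pass a number the model can bind with `?`. These are PATCH routes that mutate data, and nothing in this hunk authenticates the caller; if that is enforced app-wide it is fine, but worth confirming. The `module.exports` arrow runs past the end of the hunk.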