index.js is vulnerable to SQL injection via "XSS Cookies" #3
Description
Main issue
Malicious SQL code, for example, ' OR '1'='1 can be sent as a cookie to bypass passwords.
How to fix (maybe)
Replace lines 206 to 257 with the following code:
app.post('/upload/file', async function(req, res) {
if (!req?.cookies?.connect) return res.redirect('/');
let user;
const query = 'SELECT * FROM users WHERE cookie = ?';
const params = [req?.cookies?.connect];
await con.query(query, params, async (err, row) => {
if(!row[0]) return;
user = row[0];
let characters = ['a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', '1', '0', '2', '3', '4', '5', '6', '7', '8', '9', '-', '_'];
let keyGenerator = function() {
let key = "";
for (let i = 0; i < 10; i++) {
key += `${characters[Math.floor(Math.random() * characters.length)]}`;
};
return key;
};
try {
if(!req.files) {
res.status(400).send({
status: 400,
message: 'No file uploaded'
});
} else {
if (!req.body.password){
req.body.password = null
}
let file = req.files.file;
let key = await keyGenerator();
let name = `${key}-${escape(file.name)}`
if(!fs.existsSync(`./downloads/${user.folder}`)) {
fs.mkdirSync(`./downloads/${user.folder}`, { recursive: true });
};
await file.mv(`./downloads/${user.folder}/${name}`);
const selectQuery = 'SELECT * FROM downloads WHERE user = ?';
const selectParams = [user.folder];
await con.query(selectQuery, selectParams, async function(err, sql) {
let id = sql.length + 1;
if (req.body.password !== null) {
await bcrypt.hash(req.body.password, 10, async (err, hash) => {
const insertQuery = 'INSERT INTO downloads (id, user, url, amount, name, password) VALUES (?, ?, ?, ?, ?, ?)';
const insertParams = [id, user.folder, name, 0, file.name.replaceAll('"', '').replaceAll('`', '').replaceAll("'", ""), hash];
await con.query(insertQuery, insertParams, async (err, row) => {
if(err) throw err;
});
});
} else {
const insertQuery = 'INSERT INTO downloads (id, user, url, amount, name) VALUES (?, ?, ?, ?, ?)';
const insertParams = [id, user.folder, name, 0, file.name.replaceAll('"', '').replaceAll('`', '').replaceAll("'", "")];
await con.query(insertQuery, insertParams, async (err, row) => {
if(err) throw err;
});
};
});
return res.redirect('/');
}
} catch (err) {
throw err;
}
});
});