From 4d9bddeaef0cb90c074e9f7e017c8394bcfd6d36 Mon Sep 17 00:00:00 2001
From: Sandeep Digumarty
Date: Fri, 15 Mar 2024 12:53:48 +0530
Subject: [PATCH] chore: resolve sql injection vulnerabilities (#3172)
---
 package-lock.json | 9 +++++++++
 package.json | 1 +
 .../networkHandler.js | 7 ++++++-
 .../google_adwords_offline_conversions/utils.js | 7 ++++++-
 4 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index 700207e021..d708860537 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -63,6 +63,7 @@
 "rudder-transformer-cdk": "^1.4.11",
 "set-value": "^4.1.0",
 "sha256": "^0.2.0",
+ "sqlstring": "^2.3.3",
 "stacktrace-parser": "^0.1.10",
 "statsd-client": "^0.4.7",
 "truncate-utf8-bytes": "^1.0.2",
@@ -19087,6 +19088,14 @@
 "integrity": "sha512-D9cPgkvLlV3t3IzL0D0YLvGA9Ahk4PcvVwUbN0dSGr1aP0Nrt4AEnTUbuGvquEC0mA64Gqt1fzirlRs5ibXx8g==",
 "dev": true
 },
+ "node_modules/sqlstring": {
+ "version": "2.3.3",
+ "resolved": "https://registry.npmjs.org/sqlstring/-/sqlstring-2.3.3.tgz",
+ "integrity": "sha512-qC9iz2FlN7DQl3+wjwn3802RTyjCx7sDvfQEXchwa6CWOx07/WVfh91gBmQ9fahw8snwGEWU3xGzOt4tFyHLxg==",
+ "engines": {
+ "node": ">= 0.6"
+ }
+ },
 "node_modules/stack-generator": {
 "version": "2.0.10",
 "resolved": "https://registry.npmjs.org/stack-generator/-/stack-generator-2.0.10.tgz",
diff --git a/package.json b/package.json
index 070510029b..ec3ffbf4e6 100644
--- a/package.json
+++ b/package.json
@@ -108,6 +108,7 @@
 "rudder-transformer-cdk": "^1.4.11",
 "set-value": "^4.1.0",
 "sha256": "^0.2.0",
+ "sqlstring": "^2.3.3",
 "stacktrace-parser": "^0.1.10",
 "statsd-client": "^0.4.7",
 "truncate-utf8-bytes": "^1.0.2",
diff --git a/src/v0/destinations/google_adwords_enhanced_conversions/networkHandler.js b/src/v0/destinations/google_adwords_enhanced_conversions/networkHandler.js
index 3ea985e773..feedcf8975 100644
--- a/src/v0/destinations/google_adwords_enhanced_conversions/networkHandler.js
+++ b/src/v0/destinations/google_adwords_enhanced_conversions/networkHandler.js
@@ -1,6 +1,7 @@
 const { get, set } = require('lodash');
 const sha256 = require('sha256');
 const { NetworkError, NetworkInstrumentationError } = require('@rudderstack/integrations-lib');
+const SqlString = require('sqlstring');
 const { prepareProxyRequest, handleHttpRequest } = require('../../../adapters/network');
 const { isHttpStatusSuccess, getAuthErrCategoryFromStCode } = require('../../util/index');
 const { CONVERSION_ACTION_ID_CACHE_TTL } = require('./config');
@@ -29,8 +30,12 @@ const ERROR_MSG_PATH = 'response[0].error.message';
 const getConversionActionId = async (method, headers, params) => {
 const conversionActionIdKey = sha256(params.event + params.customerId).toString();
 return conversionActionIdCache.get(conversionActionIdKey, async () => {
+ const queryString = SqlString.format(
+ 'SELECT conversion_action.id FROM conversion_action WHERE conversion_action.name = ?',
+ [params.event],
+ );
 const data = {
- query: `SELECT conversion_action.id FROM conversion_action WHERE conversion_action.name = '${params.event}'`,
+ query: queryString,
 };
 const requestBody = {
 url: `${BASE_ENDPOINT}/${params.customerId}/googleAds:searchStream`,
diff --git a/src/v0/destinations/google_adwords_offline_conversions/utils.js b/src/v0/destinations/google_adwords_offline_conversions/utils.js
index ee677373a3..67c0ef31c8 100644
--- a/src/v0/destinations/google_adwords_offline_conversions/utils.js
+++ b/src/v0/destinations/google_adwords_offline_conversions/utils.js
@@ -1,4 +1,5 @@
 const sha256 = require('sha256');
+const SqlString = require('sqlstring');
 const { get, set, cloneDeep } = require('lodash');
 const {
 AbortedError,
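Review bot: The `SqlString.format` call that builds `queryString` escapes by MySQL rules (backslash before quotes and control characters, `"` escaped as well, `0x1a` rewritten as `\Z`), but the string it produces is GAQL sent to the `googleAds:searchStream` endpoint, and nothing in the commit establishes that GAQL's string-literal grammar accepts each of those substitutions, so a conversion action name containing a double quote or a control character may be rewritten into a literal that no longer matches or that the API rejects. As far as I know GAQL does accept backslash-escaped `'` and `\`, so the interpolation risk the commit targets is closed, but that assumption deserves a unit test that passes `params.event` values containing `'`, `\` and a newline through `getConversionActionId` and pins the emitted `query`, plus a comment above the call such as `// GAQL has no bind parameters; SqlString only quotes the literal (MySQL-style escaping, checked against GAQL rules for ' and \)`. The identical construction appears in the utils.js hunk of google_adwords_offline_conversions (`@@ -53,8 +54,12 @@`) and the same point applies there; a single shared helper that builds this query would keep the two in step. The body of `getConversionActionId` and the cache callback continue beyond the hunk.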
@@ -53,8 +54,12 @@ const validateDestinationConfig = ({ Config }) => {
 const getConversionActionId = async (headers, params) => {
 const conversionActionIdKey = sha256(params.event + params.customerId).toString();
 return conversionActionIdCache.get(conversionActionIdKey, async () => {
+ const queryString = SqlString.format(
+ 'SELECT conversion_action.id FROM conversion_action WHERE conversion_action.name = ?',
+ [params.event],
+ );
 const data = {
- query: `SELECT conversion_action.id FROM conversion_action WHERE conversion_action.name = '${params.event}'`,
+ query: queryString,
 };
 const endpoint = SEARCH_STREAM.replace(':customerId', params.customerId);
 const requestOptions = {