Address Sequelize replacements and sanitizations (#593)

* Use replacements * Fix bad table var mappings
NASA-AMMOS · Oct 15, 2024 · 5ade405 · 5ade405
1 parent 388afa3
commit 5ade405
Show file tree

Hide file tree

Showing 7 changed files with 988 additions and 814 deletions.
diff --git a/API/Backend/Datasets/routes/datasets.js b/API/Backend/Datasets/routes/datasets.js
@@ -39,15 +39,13 @@ function get(req, res, next) {
     Datasets.findOne({ where: { name: queries[i].dataset } })
       .then((result) => {
         if (result) {
-          const column = queries[i].column
-            .replace(/[`~!@#$%^&*|+\-=?;:'",.<>\{\}\[\]\\\/]/gi, "")
-            .replace(/[^ -~]+/g, "");
+          const column = queries[i].column;
           sequelize
             .query(
               "SELECT * FROM " +
-                result.dataValues.table +
+                Utils.forceAlphaNumUnder(result.dataValues.table) +
                 ' WHERE "' +
-                column +
+                Utils.forceAlphaNumUnder(column) +
                 '"=:search ORDER BY id ASC LIMIT 100',
               {
                 replacements: {
@@ -175,7 +173,7 @@ router.post("/search", function (req, res, next) {
         sequelize
           .query(
             "SELECT properties, ST_AsGeoJSON(geom) FROM " +
-              table +
+              Utils.forceAlphaNumUnder(table) +
               " WHERE properties ->> :key = :value;",
             {
               replacements: {
@@ -240,7 +238,9 @@ router.get("/download", function (req, res, next) {
         let table = result.dataValues.table;
 
         sequelize
-          .query("SELECT * FROM " + table)
+          .query("SELECT * FROM " + Utils.forceAlphaNumUnder(table), {
+            replacements: {},
+          })
           .then(([results]) => {
             res.send({
               status: "success",
@@ -343,7 +343,7 @@ router.post("/upload", function (req, res, next) {
         if (fields.upsert === "true") {
           let condition = "";
           fields.header.forEach((elm) => {
-            elm = elm.replace(/[`~!@#$%^&*|+\-=?;:'",.<>\{\}\[\]\\\/]/gi, "");
+            elm = Utils.forceAlphaNumUnder(elm);
             condition +=
               ' AND ( a."' +
               elm +
@@ -359,12 +359,15 @@ router.post("/upload", function (req, res, next) {
           sequelize
             .query(
               "DELETE FROM " +
-                tableName +
+                Utils.forceAlphaNumUnder(tableName) +
                 " a USING " +
-                tableName +
+                Utils.forceAlphaNumUnder(tableName) +
                 " b " +
                 "WHERE b.id < a.id" +
-                condition
+                condition,
+              {
+                replacements: {},
+              }
             )
             .then(() => {
               res.send({
@@ -461,7 +464,14 @@ router.post("/upload", function (req, res, next) {
         tableObj = result.tableObj;
       } else {
         sequelize
-          .query("TRUNCATE TABLE " + result.table + " RESTART IDENTITY")
+          .query(
+            "TRUNCATE TABLE " +
+              Utils.forceAlphaNumUnder(result.table) +
+              " RESTART IDENTITY",
+            {
+              replacements: {},
+            }
+          )
           .then(() => {
             tableObj = result.tableObj;
           })
@@ -514,7 +524,14 @@ router.post("/recreate", function (req, res, next) {
 
       if (req.body.mode == "full") {
         sequelize
-          .query("TRUNCATE TABLE " + result.table + " RESTART IDENTITY")
+          .query(
+            "TRUNCATE TABLE " +
+              Utils.forceAlphaNumUnder(result.table) +
+              " RESTART IDENTITY",
+            {
+              replacements: {},
+            }
+          )
           .then(() => {
             populateDatasetTable(
               result.tableObj,