bug: remediate Snyk SAST findings in routes/index.js (NoSQL injection, open redirect, rate limiting)#55
Open
devin-ai-integration[bot] wants to merge 1 commit into
Conversation
…, open redirect, rate limiting) Co-Authored-By: Stephen Cornwell <stephen@cognition.ai>
| hits.set(key, entry); | ||
| } | ||
| entry.count += 1; | ||
| if (entry.count > max) { |
| } | ||
| var username = String(req.body.username); | ||
| var password = String(req.body.password); | ||
| if (validator.isEmail(username)) { |
| if (redirectPage) { | ||
| return res.redirect(redirectPage) | ||
| // Resolve to a constant from the allowlist so an attacker-controlled value | ||
| // can never be used as the redirect target (prevents open redirect). |
Author
🤖 Devin AI EngineerI'll be helping with this pull request! Here's what you should know: ✅ I will automatically:
Note: I can only respond to comments from users who have write access to this repository. ⚙️ Control Options:
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Remediates one Snyk SAST group, all confined to
routes/index.js(no other files touched).Findings addressed
javascript/NoSqli(CWE-943)routes/index.js:39javascript/OROpen Redirect (CWE-601)routes/index.js:61javascript/NoRateLimitingForExpensiveWebOperation(CWE-770):67,75,82,89,152,241,298(7)snyk code testforroutes/index.js: 9 → 7 findings. NoSqli and Open Redirect cleared; the 7 rate-limiting findings remain flagged (Snyk only credits known middleware libraries — see note).NoSQL injection (
loginHandler)Reject non-string credentials before they reach the Mongo query, then coerce to primitive strings so operator objects (
{$gt:""},{$ne:null}) can't be injected:Open redirect (
adminLoginSuccess)Resolve the post-login target from a constant same-origin allowlist; the redirect always uses the matched constant, never the attacker-controlled value:
Rate limiting (7 expensive handlers)
Added a minimal in-file fixed-window per-IP limiter and wrapped the flagged handlers (
login,admin,get_account_details,save_account_details,create,import,about_new):Note: Snyk's
NoRateLimitingForExpensiveWebOperationonly recognizes known middleware (e.g.express-rate-limit), which would require editingpackage.json— owned by a different remediation bucket, so it was intentionally left untouched. The in-file limiter provides equivalent runtime protection (verified: 100×200then429), but Snyk continues to flag these 7 until the dependency-based middleware is adopted.Verification
node --check routes/index.jspasses;npm install+npm run build(browserify) succeed.node --openssl-legacy-provider app.js) against MongoDB;/and/loginreturn200.400; maliciousredirectPage=https://evil.com→ redirected to/admin; allowlisted/account_detailshonored;/about_newreturns429after 100 req/min.snyk code test9 → 7 findings forroutes/index.js(NoSqli + Open Redirect cleared).git diff --name-onlyconfirms onlyroutes/index.jschanged.UI smoke test recording (TODO list create + login page render) attached in the session.
Link to Devin session: https://app.devin.ai/sessions/1114ed5c091f49ebb81c677f4f193b29
Requested by: @stephencornwell
Devin Review