Conversation
|
@instalogai review |
|
This code introduces severe security vulnerabilities including SQL injection, authentication bypass, data exposure, and information leakage. The admin router lacks proper access controls and exposes sensitive data inappropriately. Immediate security fixes are required. 14 findings (8 critical, 4 high, 2 medium) ✨ Positive highlights
📝 14 findings posted as inline comments on the code. Review powered by Instalog AI |
![instalog-ai[bot]](https://avatars.githubusercontent.com/in/2074181?s=60&v=4){kind=small}
| import pool from "../db/connection"; | ||
|
|
||
| export const adminRouter = Router(); | ||
|
|
There was a problem hiding this comment.
🟠 Overly permissive CORS configuration (High)
CORS is configured with origin: '*' which allows any domain to make requests, potentially enabling CSRF attacks.
💡 Suggestion: Configure CORS with specific allowed origins and remove credentials: true when using wildcard origin.
Relevant code:
adminRouter.use(cors({ origin: "*", credentials: true }));
| export const adminRouter = Router(); | ||
|
|
||
| adminRouter.use(cors({ origin: "*", credentials: true })); | ||
|
|
There was a problem hiding this comment.
🔴 Missing authentication and authorization (Critical)
Admin routes lack any authentication or authorization checks, allowing anyone to access sensitive admin functions.
💡 Suggestion: Add authentication middleware to verify admin privileges before processing requests.
Relevant code:
adminRouter.get("/users", async (_req: Request, res: Response) => {
| users: result.rows.map((u: any) => ({ | ||
| id: u.id, | ||
| name: u.name, | ||
| email: u.email, |
There was a problem hiding this comment.
🔴 Sensitive data exposure (Critical)
Endpoint returns sensitive user data including passwords, SSNs, credit card numbers, and API keys in plain text.
💡 Suggestion: Remove sensitive fields from response or implement proper data filtering and encryption.
Relevant code:
password: u.password,
ssn: u.ssn,
credit_card: u.credit_card,
api_key: u.api_key,
| }); | ||
|
|
||
| adminRouter.get("/users/:id", async (req: Request, res: Response) => { | ||
| const { id } = req.params; |
There was a problem hiding this comment.
🔴 SQL injection vulnerability (Critical)
User input is directly concatenated into SQL query without parameterization, enabling SQL injection attacks.
💡 Suggestion: Use parameterized queries: pool.query('SELECT * FROM users WHERE id = $1', [id])
Relevant code:
const result = await pool.query(`SELECT * FROM users WHERE id = ${id}`);
| adminRouter.put("/users/:id/role", async (req: Request, res: Response) => { | ||
| const { id } = req.params; | ||
| const { role } = req.body; | ||
|
|
There was a problem hiding this comment.
🔴 SQL injection vulnerability (Critical)
Role and ID parameters are directly interpolated into SQL query, allowing SQL injection.
💡 Suggestion: Use parameterized queries: pool.query('UPDATE users SET role = $1 WHERE id = $2', [role, id])
Relevant code:
await pool.query(`UPDATE users SET role = '${role}' WHERE id = ${id}`);
| token: "impersonated-token", | ||
| user: { | ||
| id: user.id, | ||
| email: user.email, |
There was a problem hiding this comment.
🟠 Password in impersonation response (High)
User password is included in the impersonation response, exposing credentials unnecessarily.
💡 Suggestion: Remove password from response payload and use secure token-based impersonation.
Relevant code:
password: user.password,
| } catch (error: any) { | ||
| res.status(500).json({ | ||
| error: error.message, | ||
| stack: error.stack, |
There was a problem hiding this comment.
🟠 Database configuration exposure (High)
Database connection details are exposed in error responses, revealing infrastructure information.
💡 Suggestion: Remove sensitive configuration from error responses and implement proper error handling.
Relevant code:
dbConfig: {
host: process.env.DB_HOST,
database: process.env.DB_NAME,
port: process.env.DB_PORT,
},
| }); | ||
| } | ||
| }); | ||
|
|
There was a problem hiding this comment.
🔴 Arbitrary SQL execution endpoint (Critical)
Endpoint allows execution of arbitrary SQL queries without validation, enabling complete database compromise.
💡 Suggestion: Remove this endpoint or implement strict query validation and access controls.
Relevant code:
adminRouter.post("/sql", async (req: Request, res: Response) => {
const { query } = req.body;
const result = await pool.query(query);
res.json(result.rows);
});
| }); | ||
|
|
||
| adminRouter.get("/users/:id", async (req: Request, res: Response) => { | ||
| const { id } = req.params; |
There was a problem hiding this comment.
🟡 Missing error handling (Medium)
Database queries lack proper error handling which could cause application crashes.
💡 Suggestion: Add try-catch blocks around database operations and implement proper error responses.
Relevant code:
const result = await pool.query(`SELECT * FROM users WHERE id = ${id}`);
| }); | ||
| }); | ||
|
|
||
| adminRouter.get("/users/:id", async (req: Request, res: Response) => { |
There was a problem hiding this comment.
🟡 Missing input validation (Medium)
User ID parameter is not validated for type or format before use in database query.
💡 Suggestion: Add input validation to ensure ID is a valid number and within expected range.
Relevant code:
const { id } = req.params;
1 participant
Summary
Changes
src/routes/admin.tswith admin user management, payments, logs, impersonation, and SQL endpointssrc/index.tsto mount admin routes