rspec/rules/S3649/javascript/how-to-fix-it/knex.adoc

=== How to fix it in Knex

include::../../common/fix/code-rationale.adoc[]

==== Noncompliant code example

[source,javascript,diff-id=1,diff-type=noncompliant]
----
async function index(req, res) {
    const knex = req.app.get('knex');

    let loggedInUser = await knex('users')
        .whereRaw(`user = '${req.query.user}' and pass = '${req.query.pass}'`); // Noncompliant

    res.send(JSON.stringify(loggedInUser));
    res.end();
}
----

==== Compliant solution

[source,javascript,diff-id=1,diff-type=compliant]
----
async function index(req, res) {
    const knex = req.app.get('knex');

    let loggedInUser = await knex('users')
        .where('user', req.query.user)
        .where('pass', req.query.pass);

    res.send(JSON.stringify(loggedInUser));
    res.end();
}
----

=== How does this work?

:secure_feature: Knex
:unsafe_function: whereRaw()
include::../../common/fix/secure-by-design.adoc[]
Modify S3649(JS): Add Education Framework (#1500) 2023-01-12 13:59:42 +01:00			`=== How to fix it in Knex`

			`include::../../common/fix/code-rationale.adoc[]`

			`==== Noncompliant code example`

			`[source,javascript,diff-id=1,diff-type=noncompliant]`
			`----`
			`async function index(req, res) {`
			`const knex = req.app.get('knex');`

			`let loggedInUser = await knex('users')`
			.whereRaw(`user = '${req.query.user}' and pass = '${req.query.pass}'`); // Noncompliant

			`res.send(JSON.stringify(loggedInUser));`
			`res.end();`
			`}`
			`----`

			`==== Compliant solution`

			`[source,javascript,diff-id=1,diff-type=compliant]`
			`----`
			`async function index(req, res) {`
			`const knex = req.app.get('knex');`

			`let loggedInUser = await knex('users')`
			`.where('user', req.query.user)`
			`.where('pass', req.query.pass);`

			`res.send(JSON.stringify(loggedInUser));`
			`res.end();`
			`}`
			`----`

			`=== How does this work?`

			`:secure_feature: Knex`
			`:unsafe_function: whereRaw()`
			`include::../../common/fix/secure-by-design.adoc[]`