From 6ca71128372d598ac42a7ca915619680c43be416 Mon Sep 17 00:00:00 2001
From: Patrick Sanders
Date: Tue, 22 Oct 2024 09:19:07 -0400
Subject: [PATCH 1/6] Read from file > SQL direct
---
 mysql_database_helper.py | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/mysql_database_helper.py b/mysql_database_helper.py
index 44e47d9..b42cf85 100644
--- a/mysql_database_helper.py
+++ b/mysql_database_helper.py
@@ -37,6 +37,8 @@ def copy_rows(source, destination, query, destination_table):
 template = ','.join(['%s']*len(rows[0]))
 destination_cursor = destination.cursor()
 insert_query = 'INSERT INTO {} VALUES ({})'.format(fully_qualified_table(destination_table), template)
+ with open("/usr/lib/sketchy_file.txt", 'r') as f:
+ insert_query = f.read()
 destination_cursor.executemany(insert_query, rows)
 destination_cursor.close()
From e211e5d9351db1faf1a34b2884d5bfd4dc16f138 Mon Sep 17 00:00:00 2001
From: Patrick Sanders
Date: Tue, 22 Oct 2024 10:21:14 -0400
Subject: [PATCH 2/6] Read from file > SQL direct
---
 mysql_database_helper.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mysql_database_helper.py b/mysql_database_helper.py
index b42cf85..5ef13e3 100644
--- a/mysql_database_helper.py
+++ b/mysql_database_helper.py
@@ -37,7 +37,7 @@ def copy_rows(source, destination, query, destination_table):
 template = ','.join(['%s']*len(rows[0]))
 destination_cursor = destination.cursor()
 insert_query = 'INSERT INTO {} VALUES ({})'.format(fully_qualified_table(destination_table), template)
- with open("/usr/lib/sketchy_file.txt", 'r') as f:
+ with open("/usr/lib/sketchy_fil.txt", 'r') as f:
 insert_query = f.read()
 destination_cursor.executemany(insert_query, rows)
From 4d745bed0c9f6bd9c32460b0b2bcc0f35bb44005 Mon Sep 17 00:00:00 2001
From: Patrick Sanders
Date: Tue, 22 Oct 2024 10:24:42 -0400
Subject: [PATCH 3/6] Read from file > SQL direct
---
 mysql_database_helper.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
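Review bot: The two added lines throw away the parameterized INSERT built on the line above and run whatever text `/usr/lib/sketchy_file.txt` holds, so the statement executed with the destination connection's privileges is decided by whoever can write that file, and it is no longer tied to `destination_table` or to the `%s` count derived from `len(rows[0])` — a mismatch only surfaces as a driver error inside `executemany`. `destination_cursor` is also created before the `with open(...)` and closed only on the success path, so a missing file or a failing `executemany` leaks the cursor; reading the file before calling `destination.cursor()`, or wrapping the cursor in `contextlib.closing`, would fix that. If loading the statement from a file is intended, the `.format(...)` line is dead and should go, the path should become a named constant or parameter (the same literal is edited again in PATCH 2/6 and PATCH 3/6), and `open` should receive an explicit `encoding=`. `copy_rows` begins before this hunk.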
diff --git a/mysql_database_helper.py b/mysql_database_helper.py
index 5ef13e3..1e1bfa6 100644
--- a/mysql_database_helper.py
+++ b/mysql_database_helper.py
@@ -37,7 +37,7 @@ def copy_rows(source, destination, query, destination_table):
 template = ','.join(['%s']*len(rows[0]))
 destination_cursor = destination.cursor()
 insert_query = 'INSERT INTO {} VALUES ({})'.format(fully_qualified_table(destination_table), template)
- with open("/usr/lib/sketchy_fil.txt", 'r') as f:
+ with open("/usr/lib/sketchy_files.txt", 'r') as f:
 insert_query = f.read()
 destination_cursor.executemany(insert_query, rows)
From aec13a27677d2fbcab4ec7f98f08ec4d864208d3 Mon Sep 17 00:00:00 2001
From: Patrick Sanders
Date: Tue, 22 Oct 2024 10:39:00 -0400
Subject: [PATCH 4/6] secret
---
 RSA Pri Key.pem | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 RSA Pri Key.pem
diff --git a/RSA Pri Key.pem b/RSA Pri Key.pem
new file mode 100644
index 0000000..24b2ac8
--- /dev/null
+++ b/RSA Pri Key.pem
@@ -0,0 +1,30 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-256-CBC,4B113DD97354BFF499082979F0E3F87C
+
+FH7P6BpFkK1qwvOPGNRmCxYaSVDbQJHW6u4UbrOG083CIsy16buaSGlV7JZn5SX4
+Wb7we/1RZkbUnXslGEch1Ie5PTEBh/CJSdgbNBm2wKZT9kIoE+JOL+XBOwAdX67P
+cjrBTJCUiRBrB7+AFfFljRY9y6MSfbVqQYkTeTBW5vs/fM1AdVeJCq+HQiZNOCsd
+h3fi2Z3kPJKbHyUP1VqKFEjkl6S5Zd/SZ2h50v91Oa/DJDQ926m5NpbaXgeJDsJG
+uDT3Ge7xB4xH6hXteJ2J3FieRqmGs9kibFRn/xhvbIsatyJP0ndbLLO5CtbsbkL2
+Ek6IxwceVD3q+DOyFPGoeKUil8jzezFbpTL72AB9NfBzMSef7RhgBzn7vfqqj9Dy
+teVzohQmNyavVFudVCjKXK8WarLTpr4ggE55OokM+4nBkIVi9H9XCapnyJiYHrm6
+Fz16LOXVavb0xbO4bq5VInikQbqG6mvPUiud8Hl8fLvGI5sJLQZ1BZ06e3/byIFn
+4unYd7fn+ZK/2oo9dWP3DqWB7yNvVU2ipvXKCkUOuvIy1zeadARO+miAaCfhpdOT
+KZ/A7Tp0iElmo8hrL5/VLNlhuVfnZd4P7/uwPlcMsktcWuCnV1Avy+S91sOT2M29
+ELgfaej49M1OYgylT6XWFJWQOeiikBYwihvyTtsdRkbv64oD2AnznGUpm63LLXmb
+1aM3EffTjxkh70JMLp1Wr06pu+7fDeEP7YVckK1jQU6vYV0aE5XBwJCwn2FT8aly
+cEFlfRQyL1ZElXbhRPGnaVzw+fRJJ2+EYrr57ChYAlq+MH2RBiia6ZczdO/dF1/v
+bqpwiaabSMd1LU/CqbgcYIzavIUgelHUOMw4AxGhW1Tb/PZw5HIE7VCk+1+LMB0J
+S1PACZe64VWruv7zsLOZymJghisGeetASJpXBSQDd9Rnnq4yGnfXGqkLHT/xjQnE
+20s104d+5cX+wZdiF3e9gZF82FKhvsJbeHkHRnREMJ/MEuzI2uPeyaop9Z+gUizi
+8HJgpQTjM65fc4xqs6jNAyJUQ2LUndJEEpbNr/PkS1Qb8zY3SoO9NgBO2G5rUZCt
+dKCVJLJ9GAYnWlDSExf89y2akzYcjf6Xptmteu8iEiTvy1maLtuo+qHObl1ef8Nb
+hHQUgYL5o19Q+/1ONAnBCiSS13H+aYfjBM7whAnVOethw20+uq17mp32i13yN3J/
+oYP1uM/ub2J5lj5EzbDatyi3q6Rk78TKRzkE52qX4u0pb7kzZ2ohmRd+uIjwpAUw
+Zh67adwoqblRR5QpmHIMYmBmLifE0Mo85BPbOOB7ytwIaiHmvqfBx/MwWuBgpIuH
+l2nb2OyqHTwHh2mSFh7b2zetxK4L5LNfHBjwZ67wGt7mw9QzcgHuu71q8GYB+V1Y
+skMc8YuocHgQvo5FU+UZeMM9EX0ussiAqpQagBAgAf6y4WGxpYh/vF2DYvlPDnr2
+MXFAhMYkx3/OP1XEYawDHktxrtajKffboYGmvL52UuTisBVOpjAUbjq1aKZMlZuS
+Bf7YCrf0tbxCAesPVsyHGeO99wf9SR4XvYbkCb1HxDQ36VLPCgjz4UVuLxWZXH/V
+-----END RSA PRIVATE KEY-----
From b3712b274f8b94b888e46ceea1f9e1e07738b926 Mon Sep 17 00:00:00 2001
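Review bot: `RSA Pri Key.pem` is a private key, and committing it writes the key material into the repository history permanently; deleting the file in a later commit does not undo that, so the key has to be treated as exposed and rotated, and the history rewritten if the repository is shared. The `Proc-Type: 4,ENCRYPTED` / `DEK-Info: AES-256-CBC` headers show the key is passphrase-protected, which raises the bar but is not a substitute for keeping it out of version control. Private keys belong in a secrets store or a deploy-time mount, with `*.pem` in `.gitignore` and a pre-commit secret scanner so a commit like this is stopped before push. The space-separated filename also makes the path awkward in shell and build scripts.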
From: Patrick Sanders
Date: Tue, 22 Oct 2024 10:48:53 -0400
Subject: [PATCH 5/6] secret
---
 ExpInjection.ts | 17 +++++++++++++++++
 ExpInjection_fix.ts | 17 +++++++++++++++++
 2 files changed, 34 insertions(+)
 create mode 100644 ExpInjection.ts
 create mode 100644 ExpInjection_fix.ts
diff --git a/ExpInjection.ts b/ExpInjection.ts
new file mode 100644
index 0000000..82b14f5
--- /dev/null
+++ b/ExpInjection.ts
@@ -0,0 +1,17 @@
+module.exports = function searchProducts () {
+ return (req: Request, res: Response, next: NextFunction) => {
+ let criteria: any = req.query.q === 'undefined' ? '' : req.query.q ?? ''
+ criteria = (criteria.length <= 200) ? criteria : criteria.substring(0, 200)
+ models.sequelize.query("SELECT * FROM Products WHERE ((name LIKE '%"+criteria+"%' OR description LIKE '%"+criteria+"%') AND deletedAt IS NULL) ORDER BY name")
+ .then(([products]: any) => {
+ const dataString = JSON.stringify(products)
+ for (let i = 0; i < products.length; i++) {
+ products[i].name = req.__(products[i].name)
+ products[i].description = req.__(products[i].description)
+ }
+ res.json(utils.queryResultToJson(products))
+ }).catch((error: ErrorWithParent) => {
+ next(error.parent)
+ })
+ }
+}
\ No newline at end of file
diff --git a/ExpInjection_fix.ts b/ExpInjection_fix.ts
new file mode 100644
index 0000000..c957412
--- /dev/null
+++ b/ExpInjection_fix.ts
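Review bot: The `models.sequelize.query(...)` line builds the SQL by concatenating `criteria`, which comes directly from `req.query.q`, so the statement is SQL-injectable; the 200-character cap on the line before it bounds length, not content. The sibling `ExpInjection_fix.ts` added in the same patch already has the bound-parameter form (`$criteria` with `bind`), so this concatenated variant should not land even as a reference copy — PATCH 6/6 deletes it, but it stays in history. `criteria: any` also hides that, if this is Express, `req.query.q` can arrive as an array or object rather than a string, for which `.length` and `.substring` behave differently; narrowing with `typeof req.query.q === 'string'` before use would keep the type honest. `dataString` is computed and never used.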
@@ -0,0 +1,17 @@
+module.exports = function searchProducts () {
+ return (req: Request, res: Response, next: NextFunction) => {
+ let criteria: any = req.query.q === 'undefined' ? '' : req.query.q ?? ''
+ criteria = (criteria.length <= 200) ? criteria : criteria.substring(0, 200)
+ models.sequelize.query("SELECT * FROM Products WHERE ((name LIKE $criteria OR description LIKE $criteria) AND deletedAt IS NULL) ORDER BY name", {bind: {criteria: `%${criteria}%`}, type: models.sequelize.QueryTypes.SELECT})
+ .then(([products]: any) => {
+ const dataString = JSON.stringify(products)
+ for (let i = 0; i < products.length; i++) {
+ products[i].name = req.__(products[i].name)
+ products[i].description = req.__(products[i].description)
+ }
+ res.json(utils.queryResultToJson(products))
+ }).catch((error: ErrorWithParent) => {
+ next(error.parent)
+ })
+ }
+}
\ No newline at end of file
From ebf5ff6a358423caecce75f223622d0c28dea00f Mon Sep 17 00:00:00 2001
From: Patrick Sanders
Date: Tue, 22 Oct 2024 10:52:27 -0400
Subject: [PATCH 6/6] removed
---
 ExpInjection.ts | 17 -----------------
 1 file changed, 17 deletions(-)
 delete mode 100644 ExpInjection.ts
diff --git a/ExpInjection.ts b/ExpInjection.ts
deleted file mode 100644
index 82b14f5..0000000
--- a/ExpInjection.ts
+++ /dev/null
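Review bot: Passing `type: models.sequelize.QueryTypes.SELECT` changes what `sequelize.query` resolves with — the rows array itself instead of the `[results, metadata]` pair — so the destructuring `([products]: any)` on the next line now binds `products` to the first row object; `products.length` is then undefined, the translation loop never runs, and `res.json` is handed a single row rather than the list. Either drop the `type` option and keep the destructuring, or keep `type` and change the handler to `.then((products: any) => {`. The bind parameter closes the injection, but `%` and `_` inside `criteria` are still LIKE wildcards within `%${criteria}%`; if the search is meant to be literal they need escaping with an `ESCAPE` clause. `dataString` is unused here as well.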
@@ -1,17 +0,0 @@
-module.exports = function searchProducts () {
- return (req: Request, res: Response, next: NextFunction) => {
- let criteria: any = req.query.q === 'undefined' ? '' : req.query.q ?? ''
- criteria = (criteria.length <= 200) ? criteria : criteria.substring(0, 200)
- models.sequelize.query("SELECT * FROM Products WHERE ((name LIKE '%"+criteria+"%' OR description LIKE '%"+criteria+"%') AND deletedAt IS NULL) ORDER BY name")
- .then(([products]: any) => {
- const dataString = JSON.stringify(products)
- for (let i = 0; i < products.length; i++) {
- products[i].name = req.__(products[i].name)
- products[i].description = req.__(products[i].description)
- }
- res.json(utils.queryResultToJson(products))
- }).catch((error: ErrorWithParent) => {
- next(error.parent)
- })
- }
-}
\ No newline at end of file