
flow test

flow test #39

Triggered via pull request September 24, 2024 09:04
Status Success
Total duration 2m 35s
Artifacts 4

main.yml

on: pull_request

Annotations

17 warnings
build
The following actions use a deprecated Node.js version and will be forced to run on node20: actions/checkout@v3, actions/upload-artifact@v3. For more info: https://github.blog/changelog/2024-03-07-github-actions-all-actions-will-run-on-node20-instead-of-node16-by-default/
pipeline scan
The following actions use a deprecated Node.js version and will be forced to run on node20: actions/checkout@v3, actions/download-artifact@v3. For more info: https://github.blog/changelog/2024-03-07-github-actions-all-actions-will-run-on-node20-instead-of-node16-by-default/
Security findings: application/views/userController.py#L22
from application.models import User, Blabber from application.forms import RegisterForm +from html import escape # Get logger
Security findings: application/views/userController.py#L108
parsed = sqlparse.parse(sqlQuery)[0] logger.info("Attempted login with username and password: " + parsed[8].value) - cursor.execute(sqlQuery) + cursor.execute("%s", (username,)) # END VULN CODE # GOOD CODE # sqlQuery = "select username, password, password_hint, created_at, last_login, \
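Review bot: The new `cursor.execute("%s", (username,))` drops the login SELECT altogether — the statement handed to the driver is the literal `%s` with one bound value, so the query that the rest of the function expects to have run never executes and any `row` read afterwards cannot come from it. The parameterized call must keep the statement, e.g. the query sketched in the adjacent `# GOOD CODE` comment rewritten as `cursor.execute("select username, password, password_hint, created_at, last_login, ... from users where username = %s", (username,))`. The surviving `logger.info("Attempted login with username and password: " + parsed[8].value)` line, by its own message, appears to write a credential-bearing fragment of the query to the log and should be dropped or redacted, since parameterizing the query does not fix that. The enclosing function starts and ends outside the hunk.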
Security findings: application/views/userController.py#L135
blab_name=row["blab_name"]) response = updateInResponse(currentUser, response) - update = "UPDATE users SET last_login=datetime('now') WHERE username='" + row['username'] + "';" - cursor.execute(update) + update = "UPDATE users SET last_login=datetime('now') WHERE username=%s;" + cursor.execute(update, (username, )) # if the username ends with "totp", add the TOTP login step if username[-4:].lower() == "totp":
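Review bot: The rewritten UPDATE binds the request-supplied `username`, whereas the removed line used `row['username']`, the value the database actually returned for this user; if the lookup normalizes case or whitespace those can differ, and `last_login` would then be stamped on a different row or on none. Keep the original operand: `cursor.execute(update, (row['username'],))`. The enclosing function starts and ends outside the hunk.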
Security findings: application/views/userController.py#L181
try: logger.info("Creating the Database connection") with connection.cursor() as cursor: - sql = "SELECT password_hint FROM users WHERE username = '" + username + "'" + sql = "SELECT password_hint FROM users WHERE username = %s" logger.info(sql) - cursor.execute(sql) + cursor.execute(sql, (username,)) row = cursor.fetchone() if (row):
Security findings: application/views/userController.py#L194
formatString = "Username '" + username + "' has password: {}" hint = formatString.format(password[:2] + ("*" * (len(password) - 2))) logger.info(hint) - return HttpResponse(hint) + return HttpResponse(escape(hint)) else: - return HttpResponse("No password found for " + username) + return HttpResponse(escape("No password found for " + username)) except DatabaseError as db_err: logger.error("Database error", db_err) return HttpResponse("ERROR!")
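Review bot: Wrapping the responses in `escape()` addresses the reflected-HTML finding but not the disclosure in the same lines: `hint` still embeds the first two characters of `password` (via `password[:2]`) in both the HTTP body and `logger.info(hint)`, and each request can narrow a password further. The hint endpoint should return the stored hint column instead of a masked password, and the `logger.info(hint)` line should go. Separately, `logger.error("Database error", db_err)` passes the exception as a format argument with no placeholder, so the message never renders it; use `logger.exception("Database error")` inside the except block. The enclosing function starts outside the hunk.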
Security findings: application/views/userController.py#L222
#Create db connection with connection.cursor() as cursor: - sql = "SELECT totp_secret FROM users WHERE username = '" + username + "'" + sql = "SELECT totp_secret FROM users WHERE username = %s" logger.info(sql) - cursor.execute(sql) + cursor.execute(sql, (username,)) result = cursor.fetchone() if result:
Security findings: application/views/userController.py#L256
with connection.cursor() as cursor: - sql = "SELECT totp_secret FROM users WHERE username = '" + username + "'" + sql = "SELECT totp_secret FROM users WHERE username = %s" logger.info(sql) - cursor.execute(sql) + cursor.execute(sql, (username,)) result = cursor.fetchone() if result:
Security findings: application/views/userController.py#L338
logger.info("Creating the Database connection") try: with connection.cursor() as cursor: - sqlQuery = "SELECT username FROM users WHERE username = '" + username + "'" - cursor.execute(sqlQuery) + sqlQuery = "SELECT username FROM users WHERE username = %s" + cursor.execute(sqlQuery, (username,)) row = cursor.fetchone() if (row): request.error = "Username '" + username + "' already exists!"
Security findings: application/views/userController.py#L417
query += ("'" + blabName + "'") query += (");") #execute query - cursor.execute(query) + cursor.execute("%s", (password,)) sqlStatement = cursor.fetchone() #<- variable for response logger.info(query) # END EXAMPLE VULNERABILITY
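Review bot: `cursor.execute("%s", (password,))` does not parameterize the INSERT, it replaces it — the concatenated statement in `query` is never executed, the literal `%s` is, and the following `cursor.fetchone()` and `logger.info(query)` still operate on a query that was built by string concatenation and now never ran. The fix has to rebuild the statement with one placeholder per column and bind every value, e.g. `query = "INSERT INTO users (...) VALUES (%s, %s, ..., %s)"` followed by `cursor.execute(query, (username, password, ..., blabName))`; the column list is assembled above the hunk and is not visible here. Also drop `logger.info(query)` once the values are bound, since it would otherwise log the parameter-free template only and previously logged the password. The enclosing function starts and ends outside the hunk.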
Security findings: application/views/userController.py#L491
with connection.cursor() as cursor: # Find the Blabbers that this user listens to logger.info(sqlMyHecklers) - cursor.execute(sqlMyHecklers % username) + cursor.execute(sqlMyHecklers, (username,)) myHecklersResults = cursor.fetchall() hecklers=[] for i in myHecklersResults:
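Review bot: `cursor.execute(sqlMyHecklers, (username,))` is only correct if `sqlMyHecklers`, which is defined outside the hunk, contains exactly one `%s` and no other literal `%`; the removed `sqlMyHecklers % username` suggests it does, but a stray `%` (for example in a `LIKE '%...'`) would now raise at execute time rather than silently interpolate, so confirm the template. If the string was written with a quoted `'%s'`, the quotes must be removed as well, since the driver supplies quoting for bound parameters. The enclosing function starts and ends outside the hunk.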
Security findings: application/views/userController.py#L508
events = [] # START EXAMPLE VULNERABILITY - sqlMyEvents = "select event from users_history where blabber=\"" + username + "\" ORDER BY eventid DESC; " - logger.info(sqlMyEvents) - cursor.execute(sqlMyEvents) + sqlMyEvents = "select event from users_history where blabber=%s ORDER BY eventid DESC; " + logger.info(sqlMyEvents, (username,)) + cursor.execute(sqlMyEvents, (username,)) userHistoryResult = cursor.fetchall() # END EXAMPLE VULNERABILITY
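Review bot: `logger.info(sqlMyEvents, (username,))` hands the tuple to the logger as the single `%s` argument, so the log line renders the query with `('alice',)` substituted, and it re-attaches user-controlled input to the log record that the other hunks deliberately stopped logging. Log the template only, matching the sibling changes: `logger.info(sqlMyEvents)`. The enclosing function starts and ends outside the hunk.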
Security findings: application/views/userController.py#L518
events.append(result[0]) # Get the users information - sql = "SELECT username, real_name, blab_name, totp_secret FROM users WHERE username = '" + username + "'" + sql = "SELECT username, real_name, blab_name, totp_secret FROM users WHERE username = %s" logger.info(sql) - cursor.execute(sql) + cursor.execute(sql, (username, )) myInfoResults = cursor.fetchone() if not myInfoResults: return JsonResponse({'message':'Error, no Inforesults found'})
Security findings: application/views/userController.py#L557
# Initial response only get returns if everything else succeeds. # This must be here in order to use set_cookie later in the program msg = f"<script>alert('Successfully changed values!\\nusername: {username.lower()}\\nReal Name: {realName}\\nBlab Name: {blabName}');</script>" - response = JsonResponse({'values':{"username": username.lower(), "realName": realName, "blabName": blabName}, 'message':msg},status=200) + response = JsonResponse({'values':escape({"username": username.lower(), "realName": realName, "blabName": blabName}),'message':msg}, status=200) logger.info("entering processProfile") sessionUsername = request.session.get('username')
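Review bot: `escape({...})` is applied to a dict, and `html.escape` calls `.replace` on its argument, so this line raises `AttributeError` on every request and the view never returns its response. The injection the finding targets is not in the JSON values anyway but in `msg`, where `username.lower()`, `realName` and `blabName` are interpolated raw into a `<script>alert('...')</script>` string: a single quote or `</script>` in a profile field breaks out of the JavaScript literal. Restore the original `response = JsonResponse({'values': {"username": username.lower(), "realName": realName, "blabName": blabName}, 'message': msg}, status=200)` and instead stop shipping an inline script — return the values and let the client render them — or, at minimum, embed each value in `msg` via `json.dumps(value)` so it is a valid JS string literal rather than HTML-escaped text (HTML entities are not decoded inside script content). The enclosing function starts and ends outside the hunk.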
Deprecation notice: v1, v2, and v3 of the artifact actions
The following artifacts were uploaded using a version of actions/upload-artifact that is scheduled for deprecation: "scan-target", "Veracode Pipeline-Scan Results". Please update your workflow to use v4 of the artifact actions. Learn more: https://github.blog/changelog/2024-04-16-deprecation-notice-v3-of-the-artifact-actions/
create fixes
The following actions use a deprecated Node.js version and will be forced to run on node20: actions/checkout@v3. For more info: https://github.blog/changelog/2024-03-07-github-actions-all-actions-will-run-on-node20-instead-of-node16-by-default/

Artifacts

Produced during runtime
Name Size
Veracode Pipeline-Scan Results Expired
10.2 KB
Veracode Pipeline-Scan Results Expired
181 KB
scan-target Expired
747 KB
uploaded-app Expired
9.24 KB