juice-shop

1
const injectionChars = /"|'|;|and|or|;|#/i;
2

3
module.exports = function searchProducts () {
4
  return (req: Request, res: Response, next: NextFunction) => {
5
    let criteria: any = req.query.q === 'undefined' ? '' : req.query.q ?? ''
6
    criteria = (criteria.length <= 200) ? criteria : criteria.substring(0, 200)
7
    if (criteria.match(injectionChars)) {
8
      res.status(400).send()
9
      return
10
    }
11
    models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`)
12
      .then(([products]: any) => {
13
        const dataString = JSON.stringify(products)
14
        for (let i = 0; i < products.length; i++) {
15
          products[i].name = req.__(products[i].name)
16
          products[i].description = req.__(products[i].description)
17
        }
18
        res.json(utils.queryResultToJson(products))
19
      }).catch((error: ErrorWithParent) => {
20
        next(error.parent)
21
      })
22
  }
23
}