This repository has been archived by the owner on Oct 21, 2022. It is now read-only.

smart-contracts/Badge\ Class.txt: Database queries being formed with concatenation of strings/stringified values #4

Open
sveeke opened this issue Oct 3, 2018 · 1 comment

Comments

@sveeke

sveeke commented Oct 3, 2018

Database queries being formed with concatenation of strings/stringified values

In the smart-contract module, in the Badge\ Class.txt file, the query is constructed using string concatenation and uses parameters directly, which may lead to query injection issues.

The attack vector is a peer node in the blockchain community, which can send malicious parameters causing SQL injection.

  1. $1 is used by concatenation
    Line 19: const entity = await query("SELECT", "entities", "WHERE entity = $1;", [from]);
    Line 29: const institution = await query("SELECT", "institutions", "WHERE institution = $1;"

  2. $3 is used by concatenation
    Line 41: + "ON CONSTRAINT endorseclasses_pkey DO UPDATE SET endorsed = $3;"

  3. $1, $2, $3 are used by concatenation
    Line 45: const changed = await query("UPDATE", "endorseclasses", "SET endorsed = $3 WHERE class = $1 AND entity = $2;"
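The query helper shape cited above, as an added example that is not the project's own code: `buildQuery` reconstructs the `query(verb, table, clause, params)` form, concatenating only the developer-written SQL fragments (checked against allow-lists) while caller-supplied values stay in the bound-parameter list matched to `$1..$n`; `buildQueryInterpolated` is the contrasting form in which a value is spliced into the statement text. The function names, allow-lists and sample value are assumptions.

```javascript
// Added example (not from the project): reconstruction of the
// query(verb, table, clause, params) helper shape referenced in the issue.
// Allow-lists and names below are assumptions.
const ALLOWED_VERBS = new Set(["SELECT", "INSERT", "UPDATE"]);
const ALLOWED_TABLES = new Set(["entities", "institutions", "endorseclasses"]);

// Bound-parameter shape: verb, table and clause are developer-written
// fragments; caller values go only into `params`, which a driver sends to the
// database separately and matches to $1..$n. The SQL text never contains a
// caller value, so quotes or keywords in a value cannot alter the statement.
function buildQuery(verb, table, clause, params = []) {
  if (!ALLOWED_VERBS.has(verb)) throw new Error("unexpected verb: " + verb);
  if (!ALLOWED_TABLES.has(table)) throw new Error("unexpected table: " + table);
  const head = verb === "SELECT" ? "SELECT * FROM " + table : verb + " " + table;
  const text = head + " " + clause;
  // Every $n in the text must have exactly one supplied value, and every
  // supplied value must be referenced; a mismatch is a bug, not a query.
  const used = new Set((text.match(/\$\d+/g) || []).map((p) => Number(p.slice(1))));
  for (let i = 1; i <= params.length; i++) {
    if (!used.has(i)) throw new Error("unused parameter $" + i);
  }
  for (const n of used) {
    if (n < 1 || n > params.length) throw new Error("missing value for $" + n);
  }
  return { text, params };
}

// Interpolated shape, for contrast: the value becomes part of the SQL text,
// so any quote character in it is parsed as SQL grammar rather than as data.
function buildQueryInterpolated(table, column, value) {
  const text = "SELECT * FROM " + table + " WHERE " + column + " = '" + value + "';";
  return { text, params: [] };
}

// Does the statement text carry the caller-supplied value verbatim?
function textContainsValue(q, value) {
  return q.text.includes(value);
}

// Constructed sample value: a legitimate name that happens to contain a quote.
const sampleValue = "O'Brien";
const boundQuery = buildQuery("SELECT", "entities", "WHERE entity = $1;", [sampleValue]);
const splicedQuery = buildQueryInterpolated("entities", "entity", sampleValue);
```

With the bound form the statement text is identical for every input and the value travels only in `params`; with the spliced form the unbalanced quote from the sample value lands inside the SQL text itself.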

@wdenbakker

See #5 (comment).
