Security review: SQL injection vulnerabilities - OWASP Top 10 mapping and remediation

[Copilot]

Comprehensive security analysis of the SQL injection demo API with concrete remediation implementations. Identified 12 vulnerabilities across 5 OWASP Top 10 2021 categories.

Vulnerabilities Identified

Critical (9)

• 8 SQL injection variants (A03:2021) - GET params, authentication, search, ORDER BY, INSERT, UPDATE, DELETE, blind injection
• Plaintext password storage (A02:2021)

High (1)

• Missing rate limiting on authentication (A07:2021)

Medium (2)

• Verbose error messages exposing database details (A05:2021)
• No security event logging (A09:2021)

Remediation

Secure Implementation (secure/api-enhanced.js)

Before - Vulnerable concatenation:

const query = `SELECT * FROM users WHERE username = '${username}' AND password = '${password}'`;
db.query(query, callback);

After - Parameterized queries + bcrypt:

const [rows] = await pool.execute(
  'SELECT id, username, password_hash FROM users WHERE username = ?',
  [username]
);
const valid = await bcrypt.compare(password, rows[0].password_hash);

Security Controls Added

• Parameterized queries for all database operations
• bcrypt password hashing (12 rounds)
• Rate limiting (5 attempts/15min on login)
• Security headers (helmet.js)
• Input validation (express-validator with whitelisting for ORDER BY)
• Security event logging
• Generic error messages

Documentation

• SECURITY_FINDINGS.md - Vulnerability table with line numbers, OWASP mappings, impact analysis, remediation steps
• SECURITY_REVIEW_SUMMARY.md - Executive summary with validation results
• QUICK_REFERENCE.md - Side-by-side code comparisons
• README.md - Demo guide with attack examples

Validation

CodeQL scan: 0 alerts

The vulnerable demo code remains unchanged for educational purposes. Secure implementations are provided alongside for comparison.

Original prompt

You are an application security engineer.
Review this file for security issues.

Call out any issues and map them to the OWASP Top 10 (ID and name).

Explain why each issue matters in a sentence or two.

Suggest concrete code changes in this file to improve security.

Keep the answer short and structured as a table plus a bullet list of remediation steps.

Create your changes in a new feature branch and of course file a PR.

Created from VS Code via the GitHub Pull Request extension.

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

[github-actions]

⚠️ Deprecation Warning: The deny-licenses option is deprecated for possible removal in the next major release. For more information, see issue 997.

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 1 package(s) with unknown licenses.

See the Details below.

License Issues

lesson-01/demo-02-sql-injection/secure/package.json

Package	Version	License	Issue Type
express-rate-limit	^7.1.0	Null	Unknown License

Denied Licenses:

GPL-3.0, AGPL-3.0

OpenSSF Scorecard

Package	Version	Score	Details
npm/bcrypt	^5.1.1	🟢 3.7	Details Check Score Reason Maintained ⚠️ 0 0 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 0 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review 🟢 7 Found 7/9 approved changesets -- score normalized to 7 Binary-Artifacts 🟢 10 no binaries found in the repo Security-Policy 🟢 4 security policy file detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Pinned-Dependencies ⚠️ 2 dependency not pinned by hash detected -- score normalized to 2 Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Vulnerabilities 🟢 5 5 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/express	^4.18.2	🟢 8.8	Details Check Score Reason Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 10 25 commit(s) and 13 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 9 Found 14/15 approved changesets -- score normalized to 9 Dependency-Update-Tool 🟢 10 update tool detected Pinned-Dependencies 🟢 6 dependency not pinned by hash detected -- score normalized to 6 Security-Policy 🟢 10 security policy file detected Binary-Artifacts 🟢 10 no binaries found in the repo Packaging ⚠️ -1 packaging workflow not detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege License 🟢 10 license file detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected Fuzzing ⚠️ 0 project is not fuzzed CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Signed-Releases ⚠️ -1 no releases found SAST 🟢 10 SAST tool is run on all commits CI-Tests 🟢 10 28 out of 28 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 117 contributing companies or organizations
npm/express-rate-limit	^7.1.0	Unknown	Unknown
npm/express-validator	^7.0.1	🟢 4.3	Details Check Score Reason Code-Review ⚠️ 2 Found 5/22 approved changesets -- score normalized to 2 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Maintained 🟢 10 11 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected License 🟢 10 license file detected Pinned-Dependencies 🟢 5 dependency not pinned by hash detected -- score normalized to 5 Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Fuzzing ⚠️ 0 project is not fuzzed Vulnerabilities ⚠️ 0 15 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/helmet	^7.1.0	🟢 7.6	Details Check Score Reason Code-Review ⚠️ 0 Found 2/26 approved changesets -- score normalized to 0 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 10 12 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10 Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Packaging ⚠️ -1 packaging workflow not detected Security-Policy 🟢 10 security policy file detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 10 all dependencies are pinned CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST 🟢 5 SAST tool is not run on all commits -- score normalized to 5
npm/mysql2	^3.6.0	🟢 6.8	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 7 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 10 security policy file detected Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies 🟢 4 dependency not pinned by hash detected -- score normalized to 4 License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Packaging 🟢 10 packaging workflow detected Vulnerabilities 🟢 8 2 existing vulnerabilities detected SAST 🟢 10 SAST tool is run on all commits
npm/express	^4.18.2	🟢 8.8	Details Check Score Reason Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 10 25 commit(s) and 13 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 9 Found 14/15 approved changesets -- score normalized to 9 Dependency-Update-Tool 🟢 10 update tool detected Pinned-Dependencies 🟢 6 dependency not pinned by hash detected -- score normalized to 6 Security-Policy 🟢 10 security policy file detected Binary-Artifacts 🟢 10 no binaries found in the repo Packaging ⚠️ -1 packaging workflow not detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege License 🟢 10 license file detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected Fuzzing ⚠️ 0 project is not fuzzed CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Signed-Releases ⚠️ -1 no releases found SAST 🟢 10 SAST tool is run on all commits CI-Tests 🟢 10 28 out of 28 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 117 contributing companies or organizations
npm/mysql2	^3.6.0	🟢 6.8	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 7 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 10 security policy file detected Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies 🟢 4 dependency not pinned by hash detected -- score normalized to 4 License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Packaging 🟢 10 packaging workflow detected Vulnerabilities 🟢 8 2 existing vulnerabilities detected SAST 🟢 10 SAST tool is run on all commits

Scanned Files

• lesson-01/demo-02-sql-injection/secure/package.json
• lesson-01/demo-02-sql-injection/vulnerable/package.json