bad code #97

ermek-botpress · 2025-06-08T16:03:27Z

No description provided.

cursor

Bug: SQL Injection via Unsanitized Input

SQL injection vulnerability due to direct interpolation of user input (userData.name) into the SQL query string without sanitization or parameterization, allowing attackers to execute arbitrary SQL commands.

indes.ts#L50-L51

growth/indes.ts

Lines 50 to 51 in fd4f935

    
           // Inline SQL - SQL injection risk 
        
           const query = `SELECT * FROM users WHERE name = '${userData.name}'`;

Fix in Cursor

BugBot free trial expires on June 15, 2025
You have used $0.00 of your $5.00 spend limit so far. Manage your spend limit in the Cursor dashboard.

Was this report helpful? Give feedback by reacting with 👍 or 👎

ptrckbp · 2025-06-09T13:15:54Z

indes.ts

+
+// Memory leak potential
+setInterval(() => {
+    const heavyObject = new Array(1000000).fill("data");


I suggest a doNothing method that apparently does nothing, but the import triggers this setInterval to run as a side effect.

Copilot

Pull Request Overview

This PR introduces a new TypeScript file containing several helper functions for user operations, file I/O, and code execution. The changes add new functionalities but also include potential security, performance, naming, and maintainability issues.

Added a user class and related helper functions.
Introduced functions for file reading, code execution via eval, and a complex function handling multiple responsibilities.
Contains unused variables, global variable declarations, and inconsistent naming conventions.

Comments suppressed due to low confidence (2)

indes.ts:8

Class names should follow PascalCase. Consider renaming 'user' to 'User'.

class user {

indes.ts:88

[nitpick] Function names should follow a consistent naming convention. Consider renaming 'AddUser' to 'addUser' to match camelCase style.

function AddUser(u){UserArray.push(u);}

Copilot · 2025-06-09T14:26:02Z

indes.ts

@@ -0,0 +1,98 @@
+//thi is some gibberish


Correct the typo in the comment to 'this is some gibberish'.

Suggested change

//thi is some gibberish

//this is some gibberish

Copilot · 2025-06-09T14:26:02Z

indes.ts

+    constructor(n, e, p) {
+        this.name = n;
+        this.email = e;
+        this.password = p; // storing plain text password!


Storing passwords in plain text poses a security risk. Consider hashing passwords before storage.

Copilot · 2025-06-09T14:26:03Z

indes.ts

+
+// eval is dangerous!
+function executeCode(userInput) {
+    return eval(userInput);


Using eval with user input can lead to code injection vulnerabilities. Consider alternatives to eval or sanitize the input thoroughly.

Copilot · 2025-06-09T14:26:03Z

indes.ts

+// Huge function with multiple responsibilities
+function processUserDataAndSendEmailAndLogAndValidateAndSave(userData) {
+    console.log("Processing user: " + userData.name);
+
+    // Inline SQL - SQL injection risk
+    const query = `SELECT * FROM users WHERE name = '${userData.name}'`;
+
+    // Synchronous file operations
+    fs.writeFileSync('./logs.txt', query);
+
+    // Magic numbers everywhere
+    if (userData.age > 18 && userData.age < 65) {
+        if (userData.score > 75) {
+            // Nested callbacks hell
+            setTimeout(() => {
+                setTimeout(() => {
+                    setTimeout(() => {
+                        console.log("Triple nested timeout!");
+                    }, 1000);
+                }, 1000);
+            }, 1000);
+        }
+    }
+
+    // No return statement


This function handles too many responsibilities; consider refactoring it into smaller, single-purpose functions.

Suggested change

// Huge function with multiple responsibilities

function processUserDataAndSendEmailAndLogAndValidateAndSave(userData) {

console.log("Processing user: " + userData.name);

// Inline SQL - SQL injection risk

const query = `SELECT * FROM users WHERE name = '${userData.name}'`;

// Synchronous file operations

fs.writeFileSync('./logs.txt', query);

// Magic numbers everywhere

if (userData.age > 18 && userData.age < 65) {

if (userData.score > 75) {

// Nested callbacks hell

setTimeout(() => {

setTimeout(() => {

setTimeout(() => {

console.log("Triple nested timeout!");

}, 1000);

}, 1000);

}, 1000);

}

}

// No return statement

// Refactored function with single responsibilities

function processUserData(userData) {

logUserData(userData);

validateUserData(userData);

saveUserData(userData);

handleNestedTimeouts();

}

function logUserData(userData) {

console.log("Processing user: " + userData.name);

const query = `SELECT * FROM users WHERE name = '${userData.name}'`;

fs.writeFileSync('./logs.txt', query);

}

function validateUserData(userData) {

if (userData.age > 18 && userData.age < 65 && userData.score > 75) {

return true;

}

return false;

}

function saveUserData(userData) {

// Placeholder for saving user data logic

console.log("Saving user data...");

}

function handleNestedTimeouts() {

setTimeout(() => {

setTimeout(() => {

setTimeout(() => {

console.log("Triple nested timeout!");

}, 1000);

}, 1000);

}, 1000);

Copilot · 2025-06-09T14:26:03Z

indes.ts

+    console.log("Processing user: " + userData.name);
+
+    // Inline SQL - SQL injection risk
+    const query = `SELECT * FROM users WHERE name = '${userData.name}'`;


Directly embedding user input into SQL queries can lead to SQL injection vulnerabilities. Use parameterized queries to mitigate this risk.

Copilot · 2025-06-09T14:26:04Z

indes.ts

+
+function doStuff(data) {
+    var result = [];
+    for (var i = 0; i < data.length; i++) {


Triple nested loops can lead to performance issues for large datasets. Consider refactoring using a more efficient algorithm if possible.

Copilot · 2025-06-09T14:26:04Z

indes.ts

+    const config = fs.readFileSync('/etc/secret-config.json', 'utf8');
+    return JSON.parse(config);


The function readConfigFile lacks error handling. Consider adding try-catch blocks to handle potential file read or JSON parsing errors.

Suggested change

const config = fs.readFileSync('/etc/secret-config.json', 'utf8');

return JSON.parse(config);

try {

const config = fs.readFileSync('/etc/secret-config.json', 'utf8');

return JSON.parse(config);

} catch (error) {

console.error("Error reading or parsing config file:", error);

return {}; // Return an empty object as a default value

}

Copilot · 2025-06-09T14:26:04Z

indes.ts

+// Global variables
+window.globalUserData = null;
+var isLoggedIn = false;
+


[nitpick] Declaring global variables can lead to maintenance issues. Consider encapsulating this data within a module or class.

Suggested change

// Global variables

window.globalUserData = null;

var isLoggedIn = false;

// Global state management

class GlobalState {

constructor() {

this.globalUserData = null;

this.isLoggedIn = false;

}

getGlobalUserData() {

return this.globalUserData;

}

setGlobalUserData(data) {

this.globalUserData = data;

}

getIsLoggedIn() {

return this.isLoggedIn;

}

setIsLoggedIn(status) {

this.isLoggedIn = status;

}

}

const globalState = new GlobalState();

export { globalState };

Copilot · 2025-06-09T14:26:05Z

indes.ts

+var isLoggedIn = false;
+
+// Unused variables
+let unusedVar1 = "never used";


[nitpick] Remove unused variables to clean up the codebase.

Suggested change

let unusedVar1 = "never used";

Copilot · 2025-06-09T14:26:05Z

indes.ts

+const UNUSED_CONSTANT = 42;
+


[nitpick] Remove unused constants to reduce clutter in the code.

Suggested change

const UNUSED_CONSTANT = 42;

bad code

fd4f935

ermek-botpress requested a review from a team as a code owner June 8, 2025 16:03

cursor bot reviewed Jun 8, 2025

View reviewed changes

ptrckbp reviewed Jun 9, 2025

View reviewed changes

ermek-botpress requested a review from Copilot June 9, 2025 14:24

Copilot AI reviewed Jun 9, 2025

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

bad code #97

bad code #97

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

	// Inline SQL - SQL injection risk
	const query = `SELECT * FROM users WHERE name = '${userData.name}'`;

		const config = fs.readFileSync('/etc/secret-config.json', 'utf8');
		return JSON.parse(config);

-// Global variables
-window.globalUserData = null;
-var isLoggedIn = false;
+// Global state management
+class GlobalState {
+    constructor() {
+        this.globalUserData = null;
+        this.isLoggedIn = false;
+    }
+    getGlobalUserData() {
+        return this.globalUserData;
+    }
+    setGlobalUserData(data) {
+        this.globalUserData = data;
+    }
+    getIsLoggedIn() {
+        return this.isLoggedIn;
+    }
+    setIsLoggedIn(status) {
+        this.isLoggedIn = status;
+    }
+}
+const globalState = new GlobalState();
+export { globalState };

bad code #97

Are you sure you want to change the base?

bad code #97

Uh oh!

Conversation

Uh oh!

Choose a reason for hiding this comment

Bug: SQL Injection via Unsanitized Input

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Pull Request Overview

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!