Crash when POSTing an empty request body to /api/Feedbacks/ #1666

Closed
wadim-al opened this issue Sep 7, 2021 · 4 comments

wadim-al commented Sep 7, 2021

Steps:

  1. Start juice-shop_12.8.1
  2. Using the browser, navigate to http://localhost:3000/#/contact
  3. Using the browser, send a correct feedback form
  4. Using the OWASP ZAP history, find the POST request to http://localhost:3000/api/Feedbacks/
  5. Delete everything in the request's POST body and resend the modified request.

Expected:
Error returned in the server response.

Actual:
Juice-shop crashes. The error message is the following:

S:\JuiceShop\juice-shop_12.8.1\node_modules\sequelize\lib\dialects\abstract\query-generator.js:2269
      throw new Error(`WHERE parameter "${key}" has invalid "undefined" value`);
            ^

Error: WHERE parameter "captchaId" has invalid "undefined" value
    at SQLiteQueryGenerator.whereItemQuery (S:\JuiceShop\juice-shop_12.8.1\node_modules\sequelize\lib\dialects\abstract\query-generator.js:2269:13)
    at S:\JuiceShop\juice-shop_12.8.1\node_modules\sequelize\lib\dialects\abstract\query-generator.js:2258:25
    at Array.forEach (<anonymous>)
    at SQLiteQueryGenerator.whereItemsQuery (S:\JuiceShop\juice-shop_12.8.1\node_modules\sequelize\lib\dialects\abstract\query-generator.js:2256:35)
    at SQLiteQueryGenerator.getWhereConditions (S:\JuiceShop\juice-shop_12.8.1\node_modules\sequelize\lib\dialects\abstract\query-generator.js:2674:19)
    at SQLiteQueryGenerator.selectQuery (S:\JuiceShop\juice-shop_12.8.1\node_modules\sequelize\lib\dialects\abstract\query-generator.js:1325:28)
    at SQLiteQueryInterface.select (S:\JuiceShop\juice-shop_12.8.1\node_modules\sequelize\lib\dialects\abstract\query-interface.js:954:27)
    at Function.findAll (S:\JuiceShop\juice-shop_12.8.1\node_modules\sequelize\lib\model.js:1753:47)
    at processTicksAndRejections (node:internal/process/task_queues:94:5)
    at async Function.findOne (S:\JuiceShop\juice-shop_12.8.1\node_modules\sequelize\lib\model.js:1917:12)

@bkimminich (Member)

Which node.js version are you using? My local test with node.js 14.16.0 ended with the same error just without the server crash:

(node:4288) UnhandledPromiseRejectionWarning: Error: WHERE parameter "captchaId" has invalid "undefined" value
    at SQLiteQueryGenerator.whereItemQuery (C:\Data\GitHub\juice-shop\node_modules\sequelize\lib\dialects\abstract\query-generator.js:2269:13)
    at C:\Data\GitHub\juice-shop\node_modules\sequelize\lib\dialects\abstract\query-generator.js:2258:25
    at Array.forEach (<anonymous>)
    at SQLiteQueryGenerator.whereItemsQuery (C:\Data\GitHub\juice-shop\node_modules\sequelize\lib\dialects\abstract\query-generator.js:2256:35)
    at SQLiteQueryGenerator.getWhereConditions (C:\Data\GitHub\juice-shop\node_modules\sequelize\lib\dialects\abstract\query-generator.js:2674:19)
    at SQLiteQueryGenerator.selectQuery (C:\Data\GitHub\juice-shop\node_modules\sequelize\lib\dialects\abstract\query-generator.js:1325:28)
    at SQLiteQueryInterface.select (C:\Data\GitHub\juice-shop\node_modules\sequelize\lib\dialects\abstract\query-interface.js:954:27)
    at Function.findAll (C:\Data\GitHub\juice-shop\node_modules\sequelize\lib\model.js:1753:47)
    at processTicksAndRejections (internal/process/task_queues.js:93:5)
    at async Function.findOne (C:\Data\GitHub\juice-shop\node_modules\sequelize\lib\model.js:1917:12)
(node:4288) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). To terminate the node process on unhandled promise rejection, use the CLI flag `--unhandled-rejections=strict` (see https://nodejs.org/api/cli.html#cli_unhandled_rejections_mode). (rejection id: 4)

wadim-al commented Sep 8, 2021

v15.14.0

bkimminich added a commit that referenced this issue Sep 8, 2021

@bkimminich (Member)

Thanks, I've added proper error handling for that case. Good catch! 🎣
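
The difference between the crash on v15.14.0 and the warning on 14.16.0 matches Node.js 15 changing the default unhandled-rejection mode to throw. The following is an added example, not Juice Shop's code or the referenced commit: it shows an unvalidated lookup beside a hardened Express-style handler. `captchaStore`, `verifyCaptchaUnsafe`, `parseCaptchaId`, `verifyCaptcha`, the `captcha` field and the response messages are hypothetical; the store imitates the Sequelize error from the trace.

```javascript
// Added example; `captchaStore` and both handlers are hypothetical stand-ins.
// Like the Sequelize query generator in the trace, the store rejects when a
// WHERE value is undefined.
const captchaStore = {
  rows: [{ captchaId: 7, answer: '42' }], // constructed sample row
  async findOne ({ where }) {
    for (const [key, value] of Object.entries(where)) {
      if (value === undefined) {
        throw new Error(`WHERE parameter "${key}" has invalid "undefined" value`)
      }
    }
    return this.rows.find(r => r.captchaId === where.captchaId) || null
  }
}

// Before: the body is trusted and the rejected promise has no handler.
function verifyCaptchaUnsafe (req, res, next) {
  return captchaStore.findOne({ where: { captchaId: req.body.captchaId } })
    .then(row => (row && row.answer === req.body.captcha)
      ? next()
      : res.status(401).json({ error: 'Wrong answer to CAPTCHA' }))
}

// Accept only a non-negative integer, given as a number or a digit string.
function parseCaptchaId (body) {
  const raw = body ? body.captchaId : undefined
  const ok = Number.isInteger(raw) || (typeof raw === 'string' && /^\d+$/.test(raw))
  const id = ok ? Number(raw) : NaN
  return Number.isSafeInteger(id) && id >= 0 ? id : null
}

// After: reject malformed input with 400 and route any query failure to the
// Express error handler instead of leaving the promise unhandled.
async function verifyCaptcha (req, res, next) {
  const id = parseCaptchaId(req.body)
  if (id === null || typeof req.body.captcha !== 'string') {
    return res.status(400).json({ error: 'captchaId and captcha are required' })
  }
  try {
    const row = await captchaStore.findOne({ where: { captchaId: id } })
    if (row && row.answer === req.body.captcha) return next()
    return res.status(401).json({ error: 'Wrong answer to CAPTCHA' })
  } catch (err) {
    return next(err)
  }
}
```

With an empty body the first handler returns a rejected promise that nothing catches, while the second answers 400 before any query is built.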

github-actions bot commented Sep 9, 2022

This thread has been automatically locked because it has not had recent activity after it was closed. 🔒 Please open a new issue for regressions or related bugs.

github-actions bot locked and limited conversation to collaborators Sep 9, 2022