Merge MVP sample apps to main to trigger copy utility#37
Conversation
feat: crud functionality and aggregations for python backend
Add integration tests for Express server
feat: Add python readme
Add READMEs and cleanup
Final cleanup pass
Java final cleanup
mflix/server/js-express/src/utils/errorHandler.ts:

```ts
console.error("Error occurred:", {
  message: err.message,
  stack: err.stack,
  url: req.url,
  method: req.method,
  timestamp: new Date().toISOString(),
});
```
Semgrep identified an issue in your code:
Detected a logger that logs user input without properly neutralizing the output. The log message could contain characters like `\n` and `\r` and cause an attacker to forge log entries or include malicious content into the logs. Use proper input validation and/or output encoding to prevent log entries from being forged.
Dataflow graph:

```mermaid
flowchart LR
classDef invis fill:white, stroke: none
classDef default fill:#e7f5ff, color:#1c7fd6, stroke: none
subgraph File0["<b>mflix/server/js-express/src/utils/errorHandler.ts</b>"]
direction LR
%% Source
subgraph Source
direction LR
v0["<a href=https://github.com/mongodb/docs-sample-apps/blob/dde6b3a5c57332a2ab91299b713f5e5665378119/mflix/server/js-express/src/utils/errorHandler.ts#L46 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 46] req</a>"]
end
%% Intermediate
%% Sink
subgraph Sink
direction LR
v1["<a href=https://github.com/mongodb/docs-sample-apps/blob/dde6b3a5c57332a2ab91299b713f5e5665378119/mflix/server/js-express/src/utils/errorHandler.ts#L43 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 43] console.error("Error occurred:", {<br> message: err.message,<br> stack: err.stack,<br> url: req.url,<br> method: req.method,<br> timestamp: new Date().toISOString(),<br> })</a>"]
end
end
%% Class Assignment
Source:::invis
Sink:::invis
File0:::invis
%% Connections
Source --> Sink
```
To resolve this comment:

🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.

💬 Ignore this finding

Reply with Semgrep commands to ignore this finding:

- `/fp <comment>` for false positive
- `/ar <comment>` for acceptable risk
- `/other <comment>` for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by console-log-express.

Help? Slack #semgrep-help or go/semgrep-help.

Resolution options:

- Fix the code
- Reply `/fp $reason` (if the security gap doesn't exist)
- Reply `/ar $reason` (if the gap is valid but intentional; add mitigations/monitoring)
- Reply `/other $reason` (e.g., test-only)

You can view more details about this finding in the Semgrep AppSec Platform.
When we merge this PR, it should trigger the copy utility that automatically copies the apps out to their respective repos.