Last year I was doing a code review for a startup. Everything looked fine on the surface, clean code, good structure, tests passing.
Then I noticed this:
```javascript
const query = `SELECT * FROM users WHERE email = '${req.body.email}'`
```
That's it. That's the bug. SQL injection, sitting right there in a startup that had been in production for 8 months.
Nobody caught it. Not the developer, not the reviewer, not the CTO.
Here's the thing: it's not that developers are careless. It's that this kind of bug is invisible until it isn't. The code works perfectly. Tests pass. Users are happy. Until someone types `' OR '1'='1` in the email field and walks straight into your database.
## The bugs I see most often
**1. Raw SQL with user input**
```javascript
// 🚨 This is everywhere
const query = `SELECT * FROM users WHERE email = '${email}'`

// ✅ Use parameterized queries
const query = 'SELECT * FROM users WHERE email = $1'
db.query(query, [email])
```
**2. Secrets in environment variables... committed to git**
```bash
# .env
DATABASE_URL=postgres://user:actualpassword@prod-db.company.com/mydb
STRIPE_SECRET=sk_live_...
```
Then `.env` ends up in the repo because someone forgot to add it to `.gitignore`. I've seen this more times than I want to admit. GitHub's secret scanning catches some of these, but not always before someone has already cloned the repo.
**3. JWT tokens that are never actually verified**
```javascript
// 🚨 Decoding is not the same as verifying
const user = jwt.decode(token)

// ✅ Always verify
const user = jwt.verify(token, process.env.JWT_SECRET)
```
`jwt.decode` just reads the token. Anyone can forge it. `jwt.verify` actually checks the signature. The names are confusingly similar and the wrong one silently works in development.
**4. No rate limiting on auth endpoints**
```javascript
// 🚨 Anyone can try a million passwords
app.post('/login', async (req, res) => {
  const user = await db.findUser(req.body.email)
  // ...
})

// ✅ Add rate limiting (express-rate-limit)
const rateLimit = require('express-rate-limit')
const authLimiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 10                    // requests per window per client
})
app.post('/login', authLimiter, async (req, res) => {
  // ...
})
```
Without rate limiting, a brute force attack costs nothing. With it, 10 failed attempts and you're blocked for 15 minutes.
**5. Error messages that reveal too much**
```javascript
// 🚨 Tells attackers exactly what's wrong
try {
  // ...
} catch (error) {
  res.status(500).json({ error: error.message })
  // "relation 'users' does not exist"
  // "invalid input syntax for type uuid"
}

// ✅ Log internally, send a generic message
try {
  // ...
} catch (error) {
  console.error(error)
  res.status(500).json({ error: 'Something went wrong' })
}
```
Stack traces and database error messages are gold for anyone trying to map your system.
## The one question that catches most of these
Before shipping any endpoint that touches user input, ask:
**"What happens if someone sends me something I'm not expecting?"**
Empty string. Null. A 10,000 character string. SQL characters. A valid email that belongs to a different user.
Most security bugs aren't sophisticated. They're just cases nobody thought about.
What's the most embarrassing security bug you've found in production, yours or someone else's?