From 3597bcdbfb7c934029571997427f9f0ceddd8153 Mon Sep 17 00:00:00 2001
From: Austen Stone <austenstone@github.com>
Date: Sun, 23 Jan 2022 17:53:36 -0500
Subject: [PATCH] copilot creates a security vulnerability

---
 model/products.js  | 15 ++++++++++++++-
 routes/products.js | 21 +++++++++++++++++++++
 2 files changed, 35 insertions(+), 1 deletion(-)

diff --git a/model/products.js b/model/products.js
index 6df3f92..6822166 100644
--- a/model/products.js
+++ b/model/products.js
@@ -49,12 +49,25 @@ function get_purcharsed(username) {
 
 }
 
+function create(product) {
+    // implement a function that creates a new product
+    // and returns the product id
+    var q = "INSERT INTO products(name, description, price) VALUES('" +
+            product.name + "', '" +
+            product.description + "', '" +
+            product.price +
+            "');";
+
+    return db.one(q);
+}
+
 var actions = {
     "list": list_products,
     "getProduct": getProduct,
     "search": search,
     "purchase": purchase,
-    "getPurchased": get_purcharsed
+    "getPurchased": get_purcharsed,
+    "create": create
 }
 
 module.exports = actions;
diff --git a/routes/products.js b/routes/products.js
index 814f834..57a4cbb 100644
--- a/routes/products.js
+++ b/routes/products.js
@@ -144,6 +144,27 @@ router.all('/products/buy', function(req, res, next) {
 
 });
 
+// Create a new router endpoint with a security vulnerability
+router.all('/products/create', function(req, res, next) {
+    let params = null;
+    if (req.method == "GET"){
+        params = url.parse(req.url, true).query;
+    } else {
+        params = req.body;
+    }
+
+    let product = null;
+    product = {
+        name: params.name,
+        description: params.description,
+        price: params.price,
+        image: params.image,
+        username: req.session.user_name
+    }
+
+    // Create product
+    db_products.create(product)
+});
 
 
 module.exports = router;