From 5f91547dff022b31328a21b19738a687cce1106f Mon Sep 17 00:00:00 2001
From: Tim Warner
Date: Tue, 9 Dec 2025 08:28:04 -0600
Subject: [PATCH] Potential fix for code scanning alert no. 1872: Database query built from user-controlled sources

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 vulnerable_repos/juice-shop/routes/updateProductReviews.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/vulnerable_repos/juice-shop/routes/updateProductReviews.ts b/vulnerable_repos/juice-shop/routes/updateProductReviews.ts
index c5d88cf..5cddd32 100644
--- a/vulnerable_repos/juice-shop/routes/updateProductReviews.ts
+++ b/vulnerable_repos/juice-shop/routes/updateProductReviews.ts
@@ -15,7 +15,7 @@ export function updateProductReviews () {
   return (req: Request, res: Response, next: NextFunction) => {
     const user = security.authenticatedUsers.from(req) // vuln-code-snippet vuln-line forgedReviewChallenge
     db.reviewsCollection.update( // vuln-code-snippet neutral-line forgedReviewChallenge
-      { _id: req.body.id }, // vuln-code-snippet vuln-line noSqlReviewsChallenge forgedReviewChallenge
+      { _id: { $eq: req.body.id } }, // FIXED: use $eq to prevent NoSQL injection
       { $set: { message: req.body.message } },
       { multi: true } // vuln-code-snippet vuln-line noSqlReviewsChallenge
     ).then(
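Review bot: The `$eq` wrapper on the added line stops an operator object in `req.body.id` from being interpreted as a query, but the new code still does not check that `req.body.id` is a string, and the `{ multi: true }` context line two lines below means any value matching more than one document still rewrites all of them; a guard such as `if (typeof req.body.id !== 'string') return res.status(400).send()` before the `update` call would close that. The authenticated `user` read on the second context line is still unused in the filter, so the update is not scoped to the caller's own reviews — the forgedReviewChallenge marker on that line points at exactly this and the commit does not address it (the review document's author field is not visible in this hunk, so the exact filter key cannot be given here). Replacing the `vuln-code-snippet vuln-line noSqlReviewsChallenge forgedReviewChallenge` marker with a `// FIXED:` comment also drops the annotation that the challenge tooling in this vulnerable_repos copy appears to key on; if the intent is to keep that challenge runnable, the marker should be kept alongside any change. The enclosing arrow function continues past the end of the hunk.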