[Models] Delete sanitizeQuery function from SanitizationAndValidation.ts

Looking for library-provided sanitization instead.

src/models/CardsMongoDB.ts

@@ -9,7 +9,7 @@
 import { FilterQuery, SortOrder } from "mongoose";
 import * as MetadataDB from "./MetadataMongoDB";
 import { Card, ICard, ICardDocument } from "./mongoose_models/CardSchema";
-import { sanitizeCard, sanitizeQuery } from "./SanitizationAndValidation";
+import { sanitizeCard } from "./SanitizationAndValidation";
 
 export type CreateCardParams = Pick<
   ICard,
@@ -84,7 +84,6 @@ export function read(
   projection =
     "title description descriptionHTML tags urgency createdById isPublic",
 ): Promise<ICard | null> {
-  payload = sanitizeQuery(payload);
   const query: FilterQuery<ICard> = { createdById: payload.userIDInApp };
   if (payload.cardID) { query._id = payload.cardID; }
   return Card.findOne(query).select(projection).exec();
@@ -179,7 +178,7 @@ export function search(
    */
   return collectSearchResults(
     computeInternalQueryFromClientQuery(
-      sanitizeQuery(payload),
+      payload,
       { createdById },
     ),
   );
@@ -290,7 +289,7 @@ export function publicSearch(
 ): Promise<CardsSearchResult[]> {
   return collectSearchResults(
     computeInternalQueryFromClientQuery(
-      sanitizeQuery(payload),
+      payload,
       { isPublic: true },
     ),
   );
@@ -323,7 +322,6 @@ export function readPublicCard(
 function _readPublicCard(
   payload: ReadPublicCardParams,
 ): Promise<ICardDocument | null> {
-  payload = sanitizeQuery(payload);
   if (payload.cardID === undefined) {
     return Promise.reject("cardID is undefined");
   }
@@ -350,7 +348,6 @@ export interface DuplicateCardParams {
 export async function duplicateCard(
   payload: DuplicateCardParams,
 ): Promise<ICard> {
-  payload = sanitizeQuery(payload);
   const originalCard = await _readPublicCard({ cardID: payload.cardID });
   if (originalCard === null) {
     return Promise.reject("Card not found!");
@@ -395,7 +392,6 @@ export interface FlagCardParams {
  * as its keys. If successful, the message will contain the saved card.
  */
 export async function flagCard(payload: FlagCardParams): Promise<ICard> {
-  payload = sanitizeQuery(payload);
   const flagsToUpdate: Partial<
     Pick<ICard, "numTimesMarkedAsDuplicate" | "numTimesMarkedForReview">
   > = {};
@@ -429,7 +425,6 @@ export type TagGroupings = string[][];
 export function getTagGroupings(
   payload: TagGroupingsParam,
 ): Promise<TagGroupings> {
-  payload = sanitizeQuery(payload);
   return Card
     .find({ createdById: payload.userIDInApp })
     .select("tags").exec()

src/models/LogInUtilities.ts

@@ -18,7 +18,6 @@ import { Card } from "./mongoose_models/CardSchema";
 import { Metadata } from "./mongoose_models/MetadataCardSchema";
 import { IToken, Token } from "./mongoose_models/Token";
 import { IUser, User } from "./mongoose_models/UserSchema";
-import { sanitizeQuery } from "./SanitizationAndValidation";
 
 const DIGITS = "0123456789";
 const LOWER_CASE = "abcdefghijklmnopqrstuvwxyz";
@@ -260,8 +259,6 @@ export type RegisterUserAndPasswordParams =
 export async function registerUserAndPassword(
   payload: RegisterUserAndPasswordParams,
 ): Promise<string> {
-  payload = sanitizeQuery(payload);
-
   const conflictingUser = await User.findOne({
     $or: [{ username: payload.username }, { email: payload.email }],
   }).exec();

src/models/MetadataMongoDB.ts

@@ -19,7 +19,6 @@ import {
   Metadata,
 } from "./mongoose_models/MetadataCardSchema";
 import { IUser, User } from "./mongoose_models/UserSchema";
-import { sanitizeQuery } from "./SanitizationAndValidation";
 
 type MetadataCreateParams =
   & Pick<IMetadata, "metadataIndex">
@@ -34,8 +33,6 @@ type MetadataCreateParams =
 export async function create(
   payload: MetadataCreateParams,
 ): Promise<IMetadata> {
-  payload = sanitizeQuery(payload);
-
   const preExistingMetadata = await Metadata.findOne({
     createdById: payload.userIDInApp,
     metadataIndex: payload.metadataIndex,
@@ -64,7 +61,6 @@ export function read(
 function _readInternal(
   payload: Pick<IUser, "userIDInApp">,
 ): Promise<IMetadataDocument[]> {
-  payload = sanitizeQuery(payload);
   return Metadata.find({ createdById: payload.userIDInApp }).exec();
 }
 
@@ -200,7 +196,6 @@ export async function updatePublicUserMetadata(
 export function deleteAllMetadata(
   payload: Pick<IUser, "userIDInApp">,
 ): Promise<DeleteResult> {
-  payload = sanitizeQuery(payload);
   return Metadata.deleteMany({ createdById: payload.userIDInApp }).exec();
 }
 
@@ -216,8 +211,6 @@ export type SendCardToTrashParams = Pick<ICard, "_id" | "createdById">;
 export async function sendCardToTrash(
   payload: SendCardToTrashParams,
 ): Promise<string> {
-  payload = sanitizeQuery(payload);
-
   const card = await Card.findOne({
     _id: payload._id,
     createdById: payload.createdById,
@@ -286,8 +279,6 @@ export type RestoreCardFromTrashParams = SendCardToTrashParams;
 export async function restoreCardFromTrash(
   restoreCardArgs: RestoreCardFromTrashParams,
 ): Promise<string> {
-  restoreCardArgs = sanitizeQuery(restoreCardArgs);
-
   const card = await Card.findOne({
     _id: restoreCardArgs._id,
     createdById: restoreCardArgs.createdById,
@@ -320,8 +311,6 @@ type DeleteCardFromTrashParams = SendCardToTrashParams;
 export async function deleteCardFromTrash(
   deleteCardArgs: DeleteCardFromTrashParams,
 ): Promise<string> {
-  deleteCardArgs = sanitizeQuery(deleteCardArgs);
-
   const card = await Card.findOneAndDelete({
     _id: deleteCardArgs._id,
     createdById: deleteCardArgs.createdById,
@@ -385,9 +374,8 @@ interface WriteCardsToJSONFileResult {
 export async function writeCardsToJSONFile(
   userIDInApp: number,
 ): Promise<WriteCardsToJSONFileResult> {
-  const query = sanitizeQuery({ userIDInApp: userIDInApp });
   const cards = await Card
-    .find({ createdById: query.userIDInApp })
+    .find({ createdById: userIDInApp })
     .select("title description tags urgency createdAt isPublic")
     .exec();
 
@@ -493,8 +481,6 @@ export type UpdateUserSettingsParams = Pick<
 export async function updateUserSettings(
   newUserSettings: UpdateUserSettingsParams,
 ): Promise<IUser> {
-  newUserSettings = sanitizeQuery(newUserSettings);
-
   const supportedChanges = new Set(["cardsAreByDefaultPrivate", "dailyTarget"]);
   const validChanges = Object.keys(newUserSettings).filter((setting) =>
     supportedChanges.has(setting)
@@ -545,8 +531,6 @@ export type UpdateStreakParams =
 export function updateStreak(
   streakUpdateObj: UpdateStreakParams,
 ): Promise<IStreak> {
-  streakUpdateObj = sanitizeQuery(streakUpdateObj);
-
   return Metadata
     .findOne({ createdById: streakUpdateObj.userIDInApp, metadataIndex: 0 })
     .exec()

src/models/SanitizationAndValidation.ts

@@ -100,15 +100,3 @@ export function sanitizeCard(card: Partial<ICard>): Partial<ICard> {
 
   return card;
 }
-
-/**
- * @description Prevent a NoSQL Injection in the search parameters. This is
- * achieved by deleting all query values that begin with `$`.
- */
-export function sanitizeQuery(query: any) {
-  const keys = Object.keys(query);
-  for (let i = 0; i < keys.length; i++) {
-    if (/^\$/.test(query[keys[i]])) { delete query[keys[i]]; }
-  }
-  return query;
-}