From 3009e3c3dd2e0c9dca43d72957b146a369fdd73c Mon Sep 17 00:00:00 2001
From: Chege Gitau
Date: Sun, 16 Jun 2024 09:30:48 -0700
Subject: [PATCH] [Models] Delete sanitizeQuery function from SanitizationAndValidation.ts

Looking for library-provided sanitization instead.

---
 src/models/CardsMongoDB.ts | 11 +++--------
 src/models/LogInUtilities.ts | 3 ---
 src/models/MetadataMongoDB.ts | 18 +-----------------
 src/models/SanitizationAndValidation.ts | 12 ------------
 4 files changed, 4 insertions(+), 40 deletions(-)

diff --git a/src/models/CardsMongoDB.ts b/src/models/CardsMongoDB.ts
index 7d309b58..dde66f03 100644
--- a/src/models/CardsMongoDB.ts
+++ b/src/models/CardsMongoDB.ts
@@ -9,7 +9,7 @@ import { FilterQuery, SortOrder } from "mongoose";
 import * as MetadataDB from "./MetadataMongoDB";
 import { Card, ICard, ICardDocument } from "./mongoose_models/CardSchema";
-import { sanitizeCard, sanitizeQuery } from "./SanitizationAndValidation";
+import { sanitizeCard } from "./SanitizationAndValidation";
 export type CreateCardParams = Pick<
 ICard,
@@ -84,7 +84,6 @@ export function read(
 projection = "title description descriptionHTML tags urgency createdById isPublic",
 ): Promise {
- payload = sanitizeQuery(payload);
 const query: FilterQuery = { createdById: payload.userIDInApp };
 if (payload.cardID) { query._id = payload.cardID; }
 return Card.findOne(query).select(projection).exec();
@@ -179,7 +178,7 @@ export function search(
 */
 return collectSearchResults(
 computeInternalQueryFromClientQuery(
- sanitizeQuery(payload),
+ payload,
 { createdById },
 ),
 );
@@ -290,7 +289,7 @@ export function publicSearch(
 ): Promise {
 return collectSearchResults(
 computeInternalQueryFromClientQuery(
- sanitizeQuery(payload),
+ payload,
 { isPublic: true },
 ),
 );
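Review bot: In `read`, `if (payload.cardID) { query._id = payload.cardID; }` now places the request value into the `Card.findOne` filter with only a truthiness check, so a non-string value such as an object carrying a query operator is accepted as-is; `search` and `publicSearch` likewise forward `payload` unchecked to `computeInternalQueryFromClientQuery`, whose body is outside the hunk. The deleted `sanitizeQuery` tested `/^\$/` against each value, which stringifies objects, so it never rejected operator objects either — the deletion loses no real protection, but the commit leaves the gap open with nothing in its place. A narrow fix here is `if (typeof payload.cardID === "string") { query._id = payload.cardID; }`, and the library-provided option the message is looking for exists in Mongoose as `mongoose.set("sanitizeFilter", true)`, which wraps operator-shaped filter values in `$eq`. The same unchecked-filter pattern applies to the remaining hunks of this file and to `registerUserAndPassword` in LogInUtilities.ts, where `payload.username` and `payload.email` go straight into the `$or` lookup.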
@@ -323,7 +322,6 @@ export function readPublicCard(
 function _readPublicCard(
 payload: ReadPublicCardParams,
 ): Promise {
- payload = sanitizeQuery(payload);
 if (payload.cardID === undefined) {
 return Promise.reject("cardID is undefined");
 }
@@ -350,7 +348,6 @@ export interface DuplicateCardParams {
 export async function duplicateCard(
 payload: DuplicateCardParams,
 ): Promise {
- payload = sanitizeQuery(payload);
 const originalCard = await _readPublicCard({ cardID: payload.cardID });
 if (originalCard === null) {
 return Promise.reject("Card not found!");
@@ -395,7 +392,6 @@ export interface FlagCardParams {
 * as its keys. If successful, the message will contain the saved card.
 */
 export async function flagCard(payload: FlagCardParams): Promise {
- payload = sanitizeQuery(payload);
 const flagsToUpdate: Partial<
 Pick
 > = {};
@@ -429,7 +425,6 @@ export type TagGroupings = string[][];
 export function getTagGroupings(
 payload: TagGroupingsParam,
 ): Promise {
- payload = sanitizeQuery(payload);
 return Card
 .find({ createdById: payload.userIDInApp })
 .select("tags").exec()
diff --git a/src/models/LogInUtilities.ts b/src/models/LogInUtilities.ts
index c6ed9d4a..569351e9 100644
--- a/src/models/LogInUtilities.ts
+++ b/src/models/LogInUtilities.ts
@@ -18,7 +18,6 @@ import { Card } from "./mongoose_models/CardSchema";
 import { Metadata } from "./mongoose_models/MetadataCardSchema";
 import { IToken, Token } from "./mongoose_models/Token";
 import { IUser, User } from "./mongoose_models/UserSchema";
-import { sanitizeQuery } from "./SanitizationAndValidation";
 const DIGITS = "0123456789";
 const LOWER_CASE = "abcdefghijklmnopqrstuvwxyz";
@@ -260,8 +259,6 @@ export type RegisterUserAndPasswordParams =
 export async function registerUserAndPassword(
 payload: RegisterUserAndPasswordParams,
 ): Promise {
- payload = sanitizeQuery(payload);
-
 const conflictingUser = await User.findOne({
 $or: [{ username: payload.username }, { email: payload.email }],
 }).exec();
diff --git a/src/models/MetadataMongoDB.ts b/src/models/MetadataMongoDB.ts
index 26178e90..91c85be4 100644
--- a/src/models/MetadataMongoDB.ts
+++ b/src/models/MetadataMongoDB.ts
@@ -19,7 +19,6 @@ import {
 Metadata,
 } from "./mongoose_models/MetadataCardSchema";
 import { IUser, User } from "./mongoose_models/UserSchema";
-import { sanitizeQuery } from "./SanitizationAndValidation";
 type MetadataCreateParams =
 & Pick
@@ -34,8 +33,6 @@ type MetadataCreateParams =
 export async function create(
 payload: MetadataCreateParams,
 ): Promise {
- payload = sanitizeQuery(payload);
-
 const preExistingMetadata = await Metadata.findOne({
 createdById: payload.userIDInApp,
 metadataIndex: payload.metadataIndex,
@@ -64,7 +61,6 @@ export function read(
 function _readInternal(
 payload: Pick,
 ): Promise {
- payload = sanitizeQuery(payload);
 return Metadata.find({ createdById: payload.userIDInApp }).exec();
 }
@@ -200,7 +196,6 @@ export async function updatePublicUserMetadata(
 export function deleteAllMetadata(
 payload: Pick,
 ): Promise {
- payload = sanitizeQuery(payload);
 return Metadata.deleteMany({ createdById: payload.userIDInApp }).exec();
 }
@@ -216,8 +211,6 @@ export type SendCardToTrashParams = Pick;
 export async function sendCardToTrash(
 payload: SendCardToTrashParams,
 ): Promise {
- payload = sanitizeQuery(payload);
-
 const card = await Card.findOne({
 _id: payload._id,
 createdById: payload.createdById,
@@ -286,8 +279,6 @@ export type RestoreCardFromTrashParams = SendCardToTrashParams;
 export async function restoreCardFromTrash(
 restoreCardArgs: RestoreCardFromTrashParams,
 ): Promise {
- restoreCardArgs = sanitizeQuery(restoreCardArgs);
-
 const card = await Card.findOne({
 _id: restoreCardArgs._id,
 createdById: restoreCardArgs.createdById,
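Review bot: In `sendCardToTrash` and `restoreCardFromTrash`, `createdById` is the field that scopes the `Card.findOne` lookup to the caller's own cards, and after this hunk nothing checks that `payload._id` and `payload.createdById` are scalars before they enter the filter; if `createdById` is taken from the request body rather than the authenticated session (not visible in this diff), an operator-shaped value in it would widen the match to other users' cards. The same holds for `deleteCardFromTrash` in the next chunk of this file, where the filter feeds `Card.findOneAndDelete` and a widened match is destructive. A guard at the top of each, e.g. `if (typeof payload._id !== "string" || typeof payload.createdById !== "number") { return Promise.reject("invalid card reference"); }`, would close this at the model layer; the declared type of `createdById` is not shown here (`userIDInApp` is typed `number` in `writeCardsToJSONFile`, which suggests it is numeric), so adjust the check to the schema. All three function bodies continue past their hunks.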
@@ -320,8 +311,6 @@ type DeleteCardFromTrashParams = SendCardToTrashParams;
 export async function deleteCardFromTrash(
 deleteCardArgs: DeleteCardFromTrashParams,
 ): Promise {
- deleteCardArgs = sanitizeQuery(deleteCardArgs);
-
 const card = await Card.findOneAndDelete({
 _id: deleteCardArgs._id,
 createdById: deleteCardArgs.createdById,
@@ -385,9 +374,8 @@ interface WriteCardsToJSONFileResult {
 export async function writeCardsToJSONFile(
 userIDInApp: number,
 ): Promise {
- const query = sanitizeQuery({ userIDInApp: userIDInApp });
 const cards = await Card
- .find({ createdById: query.userIDInApp })
+ .find({ createdById: userIDInApp })
 .select("title description tags urgency createdAt isPublic")
 .exec();
@@ -493,8 +481,6 @@ export type UpdateUserSettingsParams = Pick<
 export async function updateUserSettings(
 newUserSettings: UpdateUserSettingsParams,
 ): Promise {
- newUserSettings = sanitizeQuery(newUserSettings);
-
 const supportedChanges = new Set(["cardsAreByDefaultPrivate", "dailyTarget"]);
 const validChanges = Object.keys(newUserSettings).filter((setting) =>
 supportedChanges.has(setting)
@@ -545,8 +531,6 @@ export type UpdateStreakParams =
 export function updateStreak(
 streakUpdateObj: UpdateStreakParams,
 ): Promise {
- streakUpdateObj = sanitizeQuery(streakUpdateObj);
-
 return Metadata
 .findOne({ createdById: streakUpdateObj.userIDInApp, metadataIndex: 0 })
 .exec()
diff --git a/src/models/SanitizationAndValidation.ts b/src/models/SanitizationAndValidation.ts
index a1ae836e..974b5fea 100644
--- a/src/models/SanitizationAndValidation.ts
+++ b/src/models/SanitizationAndValidation.ts
@@ -100,15 +100,3 @@ export function sanitizeCard(card: Partial): Partial {
 return card;
 }
-
-/**
- * @description Prevent a NoSQL Injection in the search parameters. This is
- * achieved by deleting all query values that begin with `$`.
- */
-export function sanitizeQuery(query: any) {
- const keys = Object.keys(query);
- for (let i = 0; i < keys.length; i++) {
- if (/^\$/.test(query[keys[i]])) { delete query[keys[i]]; }
- }
- return query;
-}