feat(security): add validations before saving

Vasitos · Oct 16, 2023 · 8dbb47a · 8dbb47a
1 parent 6d63def
commit 8dbb47a
Show file tree

Hide file tree

Showing 4 changed files with 84 additions and 8 deletions.
diff --git a/src/database/repositories/serverProperties/index.js b/src/database/repositories/serverProperties/index.js
@@ -1,5 +1,6 @@
 const ServerProperties = require('../../schemas/serverProperties');
 const ServerPropertiesCategory = require('../../schemas/serverPropertiesCategory');
+const mongoose = require('mongoose');
 
 async function findCategoryByKey(key) {
     return await ServerPropertiesCategory.findOne({ key: { $eq: key } });
@@ -25,6 +26,9 @@ async function createServerProperty(data) {
 
 async function updateServerPropertyById(id, data) {
     try {
+        if (!mongoose.Types.ObjectId.isValid(id)) {
+            throw new Error("Invalid 'id' parameter.");
+        }
         const updatedServerProperty = await ServerProperties.findByIdAndUpdate(id, data, { new: true });
         return updatedServerProperty;
     } catch (error) {
@@ -107,7 +111,6 @@ async function getProperties() {
                             data: '$data',
                             category: '$category._id',
                             isConfigured: '$isConfigured',
-                            __v: '$__v'
                         }
                     }
                 }

diff --git a/src/middlewares/serverPropertiesValidation.js b/src/middlewares/serverPropertiesValidation.js
@@ -0,0 +1,40 @@
+const { serverPropertyValidation, serverPropertyKeyValueValidation } = require('../utils/serverPropertiesValidationSchema');
+
+async function serverPropertiesValidation(req, res, next) {
+    const { error, value } = serverPropertyValidation(req.body);
+
+    if (error) {
+        const messages = error.details.map((message) => message.message);
+                const invalidValues = error.details.map((message) => message.context.key);
+
+        return res.status(400).json({
+            error: true,
+            message: messages,
+            invalidValues: invalidValues,
+        });
+    } else {
+        return next();
+    }
+}
+
+async function serverPropertiesKeyValueValidation(req, res, next) {
+    const { error, value } = serverPropertyKeyValueValidation(req.body);
+
+    if (error) {
+        const messages = error.details.map((message) => message.message);
+                const invalidValues = error.details.map((message) => message.context.key);
+
+        return res.status(400).json({
+            error: true,
+            message: messages,
+            invalidValues: invalidValues,
+        });
+    } else {
+        return next();
+    }
+}
+
+module.exports = {
+    serverPropertiesValidation,
+    serverPropertiesKeyValueValidation
+};
diff --git a/src/routes/serverRouter.js b/src/routes/serverRouter.js
@@ -1,6 +1,6 @@
-var express = require('express');
-var router = express.Router();
-var { updateProperties,
+let express = require('express');
+let router = express.Router();
+let { updateProperties,
     getServerProperties,
     getServerPropertyById,
     updateServerProperty,
@@ -11,8 +11,9 @@ var { updateProperties,
     getServerCategories,
     getServerPropertiesByCategory }
     = require('../controllers/serverController')
-var verifyToken = require('../middlewares/verifyToken')
-var verifyPermissions = require('../middlewares/verifyPermissions')
+let verifyToken = require('../middlewares/verifyToken')
+let verifyPermissions = require('../middlewares/verifyPermissions')
+let { serverPropertiesValidation, serverPropertiesKeyValueValidation } = require('../middlewares/serverPropertiesValidation')
 const checkUniqueKeyServerPropertiesCategory = require('../middlewares/checkUniqueKeyServerPropertiesCategory')
 
 router.get('/', verifyToken, verifyPermissions(), getServerInformation);
@@ -21,8 +22,8 @@ router.get('/properties/category/:categoryId', getServerPropertiesByCategory);
 router.get('/properties', getServerProperties);
 router.get('/properties/:id', getServerPropertyById);
 router.post('/properties/map', mapConfiguration);
-router.put('/properties/:id', updateServerProperty);
-router.put('/properties/', updateProperties);
+router.put('/properties/:id', serverPropertiesValidation, updateServerProperty);
+router.put('/properties/', serverPropertiesKeyValueValidation, updateProperties);
 router.delete('/properties/:id', deleteServerProperty);
 // Categories
 router.get('/categories', getServerCategories);

diff --git a/src/utils/serverPropertiesValidationSchema.js b/src/utils/serverPropertiesValidationSchema.js
@@ -0,0 +1,32 @@
+const Joi = require('joi');
+
+const serverPropertyValidation = (body) => {
+    const serverPropertySchema = Joi.object({
+        _id: Joi.string().alphanum().length(24).required(),
+        key: Joi.string().optional(),
+        type: Joi.string().optional(),
+        value: Joi.string().optional(),
+        default: Joi.string().optional(),
+        data: Joi.any().optional(),
+        category: Joi.string().optional(),
+        isConfigured: Joi.boolean().optional(),
+        isArray: Joi.boolean().optional(),
+    }).unknown(false).options({ abortEarly: false });
+    return serverPropertySchema.validate(body);
+};
+
+
+const serverPropertyKeyValueValidation = (body) => {
+    const schema = Joi.array().items(
+        Joi.object({
+            key: Joi.string().required(),
+            value: Joi.any().required(),
+        }).unknown(false).options({ abortEarly: false })
+    );
+    return schema.validate(body);
+};
+
+module.exports= {
+    serverPropertyValidation,
+    serverPropertyKeyValueValidation
+};