Validate PATCH /line/:lineid/bounds requests (#452)

thehabes · web-flow · commit 2b0c24a2a7e7 · 2026-02-23T11:15:30.000-06:00
* First pass at validating the xywh

* changes while reviewing
diff --git a/classes/Line/Line.js b/classes/Line/Line.js
@@ -180,9 +180,11 @@ export default class Line {
     }
 
     async updateBounds({x, y, w, h}, options = {}) {
-        if (!x || !y || !w || !h) {
-            throw new Error('Bounds ({x,y,w,h}) must be provided')
+        const isValidBound = v => (Number.isInteger(v) && v >= 0) || (typeof v === 'string' && /^\d+$/.test(v))
+        if (!isValidBound(x) || !isValidBound(y) || !isValidBound(w) || !isValidBound(h)) {
+            throw new Error('Bounds ({x,y,w,h}) must be non-negative integers')
         }
+        x = parseInt(x, 10); y = parseInt(y, 10); w = parseInt(w, 10); h = parseInt(h, 10)
         if (options.creator) this.creator = options.creator
         this.target ??= ''
         const newTarget = this.updateTargetXYWH(this.target, x, y, w, h)
diff --git a/line/index.js b/line/index.js
@@ -270,9 +270,11 @@ router.patch('/:lineId/bounds', auth0Middleware(), async (req, res) => {
     if (!(await projectObj.checkUserAccess(user._id, ACTIONS.UPDATE, SCOPES.SELECTOR, ENTITIES.LINE))) {
       return respondWithError(res, 403, 'You do not have permission to update line bounds in this project')
     }
-    if (typeof req.body !== 'object' || !req.body.x || !req.body.y || !req.body.w || !req.body.h) {
-      return respondWithError(res, 400, 'Invalid request body. Expected an object with x, y, w, and h properties.')
+    const isValidBound = v => (Number.isInteger(v) && v >= 0) || (typeof v === 'string' && /^\d+$/.test(v))
+    if (!req.body || typeof req.body !== 'object' || Array.isArray(req.body) || !isValidBound(req.body.x) || !isValidBound(req.body.y) || !isValidBound(req.body.w) || !isValidBound(req.body.h)) {
+      return respondWithError(res, 400, 'Invalid request body. Expected an object with x, y, w, and h as non-negative integers.')
     }
+    const bounds = { x: parseInt(req.body.x, 10), y: parseInt(req.body.y, 10), w: parseInt(req.body.w, 10), h: parseInt(req.body.h, 10) }
     const project = await getProjectById(req.params.projectId)
     const page = await findPageById(req.params.pageId, req.params.projectId)
     const findOldLine = page.items?.find(l => l.id.split('/').pop() === req.params.lineId?.split('/').pop())
@@ -283,7 +285,7 @@ router.patch('/:lineId/bounds', auth0Middleware(), async (req, res) => {
     let oldLine = await fetch(findOldLine.id).then(res => res.json())
     delete oldLine.label
     const line = new Line(oldLine)
-    const updatedLine = await line.updateBounds(req.body, { creator: user._id })
+    const updatedLine = await line.updateBounds(bounds, { creator: user._id })
     const lineIndex = page.items.findIndex(l => l.id.split('/').pop() === req.params.lineId?.split('/').pop())
     page.items[lineIndex] = updatedLine
 

Original file line number	Diff line number	Diff line change
`@@ -180,9 +180,11 @@ export default class Line {`
`180`	`180`	`}`
`181`	`181`
`182`	`182`	`async updateBounds({x, y, w, h}, options = {}) {`
`183`		`- if (!x \|\| !y \|\| !w \|\| !h) {`
`184`		`- throw new Error('Bounds ({x,y,w,h}) must be provided')`
	`183`	`+ const isValidBound = v => (Number.isInteger(v) && v >= 0) \|\| (typeof v === 'string' && /^\d+$/.test(v))`
	`184`	`+ if (!isValidBound(x) \|\| !isValidBound(y) \|\| !isValidBound(w) \|\| !isValidBound(h)) {`
	`185`	`+ throw new Error('Bounds ({x,y,w,h}) must be non-negative integers')`
`185`	`186`	`}`
	`187`	`+ x = parseInt(x, 10); y = parseInt(y, 10); w = parseInt(w, 10); h = parseInt(h, 10)`
`186`	`188`	`if (options.creator) this.creator = options.creator`
`187`	`189`	`this.target ??= ''`
`188`	`190`	`const newTarget = this.updateTargetXYWH(this.target, x, y, w, h)`