feat(user): validate and sanitize UTM parameters during user creation

Author: Dobrunia

src/models/usersFactory.ts

@@ -72,7 +72,7 @@ export default class UsersFactory extends AbstractModelFactory<UserDBScheme, Use
     const generatedPassword = password || (await UserModel.generatePassword());
     const hashedPassword = await UserModel.hashPassword(generatedPassword);
 
-    const userData: any = {
+    const userData: Partial<UserDBScheme> = {
       email,
       password: hashedPassword,
       notifications: UserModel.generateDefaultNotificationsSettings(email),

src/resolvers/user.ts

@@ -11,6 +11,7 @@ import { dateFromObjectId } from '../utils/dates';
 import { UserDBScheme } from '@hawk.so/types';
 import * as telegram from '../utils/telegram';
 import { MongoError } from 'mongodb';
+import { validateUtmParams, sanitizeUtmParams } from '../utils/analytics';
 
 /**
  * See all types and fields here {@see ../typeDefs/user.graphql}
@@ -45,10 +46,17 @@ export default {
       { email, utm }: { email: string; utm?: UserDBScheme['utm'] },
       { factories }: ResolverContextBase
     ): Promise<boolean | string> {
+      // Validate and sanitize UTM parameters
+      if (!validateUtmParams(utm)) {
+        throw new UserInputError('Invalid UTM parameters provided');
+      }
+
+      const sanitizedUtm = sanitizeUtmParams(utm);
+
       let user;
 
       try {
-        user = await factories.usersFactory.create(email, undefined, utm);
+        user = await factories.usersFactory.create(email, undefined, sanitizedUtm);
 
         const password = user.generatedPassword!;
 

src/utils/analytics/index.ts

@@ -1,2 +1,3 @@
 export { Analytics } from './amplitude';
 export { AnalyticsEventTypes } from './events';
+export { validateUtmParams, sanitizeUtmParams } from './utm';

src/utils/analytics/utm.ts

@@ -0,0 +1,62 @@
+import { UserDBScheme } from '@hawk.so/types';
+
+/**
+ * Validates UTM parameters
+ * @param utm - Data form where user went to sign up. Used for analytics purposes
+ * @returns boolean - true if valid, false if invalid
+ */
+export function validateUtmParams(utm: UserDBScheme['utm']): boolean {
+  if (!utm) return true;
+
+  const utmKeys = ['source', 'medium', 'campaign', 'content', 'term'];
+  const providedKeys = Object.keys(utm);
+
+  // Check if all provided keys are valid UTM keys
+  const hasInvalidKeys = providedKeys.some((key) => !utmKeys.includes(key));
+  if (hasInvalidKeys) {
+    return false;
+  }
+
+  // Check if values are strings and not too long
+  for (const [key, value] of Object.entries(utm)) {
+    if (value !== undefined && value !== null) {
+      if (typeof value !== 'string' || value.length > 200) {
+        return false;
+      }
+      // Basic sanitization - only allow alphanumeric, spaces, hyphens, underscores, dots
+      if (!/^[a-zA-Z0-9\s\-_\.]+$/.test(value)) {
+        return false;
+      }
+    }
+  }
+
+  return true;
+}
+
+/**
+ * Sanitizes UTM parameters by removing invalid characters
+ * @param utm - Data form where user went to sign up. Used for analytics purposes
+ * @returns sanitized UTM parameters or undefined if invalid
+ */
+export function sanitizeUtmParams(utm: UserDBScheme['utm']): UserDBScheme['utm'] {
+  if (!utm) return undefined;
+
+  const utmKeys = ['source', 'medium', 'campaign', 'content', 'term'];
+  const sanitized: UserDBScheme['utm'] = {};
+
+  for (const [key, value] of Object.entries(utm)) {
+    if (utmKeys.includes(key) && value && typeof value === 'string') {
+      // Sanitize value: keep only allowed characters and limit length
+      const cleanValue = value
+        .replace(/[^a-zA-Z0-9\s\-_\.]/g, '')
+        .trim()
+        .substring(0, 200);
+
+      if (cleanValue.length > 0) {
+        (sanitized as any)[key] = cleanValue;
+      }
+    }
+  }
+
+  return Object.keys(sanitized).length > 0 ? sanitized : undefined;
+}