style: sonarqube security

Author: jd-apprentice

.vscode/settings.json

@@ -1,3 +1,7 @@
 {
     "editor.formatOnSave": true,
+    "sonarlint.connectedMode.project": {
+        "connectionId": "dyallab",
+        "projectKey": "jd-apprentice_waifuland-api"
+    },
 }

src/image/image-repository.ts

@@ -1,8 +1,12 @@
+// External Modules
+import { Types } from 'mongoose';
+
 // Internal Modules
 import Image from './schema/image-schema';
-import Tag from '../tag/schema/tag-schema';
-import { hasTag } from '../common/utils/ref';
+import Tag from 'src/tag/schema/tag-schema';
+import { hasTag } from 'src/common/utils/ref';
 import { ImageProp } from './interfaces/image-interface';
+import { rollbar } from 'src/app/config/rollbar';
 
 class ImageRepository {
   /**
@@ -11,11 +15,18 @@ class ImageRepository {
    * @return { Promise<ImageProp> } - A new image created
    */
   async create(image: ImageProp): Promise<ImageProp> {
-    const tagExists = await Tag.findOne({ tag_id: { $eq: image.tag } });
+    const sanitizedTagId = image.tag.toString().trim();
+    if (!Types.ObjectId.isValid(sanitizedTagId)) {
+      rollbar.error('Invalid tag id');
+      throw new Error('Invalid tag id');
+    }
+
+    const tagExists = await Tag.findOne({ tag_id: sanitizedTagId });
     const _idTag = tagExists?._id;
+
     return Image.create({
       ...image,
-      tag: _idTag ?? image.tag,
+      tag: _idTag ?? image.tag,  // Use validated tag or fallback
     });
   }
 

src/user/user-middleware.ts

@@ -24,10 +24,11 @@ const userExists = async (
   res: Response,
   next: NextFunction,
 ): Promise<MiddlewareUser> => {
-  const { username } = req.body;
+  const { username } = req.body as { username: string };
+  const sanitizedUsername = username.toString();
 
   try {
-    const user = await User.findOne({ username: { $eq: username } });
+    const user = await User.findOne({ username: { $eq: sanitizedUsername } });
 
     if (user) {
       return res.status(409).json({ error: 'User already exists' });
@@ -52,10 +53,12 @@ const validateUser = async (
   next: NextFunction,
 ): Promise<MiddlewareUser> => {
   try {
-    const { username, password } = req.body;
-    const user = await User.findOne({ username: { $eq: username } });
+    const { username, password } = req.body as { username: string; password: string };
+    const [sanitizedUsername, sanitizedPassword] = [username.toString(), password.toString()];
 
-    if (user?.password && (await bcrypt.compare(password, user.password))) {
+    const user = await User.findOne({ $expr: { $eq: ['$username', sanitizedUsername] } });
+
+    if (user?.password && (await bcrypt.compare(sanitizedPassword, user.password))) {
       return next();
     }
 
@@ -75,10 +78,11 @@ const isAdmin = async (
   res: Response,
   next: NextFunction,
 ): Promise<MiddlewareUser> => {
-  const { username } = req.body;
+  const { username } = req.body as { username: string };
+  const sanitizedUsername = username.toString();
 
   try {
-    const user = await User.findOne({ username: { $eq: username } });
+    const user = await User.findOne({ $expr: { $eq: ['$username', sanitizedUsername] } });
 
     if (user?.isAdmin) {
       return next();
@@ -105,7 +109,8 @@ const validateToken = async (
     const { authorization } = req.headers;
     const token = authorization?.replace('Bearer ', '');
     if (secret) {
-      const decoded = jwt.verify(token as string, secret);
+      if (!token) return res.json(boom.unauthorized());
+      const decoded = jwt.verify(token, secret);
       return decoded ? next() : res.json(boom.unauthorized());
     }
   } catch (error) {

src/user/user-repository.ts

@@ -1,5 +1,6 @@
 // Internal Modules
-import User from '../user/schema/user-schema';
+import { rollbar } from 'src/app/config/rollbar';
+import User from 'src/user/schema/user-schema';
 import { IUser, UserPicture } from './interfaces/user-interface';
 
 class UserRepository {
@@ -8,6 +9,14 @@ class UserRepository {
    * @param {Iuser} user - user to be created
    */
   async create(user: IUser) {
+    const sanitizedUsername = user.username.toString();
+    const userExists = await this.findUserByUsername(sanitizedUsername);
+
+    if (userExists) {
+      rollbar.error('User already exists');
+      throw new Error('User already exists');
+    }
+
     return User.create(user);
   }
 
@@ -24,15 +33,17 @@ class UserRepository {
    * @param {string} id - id of the user
    */
   async findUser(id: string): Promise<IUser | null> {
-    return User.findOne({ _id: { $eq: id } });
+    const sanitizedId = id.toString();
+    return User.findOne({ $expr: { $eq: ["$_id", sanitizedId] } })
   }
 
   /**
    * @description Find a user by username
    * @param {string} username - username of the user
    */
   async findUserByUsername(username: string): Promise<IUser | null> {
-    return User.findOne({ username: { $eq: username } });
+    const sanitizedUsername = username.toString();
+    return User.findOne({ $expr: { $eq: ["$username", sanitizedUsername] } });
   }
 
   /**