Merge pull request #346 from agiledev-students-fall2023/sprint/4/spik…

…e/302/db-security added mongo-sanitize for enhancing db integrity
agiledev-students-fall2023 · Dec 6, 2023 · b337b83 · b337b83
2 parents dfd3e7e + 67e13c5
commit b337b83
Show file tree

Hide file tree

Showing 5 changed files with 154 additions and 69 deletions.
diff --git a/back-end/app.js b/back-end/app.js
@@ -72,7 +72,7 @@ setInterval(() => {
   } catch (error) {
     console.error("Error in scheduled updatePriorityForOpenIssues:", error);
   }
-}, 30 * 60 * 1000); 
+}, 30 * 60 * 1000);
 
 // an interval to run updateResolved every hour
 setInterval(() => {
@@ -84,10 +84,10 @@ setInterval(() => {
 }, 30 * 60 * 1000);
 
 // Logout endpoint to remove token from cookie
-app.get('/api/logout', (req, res) => {
-  res.cookie('jwt', '', { maxAge: 0 }); // Clear the cookie
-  console.log('Logged out successfully');
-  res.json({ message: 'Logged out successfully' });
+app.get("/api/logout", (req, res) => {
+  res.cookie("jwt", "", { maxAge: 0 }); // Clear the cookie
+  console.log("Logged out successfully");
+  res.json({ message: "Logged out successfully" });
 });
 
 app.get("/api/check-auth", checkJWT, (req, res) => {
@@ -96,7 +96,9 @@ app.get("/api/check-auth", checkJWT, (req, res) => {
     res.status(200).json({ authenticated: true, user: req.user });
   } else {
     // User is not authenticated
-    res.status(401).json({ authenticated: false, message: "User not authenticated" });
+    res
+      .status(401)
+      .json({ authenticated: false, message: "User not authenticated" });
   }
 });
 

diff --git a/back-end/models/UserModel.js b/back-end/models/UserModel.js
@@ -1,5 +1,6 @@
 import mongoose from "mongoose";
 import bcrypt from "bcryptjs";
+import sanitize from "mongo-sanitize";
 
 const userSchema = new mongoose.Schema({
   name: { type: String, required: true },
@@ -11,6 +12,9 @@ const userSchema = new mongoose.Schema({
 
 // Hashing the password before saving it to the database
 userSchema.pre("save", async function (next) {
+  // Sanitize fields
+  sanitizeUser(this);
+
   if (!this.isModified("password")) return next();
 
   try {
@@ -22,4 +26,27 @@ userSchema.pre("save", async function (next) {
   }
 });
 
+// Sanitize inputs before updating
+userSchema.pre("findOneAndUpdate", function (next) {
+  const update = this.getUpdate();
+
+  // Sanitize each path in the update object
+  Object.keys(update).forEach((path) => {
+    if (update[path]) {
+      update[path] = sanitize(update[path]);
+    }
+  });
+
+  next();
+});
+
+// Helper function to sanitize user data
+function sanitizeUser(user) {
+  Object.keys(userSchema.paths).forEach((path) => {
+    if (userSchema.paths.hasOwnProperty(path) && user[path]) {
+      user[path] = sanitize(user[path]);
+    }
+  });
+}
+
 export default mongoose.model("User", userSchema);
diff --git a/back-end/models/issueModel.js b/back-end/models/issueModel.js
@@ -1,70 +1,114 @@
-import mongoose from 'mongoose';
+import mongoose from "mongoose";
+import sanitize from "mongo-sanitize";
 
 const issueSchema = new mongoose.Schema({
-    index: {
-        type: Number,
-        required: true,
-        unique: true,
-    },
-    studentNetID: {
+  index: {
+    type: Number,
+    required: true,
+    unique: true
+  },
+  studentNetID: {
+    type: String,
+    required: true
+  },
+  studentName: {
+    type: String,
+    required: true
+  },
+  title: {
+    type: String,
+    required: true
+  },
+  description: {
+    type: String,
+    required: true
+  },
+  attachments: {
+    type: [String],
+    required: true
+  },
+  departments: {
+    type: [
+      {
         type: String,
-        required: true,
-    },
-    studentName: {
-        type: String,
-        required: true,
-    },
-    title: {
-        type: String,
-        required: true,
-    },
-    description: {
-        type: String,
-        required: true,
-    },
-    attachments: {
-        type: [String],
-        required: true,
-    },
-    departments: {
-        type: [{
-            type: String,
-            enum: ['IT', 'Admin', 'Library', 'Facilities', 'Registrar', 'Health', 'Finance', 'GlobalEd', 'ResEd', 'CDC', 'admin'],
-        }],
-        required: true,
-    },
-    comments: {
-        type: [String],
-        required: true,
-    },
-    dateCreated: {
-        type: String,
-        required: true,
-    },
-    timeCreated: {
-        type: String,
-        required: true,
-    },
-    currentStatus: {
-        type: String,
-        enum: ['Open', 'In Progress', 'Action Required', 'Resolved'],
-        required: true,
-    },
-    currentPriority: {
-        type: String,
-        enum: ['New', 'High Priority', 'Reopened', ""],
-    },
-    isProposed: {
-        type: Boolean,
-        default: false,
-        required: true,
-    },
-    isProposedDate: {
-        type: String,
-        default: "",
-    },
+        enum: [
+          "IT",
+          "Admin",
+          "Library",
+          "Facilities",
+          "Registrar",
+          "Health",
+          "Finance",
+          "GlobalEd",
+          "ResEd",
+          "CDC",
+          "admin"
+        ]
+      }
+    ],
+    required: true
+  },
+  comments: {
+    type: [String],
+    required: true
+  },
+  dateCreated: {
+    type: String,
+    required: true
+  },
+  timeCreated: {
+    type: String,
+    required: true
+  },
+  currentStatus: {
+    type: String,
+    enum: ["Open", "In Progress", "Action Required", "Resolved"],
+    required: true
+  },
+  currentPriority: {
+    type: String,
+    enum: ["New", "High Priority", "Reopened", ""]
+  },
+  isProposed: {
+    type: Boolean,
+    default: false,
+    required: true
+  },
+  isProposedDate: {
+    type: String,
+    default: ""
+  }
 });
 
-const IssueModel = mongoose.model('Issue', issueSchema);
+// Sanitize inputs before saving
+issueSchema.pre("save", function (next) {
+  sanitizeIssue(this);
+  next();
+});
+
+// Sanitize inputs before updating
+issueSchema.pre("findOneAndUpdate", function (next) {
+  const update = this.getUpdate();
+
+  // Sanitize each path in the update object
+  Object.keys(update).forEach((path) => {
+    if (update[path]) {
+      update[path] = sanitize(update[path]);
+    }
+  });
+
+  next();
+});
+
+// Helper function to sanitize issue data
+function sanitizeIssue(issue) {
+  Object.keys(issueSchema.paths).forEach((path) => {
+    if (issueSchema.paths.hasOwnProperty(path) && issue[path]) {
+      issue[path] = sanitize(issue[path]);
+    }
+  });
+}
+
+const IssueModel = mongoose.model("Issue", issueSchema);
 
 export default IssueModel;
diff --git a/back-end/package-lock.json b/back-end/package-lock.json
diff --git a/back-end/package.json b/back-end/package.json
@@ -24,6 +24,7 @@
     "express": "^4.18.2",
     "jsonwebtoken": "^9.0.2",
     "moment": "^2.29.4",
+    "mongo-sanitize": "^1.1.0",
     "mongoose": "^8.0.1",
     "morgan": "^1.10.0",
     "multer": "^1.4.5-lts.1",