Add middleware for sanitizing url query. (#181)

gatsby-tv · Jan 31, 2022 · af6c5d3 · af6c5d3
1 parent 147cfa5
commit af6c5d3
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 3 deletions.
diff --git a/.env.docker b/.env.docker
@@ -6,5 +6,9 @@ MONGO_API_USER=gatsby
 MONGO_API_PASS=gatsby
 NODE_ENV=development
 
+# Mongo
+MONGO_ROOT_USER=root
+MONGO_ROOT_PASS=root
+
 # Gatsby
 WESTEGG_URL=http://westegg:3001
diff --git a/src/middleware/index.ts b/src/middleware/index.ts
@@ -20,3 +20,17 @@ export const isValidBody = async (
 
   next();
 };
+
+export const escapeQueryRegExp = async (
+  req: Request,
+  res: Response,
+  next: NextFunction
+) => {
+  const query = req.query.query as string;
+  req.query.query = query.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"); // $& means the whole matched string
+
+  console.log(query.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"));
+  console.log(req.query);
+
+  next();
+};
diff --git a/src/routes/search/index.ts b/src/routes/search/index.ts
@@ -14,6 +14,7 @@ import { Types } from "mongoose";
 import { keys as keysOf } from "ts-transformer-keys";
 import { CURSOR_START, preAlphaFillListing } from "@src/util/cursor";
 import { GetListingVideosWithTagsRequestQuery } from "@gatsby-tv/types";
+import { escapeQueryRegExp } from "@src/middleware";
 
 const router = Router();
 
@@ -26,11 +27,13 @@ interface GetVideoSearchRequestQueryParams
 router.get(
   "/",
   validateCursorRequest,
+  escapeQueryRegExp,
   async (
     req: Request<{}, {}, {}, GetVideoSearchRequestQueryParams>,
     res: Response,
     next: NextFunction
   ) => {
+    console.log(req.query.query);
     const videos = (await VideoCollection.aggregate()
       .match({
         title: { $regex: RegExp(req.query.query as string) } // TODO: Needs to be sanitized

diff --git a/yarn.lock b/yarn.lock
@@ -2860,9 +2860,9 @@ __metadata:
   linkType: hard
 
 "caniuse-lite@npm:^1.0.30001248":
-  version: 1.0.30001248
-  resolution: "caniuse-lite@npm:1.0.30001248"
-  checksum: 86b3c232ad60982f3789a8c1bb9391848dad4b324cb220a925c730b744f8bceee5816cf15932bcd501d98fe31fcfd46e6a0e88fe08be92ce326b67d4b3f79b75
+  version: 1.0.30001304
+  resolution: "caniuse-lite@npm:1.0.30001304"
+  checksum: 63092ec6c65346f57026d9c7bee0548b77fd606819ca205ee3d99c948e4701b8820c365c00b79d4a4b96f3f0045bc0be767149b8edb74f7223d16cb30630f81e
   languageName: node
   linkType: hard