From af6c5d36fdc923ab43a6bee8bfd7cb9429979e5c Mon Sep 17 00:00:00 2001
From: Michael Nesbitt
Date: Mon, 31 Jan 2022 15:02:07 -0600
Subject: [PATCH] Add middleware for sanitizing url query. (#181)
---
 .env.docker | 4 ++++
 src/middleware/index.ts | 14 ++++++++++++++
 src/routes/search/index.ts | 3 +++
 yarn.lock | 6 +++---
 4 files changed, 24 insertions(+), 3 deletions(-)
diff --git a/.env.docker b/.env.docker
index ac496e0..55cdd6b 100644
--- a/.env.docker
+++ b/.env.docker
@@ -6,5 +6,9 @@ MONGO_API_USER=gatsby
 MONGO_API_PASS=gatsby
 NODE_ENV=development
 
+# Mongo
+MONGO_ROOT_USER=root
+MONGO_ROOT_PASS=root
+
 # Gatsby
 WESTEGG_URL=http://westegg:3001
diff --git a/src/middleware/index.ts b/src/middleware/index.ts
index 24f0e86..8d9801c 100644
--- a/src/middleware/index.ts
+++ b/src/middleware/index.ts
@@ -20,3 +20,17 @@ export const isValidBody = async (
 next();
 };
 
+
+export const escapeQueryRegExp = async (
+ req: Request,
+ res: Response,
+ next: NextFunction
+) => {
+ const query = req.query.query as string;
+ req.query.query = query.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"); // $& means the whole matched string
+
+ console.log(query.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"));
+ console.log(req.query);
+
+ next();
+};
diff --git a/src/routes/search/index.ts b/src/routes/search/index.ts
index 0ef6953..203d18c 100644
--- a/src/routes/search/index.ts
+++ b/src/routes/search/index.ts
@@ -14,6 +14,7 @@ import { Types } from "mongoose";
 import { keys as keysOf } from "ts-transformer-keys";
 import { CURSOR_START, preAlphaFillListing } from "@src/util/cursor";
 import { GetListingVideosWithTagsRequestQuery } from "@gatsby-tv/types";
+import { escapeQueryRegExp } from "@src/middleware";
 
 const router = Router();
 
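Review bot: `MONGO_ROOT_USER=root` and `MONGO_ROOT_PASS=root` check a database superuser credential pair into the tracked `.env.docker`, and this hunk has nothing to do with the patch subject (query escaping). Even if the file only feeds a local compose stack, a committed root/root pair tends to survive into shared or exposed environments, and any later published port would make the container reachable with exactly these values; I cannot see the compose file, so whether the port is exposed today is an assumption. I would keep the keys but not the values and add a comment above them, `# Mongo root account — dev-only; set a real MONGO_ROOT_PASS in an untracked .env override before exposing the container`, and land the unrelated config change in its own commit.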
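Review bot: `escapeQueryRegExp` calls `.replace` on `req.query.query` behind a bare `as string` cast, so a request with no `query` parameter (undefined) or a repeated or bracketed one (`?query=a&query=b`, `?query[x]=y`, which Express's default query parser yields as an array or object) throws a TypeError inside an `async` middleware; unless the app wraps async handlers, that surfaces as an unhandled rejection and a hung request instead of a 4xx. The two `console.log` calls also print raw user input and the whole `req.query` to stdout on every search and should not ship. I would reject non-string values up front with a 400 (matching whatever shape `validateCursorRequest` uses for bad input, which I cannot see from here), drop the logging, and make the function synchronous since nothing is awaited. A length cap on `query` would also be worth considering, because an escaped pattern still drives a regex scan over `title` on every request.

```typescript
export const escapeQueryRegExp = (
  req: Request,
  res: Response,
  next: NextFunction
) => {
  const query = req.query.query;
  // Only a single string can be escaped safely; absent, repeated (array)
  // or bracketed (object) values are rejected instead of crashing below.
  if (typeof query !== "string") {
    res.status(400).send("query must be a single string");
    return;
  }
  req.query.query = query.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"); // $& is the whole match
  next();
};
```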
@@ -26,11 +27,13 @@ interface GetVideoSearchRequestQueryParams
 router.get(
 "/",
 validateCursorRequest,
+ escapeQueryRegExp,
 async (
 req: Request<{}, {}, {}, GetVideoSearchRequestQueryParams>,
 res: Response,
 next: NextFunction
 ) => {
+ console.log(req.query.query);
 const videos = (await VideoCollection.aggregate()
 .match({
 title: { $regex: RegExp(req.query.query as string) } // TODO: Needs to be sanitized
diff --git a/yarn.lock b/yarn.lock
index b15a2c7..6e49e8b 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -2860,9 +2860,9 @@ __metadata:
 linkType: hard
 
 "caniuse-lite@npm:^1.0.30001248":
- version: 1.0.30001248
- resolution: "caniuse-lite@npm:1.0.30001248"
- checksum: 86b3c232ad60982f3789a8c1bb9391848dad4b324cb220a925c730b744f8bceee5816cf15932bcd501d98fe31fcfd46e6a0e88fe08be92ce326b67d4b3f79b75
+ version: 1.0.30001304
+ resolution: "caniuse-lite@npm:1.0.30001304"
+ checksum: 63092ec6c65346f57026d9c7bee0548b77fd606819ca205ee3d99c948e4701b8820c365c00b79d4a4b96f3f0045bc0be767149b8edb74f7223d16cb30630f81e
 languageName: node
 linkType: hard
 
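Review bot: The added `console.log(req.query.query)` at the top of the handler is leftover debugging that prints every user-supplied search term to stdout, and the trailing `// TODO: Needs to be sanitized` on the `$regex` line is now stale — the value reaching `RegExp(...)` has already been escaped by the `escapeQueryRegExp` middleware registered two lines earlier in `router.get`, so the comment misdirects the next reader. I would delete the log line and replace the TODO with `// metacharacters already escaped by escapeQueryRegExp; keep that middleware ahead of this handler`, since the safety of this `$regex` now rests entirely on middleware order. The `as string` cast is still unchecked here; whether a non-string value can reach this point depends on what `escapeQueryRegExp` does with it, which is outside this hunk. The handler body continues past the end of the hunk.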