bug: fix bson doc filter

Author: pauldotyu

src/makeline-service/main.go

@@ -4,6 +4,7 @@ import (
 	"log"
 	"net/http"
 	"os"
+	"strconv"
 
 	"github.com/gin-contrib/cors"
 	"github.com/gin-gonic/gin"
@@ -101,7 +102,14 @@ func getOrder(c *gin.Context) {
 		return
 	}
 
-	order, err := client.repo.GetOrder(c.Param("id"))
+	id, err := sanitizeOrderId(c.Param("id"))
+	if err != nil {
+		log.Printf("Failed to sanitize order id: %s", err)
+		c.AbortWithStatus(http.StatusBadRequest)
+		return
+	}
+
+	order, err := client.repo.GetOrder(id)
 	if err != nil {
 		log.Printf("Failed to get order from database: %s", err)
 		c.AbortWithStatus(http.StatusInternalServerError)
@@ -128,7 +136,15 @@ func updateOrder(c *gin.Context) {
 		return
 	}
 
-	err := client.repo.UpdateOrder(order)
+	// check if the order id is valid
+	_, err := sanitizeOrderId(order.OrderID)
+	if err != nil {
+		log.Printf("Failed to sanitize order id: %s", err)
+		c.AbortWithStatus(http.StatusBadRequest)
+		return
+	}
+
+	err = client.repo.UpdateOrder(order)
 	if err != nil {
 		log.Printf("Failed to update order status: %s", err)
 		c.AbortWithStatus(http.StatusInternalServerError)
@@ -175,3 +191,17 @@ func initDatabase(apiType string) (*OrderService, error) {
 		return NewOrderService(mongoRepo), nil
 	}
 }
+
+func sanitizeOrderId(id string) (string, error) {
+	// sanitize the id to prevent NoSQL injection
+	var sanitizedId string
+	// ensure id is a valid orderId that can be converted to int
+	_, err := strconv.Atoi(id)
+	if err != nil {
+		log.Printf("Invalid order id: %s", err)
+		return sanitizedId, err
+	} else {
+		sanitizedId = id
+	}
+	return sanitizedId, nil
+}

src/makeline-service/mongodb.go

@@ -86,7 +86,10 @@ func (r *MongoDBOrderRepo) GetPendingOrders() ([]Order, error) {
 func (r *MongoDBOrderRepo) GetOrder(id string) (Order, error) {
 	var ctx = context.TODO()
 
-	singleResult := r.db.FindOne(ctx, bson.M{"orderid": id})
+	filter := bson.D{{Key: "orderid", Value: bson.D{{Key: "$eq", Value: id}}}}
+
+	singleResult := r.db.FindOne(ctx, filter)
+
 	var order Order
 	err := singleResult.Decode(&order)
 	if err != nil {
@@ -123,12 +126,13 @@ func (r *MongoDBOrderRepo) InsertOrders(orders []Order) error {
 func (r *MongoDBOrderRepo) UpdateOrder(order Order) error {
 	var ctx = context.TODO()
 
-	log.Printf("Updating order: %v", order)
+	filter := bson.D{{Key: "orderid", Value: bson.D{{Key: "$eq", Value: order.OrderID}}}}
 
 	// Update the order
+	log.Printf("Updating order: %v", order)
 	updateResult, err := r.db.UpdateMany(
 		ctx,
-		bson.M{"orderid": order.OrderID},
+		filter,
 		bson.D{
 			{Key: "$set", Value: bson.D{{Key: "status", Value: order.Status}}},
 		},