Sanitize important user inputs
kthchew committed Feb 3, 2024
1 parent fceb31d commit 57a9c89
Showing 1 changed file with 8 additions and 6 deletions.
14 changes: 8 additions & 6 deletions Backend/server.js
Expand Up @@ -58,7 +58,8 @@ app.get('/getCourses', async (req, res) => {

app.get('/getAssignments', async (req, res) => {
const canvas_api_token = req.query.canvas_api_token;
const course_id = req.query.course_id;
// course ID can only have digits; remove anything that isn't a digit
const course_id = req.query.course_id.replace(/\D/g, "");

if (!canvas_api_token || !course_id) {
return res.status(400).json({ error: 'canvas_api_token and course_id are required' });
Expand All @@ -83,9 +84,10 @@ app.get('/getAssignments', async (req, res) => {

app.get('/getSubmission', async (req, res) => {
const canvas_api_token = req.query.canvas_api_token;
const course_id = req.query.course_id;
const assignment_id = req.query.assignment_id;
const user_id = req.query.user_id;
// these IDs can only have digits; remove any character that isn't a digit
const course_id = req.query.course_id.replace(/\D/g, "");
const assignment_id = req.query.assignment_id.replace(/\D/g, "");
const user_id = req.query.user_id.replace(/\D/g, "");

if (!canvas_api_token || !course_id || !assignment_id || !user_id) {
return res.status(400).json({ error: 'canvas_api_token, course_id, assignment_id, and user_id are required' });
Expand Down Expand Up @@ -113,7 +115,7 @@ app.get('/logout', async (req, res) => {
const user_id = req.query.user_id;

let db = getDb();
db.updateOne({"canvasUser" : user_id}, { $set: { "lastLogout": Date.now() } })
db.updateOne({ "canvasUser": { $eq: user_id } }, { $set: { "lastLogout": Date.now() } })
console.log("< logged out user " + user_id)
res.status(200).json({ message: "Logged out!" });
})

Check failure

Code scanning / CodeQL

Missing rate limiting High

This route handler performs
a database access
, but is not rate-limited.
Expand All @@ -123,7 +125,7 @@ app.get('/login', async (req, res) => {

let db = getDb();
console.log("> logged in user " + user_id)
let user = await db.findOne({"canvasUser" : user_id})
let user = await db.findOne({ "canvasUser": { $eq: user_id } })
res.status(200).json({ user });
})

Check failure

Code scanning / CodeQL

Missing rate limiting High

This route handler performs
a database access
, but is not rate-limited.

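Review bot: The new `req.query.course_id.replace(/\D/g, "")` in /getAssignments, and the three `.replace` calls in /getSubmission, run before the presence check on the following `if (!canvas_api_token || !course_id ...)` line, so a request with the parameter missing (or repeated, e.g. `?course_id=1&course_id=2`, which Express's default query parser typically turns into an array) throws a TypeError inside an async handler instead of producing the intended 400. Stripping non-digits also rewrites bad input silently, turning `12abc` into `12` rather than rejecting it. I would validate instead of rewrite, e.g. `const course_id = String(req.query.course_id ?? "");` followed by `if (!/^\d+$/.test(course_id)) return res.status(400).json({ error: 'course_id must be numeric' });`, and the same for assignment_id and user_id. The `$eq` wrappers in /logout and /login do close the operator-injection hole, but those handlers still look up and return a user solely from an unauthenticated `user_id` query value, which is outside this commit's scope but worth tracking. The /getAssignments and /getSubmission hunks are collapsed just past the presence check, so the remainder of those handlers is not visible here.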
