From 57a9c8914e9d24db28297f0ea40c3d56c86a40da Mon Sep 17 00:00:00 2001
From: Kenneth Chew <79120643+kthchew@users.noreply.github.com>
Date: Fri, 2 Feb 2024 20:11:03 -0500
Subject: [PATCH] Sanitize important user inputs
---
 Backend/server.js | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/Backend/server.js b/Backend/server.js
index 9dbe196..2836cb0 100644
--- a/Backend/server.js
+++ b/Backend/server.js
@@ -58,7 +58,8 @@ app.get('/getCourses', async (req, res) => {
 app.get('/getAssignments', async (req, res) => {
 const canvas_api_token = req.query.canvas_api_token;
- const course_id = req.query.course_id;
+ // course ID can only have digits; remove anything that isn't a digit
+ const course_id = req.query.course_id.replace(/\D/g, "");
 if (!canvas_api_token || !course_id) {
 return res.status(400).json({ error: 'canvas_api_token and course_id are required' });
@@ -83,9 +84,10 @@ app.get('/getAssignments', async (req, res) => {
 app.get('/getSubmission', async (req, res) => {
 const canvas_api_token = req.query.canvas_api_token;
- const course_id = req.query.course_id;
- const assignment_id = req.query.assignment_id;
- const user_id = req.query.user_id;
+ // these IDs can only have digits; remove any character that isn't a digit
+ const course_id = req.query.course_id.replace(/\D/g, "");
+ const assignment_id = req.query.assignment_id.replace(/\D/g, "");
+ const user_id = req.query.user_id.replace(/\D/g, "");
 if (!canvas_api_token || !course_id || !assignment_id || !user_id) {
 return res.status(400).json({ error: 'canvas_api_token, course_id, assignment_id, and user_id are required' });
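Review bot: The new `req.query.course_id.replace(/\D/g, "")` line in /getAssignments runs before the required-parameter check, so a request that omits course_id now throws a TypeError (`replace` on undefined) instead of returning the intended 400; the same ordering problem applies to the three `.replace` lines in /getSubmission. With Express's default query parser a repeated or bracketed parameter arrives as an array or object, which likewise has no `replace`, so the type should be checked rather than assumed. Stripping non-digits is also lossy — `12x3` silently becomes `123` and a different Canvas resource is fetched — so validating and rejecting is the more predictable choice: `const course_id = typeof req.query.course_id === 'string' && /^\d+$/.test(req.query.course_id) ? req.query.course_id : undefined;`, which lets the existing `!course_id` check produce the 400. Both handler bodies continue past their hunks, so how the IDs are interpolated into the Canvas request is not visible here.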
@@ -113,7 +115,7 @@ app.get('/logout', async (req, res) => {
 const user_id = req.query.user_id;
 let db = getDb();
- db.updateOne({"canvasUser" : user_id}, { $set: { "lastLogout": Date.now() } })
+ db.updateOne({ "canvasUser": { $eq: user_id } }, { $set: { "lastLogout": Date.now() } })
 console.log("< logged out user " + user_id)
 res.status(200).json({ message: "Logged out!" });
 })
@@ -123,7 +125,7 @@ app.get('/login', async (req, res) => {
 let db = getDb();
 console.log("> logged in user " + user_id)
- let user = await db.findOne({"canvasUser" : user_id})
+ let user = await db.findOne({ "canvasUser": { $eq: user_id } })
 res.status(200).json({ user });
 })
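Review bot: user_id is still accepted with any type and value on the new `db.updateOne` line, and on the `db.findOne` line in the /login hunk below; `$eq` only stops a parsed query object from being read as an operator. When the parameter is absent the filter becomes `{ $eq: undefined }`, which the Node driver serializes as null unless the client was created with ignoreUndefined, so the update or lookup can match a document that has no canvasUser field instead of failing; a guard before the query, `if (typeof user_id !== 'string' || user_id === '') return res.status(400).json({ error: 'user_id is required' });`, closes that in both handlers. The `db.updateOne(...)` call is also not awaited, so a write failure surfaces as an unhandled rejection after the 200 has already been sent. Nothing visible in either hunk ties user_id to an authenticated caller, so any client can mark any user as logged out or read any user record — if that is intended, a comment stating it would help; user_id's assignment in /login and both handlers' openings are outside the hunk.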