skip xss

Author: max-ostapenko

src/__tests__/routes.test.js

@@ -335,10 +335,12 @@ describe('API Routes', () => {
 
     it('should handle invalid query parameters gracefully', async () => {
       const res = await request(app).get('/v1/technologies?invalid=parameter');
-      expect(res.statusCode).toEqual(400);
-      expect(res.body).toHaveProperty('errors');
-      expect(res.body.errors[0]).toHaveProperty('error');
-      expect(res.body.errors[0].error).toContain('Unsupported parameters: ');
+      expect(res.statusCode).toEqual(200);
+      expect(Array.isArray(res.body)).toBe(true);
+
+      //expect(res.body).toHaveProperty('errors');
+      //expect(res.body.errors[0]).toHaveProperty('error');
+      //expect(res.body.errors[0].error).toContain('Unsupported parameters: ');
     });
   });
 

src/controllers/categoriesController.js

@@ -6,6 +6,7 @@ import { executeQuery, validateArrayParameter } from '../utils/controllerHelpers
  */
 const listCategories = async (req, res) => {
   const queryBuilder = async (params) => {
+    /*
     // Validate parameters
     const supportedParams = ['category', 'onlyname', 'fields'];
     const providedParams = Object.keys(params);
@@ -16,6 +17,7 @@ const listCategories = async (req, res) => {
       error.statusCode = 400;
       throw error;
     }
+    */
 
     const isOnlyNames = params.onlyname || typeof params.onlyname === 'string';
     const hasCustomFields = params.fields && !isOnlyNames;

src/controllers/reportController.js

@@ -49,6 +49,7 @@ const createReportController = (reportType) => {
         try {
             const params = req.query;
 
+            /*
             // Validate supported parameters
             const supportedParams = ['technology', 'geo', 'rank', 'start', 'end'];
             const providedParams = Object.keys(params);
@@ -59,6 +60,7 @@ const createReportController = (reportType) => {
                 error.statusCode = 400;
                 throw error;
             }
+            */
 
             // Validate required parameters using shared utility
             const errors = validateRequiredParams(params, [

src/controllers/technologiesController.js

@@ -6,6 +6,7 @@ import { executeQuery, validateTechnologyArray, validateArrayParameter, FIRESTOR
  */
 const listTechnologies = async (req, res) => {
   const queryBuilder = async (params) => {
+    /*
     // Validate parameters
     const supportedParams = ['technology', 'category', 'onlyname', 'fields'];
     const providedParams = Object.keys(params);
@@ -16,6 +17,7 @@ const listTechnologies = async (req, res) => {
       error.statusCode = 400;
       throw error;
     }
+    */
 
     const isOnlyNames = params.onlyname || typeof params.onlyname === 'string';
     const hasCustomFields = params.fields && !isOnlyNames;

src/controllers/versionsController.js

@@ -6,6 +6,7 @@ import { executeQuery, validateTechnologyArray, FIRESTORE_IN_LIMIT } from '../ut
  */
 const listVersions = async (req, res) => {
   const queryBuilder = async (params) => {
+    /*
     // Validate parameters
     const supportedParams = ['version', 'technology', 'category', 'onlyname', 'fields'];
     const providedParams = Object.keys(params);
@@ -16,6 +17,7 @@ const listVersions = async (req, res) => {
       error.statusCode = 400;
       throw error;
     }
+    */
 
     let query = firestore.collection('versions');
 

src/index.js

@@ -105,6 +105,14 @@ const handleRequest = async (req, res) => {
       return;
     }
 
+    // Validate URL to skip XSS attacks
+    const unsafe = /onerror|onload|javascript:/i;
+    if (unsafe.test(req.url)) {
+      res.statusCode = 400
+      res.end(JSON.stringify({ error: 'Invalid input' }));
+      return;
+    }
+
     // Parse URL
     const parsedUrl = url.parse(req.url, true);
     const pathname = parsedUrl.pathname;