Integrated Input validation, rate limiting and CORS configuration #2
| const user = await User.findOne({ email }); | ||
| if (!user) return res.status(400).json({ message: "Invalid credentials" }); | ||
| // Find user and include password for comparison | ||
| const user = await User.findOne({ email }).select('+password'); |
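Review bot: the new `const user = await User.findOne({ email }).select('+password');` still builds the query filter from `email` exactly as taken from the request body, with no check that it is a primitive string, which is what the CodeQL finding "Database query built from user-controlled sources" points at; a `typeof email !== "string"` guard placed before the query (as in the Copilot suggestion further down) closes it. Since the query now adds `.select('+password')`, also make sure the fetched document is not serialised back to the client as-is after the comparison.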
Check failure: Code scanning / CodeQL: Database query built from user-controlled sources (High)
Copilot Autofix (AI, 7 months ago):
To fix the issue, ensure that the email value used in the database query on line 58 is always interpreted as a primitive string and cannot contain any objects or query operators. This is best achieved by explicitly checking the type of email (i.e., typeof email === "string"), and returning an error if it is not. This check should be performed in the login route handler itself, right before the database query, to guarantee safety regardless of upstream validation middleware. No package imports are required; TypeScript/JavaScript's built-in type-checking is enough. The change should be added as a guard clause after extracting email and before running any queries that use it.
| @@ -54,6 +54,15 @@ | ||
| try { | ||
| const { email, password } = req.body; | ||
|
|
||
| // Ensure email is a string to prevent NoSQL injection | ||
| if (typeof email !== "string") { | ||
| console.log(`Rejected login attempt due to invalid email type from IP: ${req.ip}`); | ||
| return res.status(400).json({ | ||
| error: "Invalid request", | ||
| message: "Email must be a string" | ||
| }); | ||
| } | ||
|
|
||
| // Find user and include password for comparison | ||
| const user = await User.findOne({ email }).select('+password'); | ||
| if (!user) { |
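Review bot: the guard `if (typeof email !== "string")` covers only `email`; `password` is destructured on the same line (`const { email, password } = req.body;`) and should get the same type check before it is handed to the comparison, so that a non-string value is rejected with the same 400 instead of reaching the comparison call. Minor: the new 400 body uses `{ error, message }` while the existing `!user` branch returns `{ message: "Invalid credentials" }`; keep one response shape, and prefer the application's logger over `console.log` for the rejected-attempt line.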
Proper integration of rate limiting on requests, input validation, and also configured CORS.
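As an added example, not code from this PR or from Copilot's suggestion, the `typeof` guard generalised into one validator for the login body that checks both fields the handler destructures; `parseLoginBody`, `MAX_LEN` and the sample bodies are hypothetical and constructed here.

```javascript
// Added example, not code from the PR: a validator for the login body that
// extends the autofix's `typeof email` guard to both destructured fields.
// parseLoginBody and MAX_LEN are hypothetical names.

const MAX_LEN = 254; // constructed cap for either field

// Returns { ok: true, email, password } for a well-formed body, otherwise
// { ok: false, field, message } naming the first rejected field. Only
// primitive strings pass, so a nested object in a JSON body can never be
// handed to User.findOne as part of the query filter.
function parseLoginBody(body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, field: 'body', message: 'Body must be a JSON object' };
  }
  const { email, password } = body;
  if (typeof email !== 'string') {
    return { ok: false, field: 'email', message: 'Email must be a string' };
  }
  if (typeof password !== 'string') {
    return { ok: false, field: 'password', message: 'Password must be a string' };
  }
  // Normalise the lookup key so "Alice@Example.com " and "alice@example.com"
  // hit the same document; the password is compared as sent.
  const normalizedEmail = email.trim().toLowerCase();
  if (normalizedEmail.length === 0 || normalizedEmail.length > MAX_LEN) {
    return { ok: false, field: 'email', message: 'Email length out of range' };
  }
  if (password.length === 0 || password.length > MAX_LEN) {
    return { ok: false, field: 'password', message: 'Password length out of range' };
  }
  return { ok: true, email: normalizedEmail, password };
}

// Constructed sample bodies, shaped as a JSON body parser hands them to req.body.
const SAMPLE_BODIES = [
  JSON.parse('{"email":"Alice@Example.com ","password":"correct horse"}'),
  JSON.parse('{"email":{"nested":"object"},"password":"x"}'),
  JSON.parse('["alice@example.com","x"]'),
];

// Usage in the route handler (sketched here, not the PR's code):
//   const parsed = parseLoginBody(req.body);
//   if (!parsed.ok) return res.status(400).json({ message: parsed.message });
//   const user = await User.findOne({ email: parsed.email }).select('+password');
```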