fix(js-express): resolve CodeQL rate limit, regex, and query findings

[cbullinger]

Summary

Resolves 20 open CodeQL findings in the JS Express MFlix server by adding API rate limiting, escaping user genre input for regex queries, and validating MongoDB filter/update payloads before database writes.

Changes

• Rate limiting (15 alerts): express-rate-limit middleware on all /api/movies routes via moviesRateLimiter
• Regex injection (1 alert): escape user-supplied genre values before building $regex filters
• NoSQL query injection (4 alerts): whitelist allowed filter fields/operators and update fields in batch and single update handlers via mongoQuery.ts

Testing

• npm run test:unit — 58/58 passed
• npm run build — TypeScript compiles cleanly
• Code scanning alerts feat: implement vector search UI #23–Merge development to main to trigger copy utility #42 close after merge

Related

• Part 4 of CodeQL remediation (code scanning)
• Follows fix(java-spring): resolve CodeQL regex and redirect findings #118 (Java Spring CodeQL fixes)

Made with Cursor

[Copilot]

Pull request overview

This PR addresses CodeQL findings in the JS Express MFlix server by hardening request handling around /api/movies through rate limiting, safer regex construction, and sanitization of MongoDB filter/update payloads before DB writes.

Changes:

• Added an express-rate-limit middleware applied to all /api/movies routes.
• Escaped user-supplied genre input before building a case-insensitive $regex filter.
• Introduced mongoQuery utilities to whitelist allowed MongoDB filter fields/operators and update fields, and applied them in single/batch update and batch delete handlers.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 6 comments.

Show a summary per file

File	Description
mflix/server/js-express/tests/controllers/movieController.test.ts	Updates batch update test data; (recommended) add a test covering newly rejected update operators.
mflix/server/js-express/src/utils/mongoQuery.ts	New query/update sanitization helpers + regex escaping utility.
mflix/server/js-express/src/routes/movies.ts	Applies the movies rate limiter middleware to all movie routes.
mflix/server/js-express/src/middleware/rateLimiter.ts	New rate limiter configuration for movie routes.
mflix/server/js-express/src/controllers/movieController.ts	Uses regex escaping for genre and sanitizes batch/single update + batch delete filters/updates.
mflix/server/js-express/package.json	Adds express-rate-limit dependency.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[dacharyc]

Couple of small suggested fixups for JS idiomaticity and consistency with the other apps, but otherwise LGTM ✅

[cbullinger]

Addressed review feedback in 204389a:

1. Single field source of truth — MOVIE_FIELDS drives both ALLOWED_FILTER_FIELDS (+ _id) and UPDATE_FIELDS
2. Generic error messages — filter/update validation no longer echoes rejected field or operator names
3. as never removed — uses (sanitized as Record<string, unknown>)[key] = update[key]
4. Rate limit via env — RATE_LIMIT_MAX (set to 10000 in unit + integration test setup) replaces NODE_ENV === "test" branch