add cloudflare turnstile protection to support and account deletion forms#164
81408be to 30691e2
| const recentRequestsCount = await this.supportMessageModel.countDocuments({ | ||
| email: sanitizedDto.email, | ||
| createdAt: { $gte: twentyFourHoursAgo }, | ||
| }) |
Check failure
Code scanning / CodeQL: Database query built from user-controlled sources (severity: High)
Copilot Autofix (AI, 4 months ago):
To fix the issue, we need to ensure that the email field used in the MongoDB query always receives a primitive string value, not a potentially crafted object. The best and safest approach is to explicitly use MongoDB's $eq operator, so that whatever is received from the user (string or object), MongoDB treats it only as a literal value, not as a query operator. This requires directly replacing the query construction on line 37 so that instead of:
email: sanitizedDto.email,
it uses:
email: { $eq: sanitizedDto.email },
No additional imports or methods are required for this change. The fix is strictly limited to the vulnerable line and preserves the semantics of filtering by exact email match, but ensures injection is prevented regardless of input type.
| @@ -35,7 +35,7 @@ | ||
| // Check rate limit: max 3 requests per 24 hours | ||
| const twentyFourHoursAgo = new Date(Date.now() - 24 * 60 * 60 * 1000) | ||
| const recentRequestsCount = await this.supportMessageModel.countDocuments({ | ||
| email: sanitizedDto.email, | ||
| email: { $eq: sanitizedDto.email }, | ||
| createdAt: { $gte: twentyFourHoursAgo }, | ||
| }) | ||
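Review bot: the `$eq` wrapper on `email` only matters if `sanitizedDto.email` can still be something other than a string when `countDocuments` runs; the name `sanitizedDto` suggests that is already ruled out upstream, so either make the guarantee explicit (reject the request when `typeof sanitizedDto.email !== 'string'` before the query, or enforce a string type where `sanitizedDto` is produced) and say so in the "Check rate limit" comment, or keep `$eq` and treat it as defence in depth. Either way, the hunk shows the count but not the "max 3 requests per 24 hours" comparison it feeds, so confirm that the same sanitized value is used there and in the subsequent write; otherwise the counted records and the stored record can diverge.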
| isValidObjectId(sanitizedDto.user) | ||
| ) { | ||
| user = await this.userModel.findById(createSupportMessageDto.user) | ||
| user = await this.userModel.findById(sanitizedDto.user) |
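Review bot: the removed line guarded on `isValidObjectId(sanitizedDto.user)` but then queried `findById(createSupportMessageDto.user)`, so the value that passed validation and the value sent to the database were different; the replacement looks up the same `sanitizedDto.user` that passed the guard, which is the correct fix. A one-line comment on the guard noting that the check and the lookup must use the same value would keep a later edit from reintroducing the split.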
Check failure
Code scanning / CodeQL: Database query built from user-controlled sources (severity: High)
Copilot Autofix (AI, 4 months ago):
To mitigate the risk of NoSQL injection, we should ensure that the value used for the _id lookup in Mongoose's findById or similar queries is interpreted strictly as a literal, and not as a query object. The best practice is to use the $eq operator, so that even if the value is a valid ObjectId string supplied by the user, it will be checked as a literal and not as a potentially malicious query object.
In file api/src/support/support.service.ts:
- Locate the line where user = await this.userModel.findById(sanitizedDto.user).
- Change this to use .findOne({ _id: { $eq: sanitizedDto.user } }) instead.
- No additional imports are needed, as this is standard mongoose usage.
Only change the highlighted query, keeping application logic otherwise unchanged.
| @@ -56,7 +56,7 @@ | ||
| sanitizedDto.user && | ||
| isValidObjectId(sanitizedDto.user) | ||
| ) { | ||
| user = await this.userModel.findById(sanitizedDto.user) | ||
| user = await this.userModel.findOne({ _id: { $eq: sanitizedDto.user } }) | ||
| } | ||
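Review bot: with `isValidObjectId(sanitizedDto.user)` already guarding this branch, `findOne({ _id: { $eq: sanitizedDto.user } })` returns the same document as `findById(sanitizedDto.user)` for any valid id string, so the change is safe but mostly serves to satisfy the scanner. If you want the intent visible in the code, convert the validated string with mongoose's `Types.ObjectId` at the guard and pass the typed value to the query; a typed id cannot carry operators, which documents why the alert does not apply. In either form, add a short comment explaining the `$eq` so nobody "simplifies" it back to `findById` later.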
| // Send confirmation email to user |
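As an added example covering both Copilot suggestions on this page (the `$eq` wrapping of `email` in the rate-limit count, and the `findById` to `findOne({ _id: { $eq: ... } })` change behind an `isValidObjectId` guard), and not code from this PR or the project: a small in-memory evaluator of the MongoDB filter subset the hunks use ($eq, $ne, $gte and literal equality), run over constructed support messages and users. The document set, the fixed clock, and `isValidObjectIdLike` (a 24-hex-character stand-in for mongoose's `isValidObjectId`) are assumptions; the operator-versus-literal rule the evaluator reproduces is the one MongoDB itself applies.

```javascript
// Added example for this PR page; not the project's code. It re-implements, in
// memory, just enough of MongoDB's filter semantics ($eq, $ne, $gte, literal
// equality) to show what the two CodeQL autofixes change. The sample documents,
// the fixed clock and the hex-string stand-in for isValidObjectId are assumptions.

const OPERATORS = new Set(['$eq', '$ne', '$gte']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v) && !(v instanceof Date);
}

function deepEqual(a, b) {
  if (a instanceof Date && b instanceof Date) return a.getTime() === b.getTime();
  if (isPlainObject(a) && isPlainObject(b)) {
    const ka = Object.keys(a);
    return ka.length === Object.keys(b).length && ka.every((k) => deepEqual(a[k], b[k]));
  }
  return a === b;
}

// A plain object whose keys are all operators is an operator expression; anything
// else (including an object nested under $eq) is compared as a literal value.
function matchField(docValue, cond) {
  const keys = isPlainObject(cond) ? Object.keys(cond) : [];
  if (keys.length > 0 && keys.every((k) => OPERATORS.has(k))) {
    return keys.every((op) => {
      switch (op) {
        case '$eq': return deepEqual(docValue, cond[op]);
        case '$ne': return !deepEqual(docValue, cond[op]);
        case '$gte': return docValue >= cond[op];
        default: return false;
      }
    });
  }
  return deepEqual(docValue, cond);
}

function countDocuments(docs, filter) {
  return docs.filter((d) => Object.entries(filter).every(([f, c]) => matchField(d[f], c))).length;
}

function findOne(docs, filter) {
  return docs.find((d) => Object.entries(filter).every(([f, c]) => matchField(d[f], c))) || null;
}

// Constructed sample data; a fixed "now" keeps the 24-hour window deterministic.
const NOW = Date.UTC(2024, 0, 15, 12, 0, 0);
const HOUR = 60 * 60 * 1000;
const DAY = 24 * HOUR;
const SUPPORT_MESSAGES = [
  { email: 'alice@example.com', createdAt: new Date(NOW - 1 * HOUR) },
  { email: 'alice@example.com', createdAt: new Date(NOW - 2 * HOUR) },
  { email: 'bob@example.com', createdAt: new Date(NOW - 3 * HOUR) },
  { email: 'carol@example.com', createdAt: new Date(NOW - 3 * DAY) },
];
const USERS = [
  { _id: '507f1f77bcf86cd799439011', email: 'alice@example.com' },
  { _id: '507f1f77bcf86cd799439012', email: 'bob@example.com' },
];

// Rate-limit count as in the hunk before the autofix: the value is used as-is,
// so an operator-shaped value is interpreted as an operator and widens the filter.
function recentCountUnsafe(email) {
  return countDocuments(SUPPORT_MESSAGES, { email, createdAt: { $gte: new Date(NOW - DAY) } });
}

// After the autofix: $eq forces a literal comparison whatever the value's type.
function recentCountEq(email) {
  return countDocuments(SUPPORT_MESSAGES, {
    email: { $eq: email },
    createdAt: { $gte: new Date(NOW - DAY) },
  });
}

// Defence in depth: refuse to build the query at all for a non-string.
function recentCountValidated(email) {
  if (typeof email !== 'string') throw new TypeError('email must be a string');
  return recentCountEq(email);
}

// Stand-in for mongoose's isValidObjectId, restricted to 24-char hex strings (assumption).
function isValidObjectIdLike(v) {
  return typeof v === 'string' && /^[0-9a-fA-F]{24}$/.test(v);
}

// The second hunk: validate the id first, then look it up with $eq (was findById).
function findUserSafe(userInput) {
  if (!isValidObjectIdLike(userInput)) return null;
  return findOne(USERS, { _id: { $eq: userInput } });
}
```

Calling `recentCountUnsafe` with the literal string and then with an operator-shaped object shows the count jump from the caller's own messages to every message in the window; `recentCountEq` returns zero for the object, because no document has an email literally equal to it, and `recentCountValidated` rejects it before any filter is built, which is the check worth keeping next to the `$eq`. `findUserSafe` shows why the second autofix changes little in practice: the `isValidObjectId` guard already turns away anything that is not an id string, so `$eq` there is belt and braces.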