From e4aca6ac90d84889ba5c52908b8952583baa9bd1 Mon Sep 17 00:00:00 2001
From: Tamir Gershberg <47638346+tamirGer@users.noreply.github.com>
Date: Sat, 16 Mar 2024 22:56:54 +0200
Subject: [PATCH] fix(products): input validation and better date parsing (#326)
---
charts/brokencrystals/Chart.yaml | 2 +-
src/products/products.controller.ts | 17 +++++++++++++++--
2 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/charts/brokencrystals/Chart.yaml b/charts/brokencrystals/Chart.yaml
index 30db216c..ab54f1b5 100644
--- a/charts/brokencrystals/Chart.yaml
+++ b/charts/brokencrystals/Chart.yaml
@@ -4,7 +4,7 @@ description: |
Benchmark application that uses modern technologies and implements a set of
common security vulnerabilities
type: application
-version: 0.0.60
+version: 0.0.61
keywords:
- brokencrystals
- brkn
diff --git a/src/products/products.controller.ts b/src/products/products.controller.ts
index 91ae3429..be7f1021 100644
--- a/src/products/products.controller.ts
+++ b/src/products/products.controller.ts
@@ -37,6 +37,15 @@ export class ProductsController {
constructor(private readonly productsService: ProductsService) {}
+ private parseDate(dateString: string): Date {
+ const dateParts = dateString.split('-');
+ const year = parseInt(dateParts[2], 10);
+ const month = parseInt(dateParts[1], 10) - 1;
+ const day = parseInt(dateParts[0], 10);
+ return new Date(year, month, day);
+ }
+
@Get()
@UseGuards(AuthGuard)
@JwtType(JwtProcessorType.RSA)
@@ -67,10 +76,14 @@ export class ProductsController {
let df = new Date(new Date().setFullYear(new Date().getFullYear() - 1));
let dt = new Date();
if (dateFrom) {
- df = new Date(`${dateFrom} 00:00:00.000Z`);
+ df = this.parseDate(dateFrom);
}
if (dateTo) {
- dt = new Date(`${dateTo} 00:00:00.000Z`);
+ dt = this.parseDate(dateTo);
+ }
+
+ if (isNaN(df.getTime()) || isNaN(dt.getTime())) {
+ throw new BadRequestException('Invalid date format');
}
const allProducts = await this.productsService.findAll(df, dt);
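Review bot: The new parseDate still lets malformed input through as a valid-looking Date, so the isNaN guard in the caller never fires for it: parseInt stops at the first non-digit and `new Date(year, month, day)` rolls out-of-range fields over instead of failing, so `"40-13-2024"`, `"16-03-24"` (year 1924) and the previously accepted ISO form `"2024-03-16"` (read as day 2024 of month 2 of year 16) all produce a wrong but non-NaN date. The expected DD-MM-YYYY shape is also undocumented; a header such as `/** Parses a strict DD-MM-YYYY string; any other shape yields an Invalid Date so the caller can reject it. */` would make the contract explicit. I would check the shape with a regex and reject rollover by verifying the constructed components round-trip, returning `new Date(NaN)` so the existing guard in the caller turns it into a 400.
```typescript
  private parseDate(dateString: string): Date {
    // Strict DD-MM-YYYY; anything else becomes an Invalid Date, which the
    // caller's isNaN(getTime()) check turns into a BadRequestException.
    const match = /^(\d{2})-(\d{2})-(\d{4})$/.exec(dateString);
    if (!match) {
      return new Date(NaN);
    }
    const day = Number(match[1]);
    const month = Number(match[2]) - 1;
    const year = Number(match[3]);
    const parsed = new Date(year, month, day);
    // Reject rollover (e.g. 31-02-2024 -> 2 March) instead of silently accepting it.
    if (
      parsed.getFullYear() !== year ||
      parsed.getMonth() !== month ||
      parsed.getDate() !== day
    ) {
      return new Date(NaN);
    }
    return parsed;
  }
```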
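Review bot: The range bounds passed to findAll now shift with the server's timezone, because the removed lines pinned both to UTC midnight (`00:00:00.000Z`) while `this.parseDate` builds local-time dates via `new Date(year, month, day)`; if UTC was intended, construct with `new Date(Date.UTC(year, month, day))` inside parseDate. Nothing rejects `df > dt`, so an inverted range still reaches the service — whether that is harmless depends on findAll, which is outside the hunk. The patch adds no import line (the diffstat accounts for all 16 insertions), so `BadRequestException` is presumably already imported from @nestjs/common; worth confirming the file compiles. The enclosing handler starts before this hunk.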