#65 - Fixed sonar security issues

Arquisoft · Mar 6, 2025 · dbddfb8 · dbddfb8
1 parent c0f282a
commit dbddfb8
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 4 deletions.
diff --git a/users/userservice/routers/RouterUserCrud.js b/users/userservice/routers/RouterUserCrud.js
@@ -58,14 +58,18 @@ router.get('/users/:username', async (req, res) => {
 // Update a user by username
 router.patch('/users/:username', async (req, res) => {
     try {
-        const user = await User.findOne({ username: req.params.username });
+        const paramQuery = { username: req.params.username.toString() };
+
+        const user = await User.findOne(paramQuery);
 
         if (!user) {
             return res.status(404).send();
         }
 
         if (req.body.username && req.body.username !== req.params.username) {
-            const existingUser = await User.findOne({ username: req.body.username });
+            const bodyQuery = { username: req.body.username.toString() };
+
+            const existingUser = await User.findOne(bodyQuery);
 
             if (existingUser) {
                 return res.status(400).json({ error: 'Username already exists' });

diff --git a/users/userservice/user-service.test.js b/users/userservice/user-service.test.js
@@ -24,7 +24,7 @@ async function clearDatabase() {
   }
 }
 
-checkUserExistsInDb = async (testUser, bool) => {
+const checkUserExistsInDb = async (testUser, bool) => {
   // Get the user from the database
   const userInDb = await User.findOne({ username: testUser.username });
 
@@ -39,7 +39,7 @@ checkUserExistsInDb = async (testUser, bool) => {
   expect(isPasswordValid).toBe(true);
 };
 
-validateResponse = async (response, expected) => {
+const validateResponse = async (response, expected) => {
   expect(response).toHaveProperty('username', expected.username);
   expect(response).toHaveProperty('role', expected.role);
   expect(await bcrypt.compare(expected.password, response.password)).toBe(true);