Fix Security Lint Warnings in Tests and Build (#2487)

Author: vinit717

config/default.js

@@ -78,6 +78,7 @@ module.exports = {
   },
 
   cors: {
+    // eslint-disable-next-line security/detect-unsafe-regex
     allowedOrigins: /(https:\/\/([a-zA-Z0-9-_]+\.)?realdevsquad\.com$)/, // Allow realdevsquad.com, *.realdevsquad.com
   },
 

controllers/discordactions.js

@@ -366,32 +366,28 @@ const updateDiscordNicknames = async (req, res) => {
     const totalNicknamesNotUpdated = { count: 0, errors: [] };
     const nickNameUpdatedUsers = [];
     let counter = 0;
-    for (let i = 0; i < usersToBeEffected.length; i++) {
-      const { discordId, username, first_name: firstName } = usersToBeEffected[i];
+    for (const user of usersToBeEffected) {
+      const { discordId, username, first_name: firstName, id } = user;
       try {
         if (counter % 10 === 0 && counter !== 0) {
           await new Promise((resolve) => setTimeout(resolve, 5500));
         }
-        if (!discordId) {
-          throw new Error("user not verified");
-        } else if (!username) {
-          throw new Error(`does not have a username`);
-        }
+        if (!discordId) throw new Error("user not verified");
+        if (!username) throw new Error("does not have a username");
+
         const response = await setUserDiscordNickname(username.toLowerCase(), discordId);
-        if (response) {
-          const message = await response.message;
-          if (message) {
-            counter++;
-            totalNicknamesUpdated.count++;
-            nickNameUpdatedUsers.push(usersToBeEffected[i].id);
-          }
+        if (response?.message) {
+          counter++;
+          totalNicknamesUpdated.count++;
+          nickNameUpdatedUsers.push(id);
         }
       } catch (error) {
         totalNicknamesNotUpdated.count++;
         totalNicknamesNotUpdated.errors.push(`User: ${username ?? firstName}, ${error.message}`);
         logger.error(`Error in updating discord Nickname: ${error}`);
       }
     }
+
     return res.json({
       totalNicknamesUpdated,
       totalNicknamesNotUpdated,

controllers/issues.js

@@ -14,6 +14,7 @@ const getIssues = async (req, res) => {
     const { q: queryString } = req.query;
     let issues = {};
     const githubOrg = config.get("githubApi.org");
+    // eslint-disable-next-line security/detect-non-literal-regexp
     const githubIssuerUrlPattern = new RegExp(`^https://github.com/${githubOrg}/.+/issues/\\d+$`);
 
     if (githubIssuerUrlPattern.test(queryString)) {

middlewares/validators/monitor.js

@@ -70,19 +70,30 @@ const validateCreateTrackedProgressRecord = async (req, res, next) => {
 const validateUpdateTrackedProgress = async (req, res, next) => {
   const { type, typeId } = req.params;
   const { monitored, frequency } = req.body;
-  const updatedData = { type, [TYPE_MAP[type]]: typeId, monitored, frequency };
-  const monitoredSchema = joi.object().keys({
+
+  const keyExists = Reflect.has(TYPE_MAP, type);
+  const resolvedKey = keyExists ? Reflect.get(TYPE_MAP, type) : null;
+
+  const updatedData = { type, monitored, frequency };
+
+  if (resolvedKey && typeof resolvedKey === "string") {
+    Reflect.set(updatedData, resolvedKey, typeId);
+  }
+
+  const monitoredSchema = joi.object({
     monitored: joi.boolean().optional().messages({
       "boolean.base": "monitored field must be a boolean value.",
     }),
   });
+
   const updateSchema = baseSchema.concat(monitoredSchema).or("monitored", "frequency");
+
   try {
     await updateSchema.validateAsync(updatedData, { abortEarly: false });
     next();
   } catch (error) {
     logger.error(`Error validating payload: ${error}`);
-    res.boom.badRequest(error.details[0].message);
+    res.boom.badRequest(error.details?.[0]?.message || "Invalid payload");
   }
 };
 

middlewares/validators/task-requests.js

@@ -3,7 +3,9 @@ const joi = require("joi");
 const { RQLQueryParser } = require("../../utils/RQLParser");
 const githubOrg = config.get("githubApi.org");
 const githubBaseUrl = config.get("githubApi.baseUrl");
+// eslint-disable-next-line security/detect-non-literal-regexp
 const githubIssuerUrlPattern = new RegExp(`^${githubBaseUrl}/repos/${githubOrg}/.+/issues/\\d+$`);
+// eslint-disable-next-line security/detect-non-literal-regexp
 const githubIssueHtmlUrlPattern = new RegExp(`^${GITHUB_URL}/${githubOrg}/.+/issues/\\d+$`); // Example: https://github.com/Real-Dev-Squad/website-status/issues/1050
 const { TASK_REQUEST_STATUS, TASK_REQUEST_TYPE } = require("../../constants/taskRequests");
 

models/discordactions.js

@@ -520,6 +520,7 @@ const updateUsersNicknameStatus = async (lastNicknameUpdate) => {
     const usersCurrentStatus = userStatusModel
       .where("currentStatus.updatedAt", ">=", lastNicknameUpdateTimestamp)
       .get();
+
     const usersFutureStatus = userStatusModel.where("futureStatus.updatedAt", ">=", lastNicknameUpdateTimestamp).get();
 
     const [usersCurrentStatusSnapshot, usersFutureStatusSnapshots] = await Promise.all([
@@ -528,36 +529,30 @@ const updateUsersNicknameStatus = async (lastNicknameUpdate) => {
     ]);
 
     const usersCurrentStatusDocs = usersCurrentStatusSnapshot.docs;
-    let usersFutureStatusDocs = usersFutureStatusSnapshots.docs;
-    usersFutureStatusDocs = usersFutureStatusDocs.filter(({ id }) => {
-      const isIdPresent = usersCurrentStatusDocs.find((status) => {
-        return status.id === id;
-      });
-      return !isIdPresent;
+    const futureDocs = usersFutureStatusSnapshots.docs.filter(({ id }) => {
+      return !usersCurrentStatusDocs.some((status) => status.id === id);
     });
-    const usersStatusDocs = usersCurrentStatusDocs.concat(usersFutureStatusDocs);
 
-    const today = new Date().getTime();
-
-    let successfulUpdates = 0;
-    const nicknameUpdateBatches = [];
+    const usersStatusDocs = usersCurrentStatusDocs.concat(futureDocs);
     const totalUsersStatus = usersStatusDocs.length;
+    const today = Date.now();
 
-    let startIndex = 0;
-    for (let i = 0; i < Math.ceil(totalUsersStatus / SIMULTANEOUS_WORKER_CALLS); i++) {
-      const end = Math.min(totalUsersStatus, startIndex + SIMULTANEOUS_WORKER_CALLS);
-      nicknameUpdateBatches.push(usersStatusDocs.slice(startIndex, end));
-      startIndex = end;
+    const nicknameUpdateBatches = [];
+    for (let start = 0; start < totalUsersStatus; start += SIMULTANEOUS_WORKER_CALLS) {
+      const end = Math.min(totalUsersStatus, start + SIMULTANEOUS_WORKER_CALLS);
+      nicknameUpdateBatches.push(usersStatusDocs.slice(start, end));
     }
 
-    for (let i = 0; i < nicknameUpdateBatches.length; i++) {
+    let successfulUpdates = 0;
+
+    for (const usersStatusDocsBatch of nicknameUpdateBatches) {
       const promises = [];
-      const usersStatusDocsBatch = nicknameUpdateBatches[i];
-      usersStatusDocsBatch.forEach((document) => {
+
+      for (const document of usersStatusDocsBatch) {
         const doc = document.data();
         const userId = doc.userId;
-
         const { futureStatus = {}, currentStatus = {} } = doc;
+
         const { state: futureState } = futureStatus;
         const { state: currentState } = currentStatus;
 
@@ -572,17 +567,16 @@ const updateUsersNicknameStatus = async (lastNicknameUpdate) => {
         } else {
           promises.push(usersUtils.updateNickname(userId));
         }
-      });
-
-      const settledPromises = await Promise.allSettled(promises);
+      }
 
-      settledPromises.forEach((result) => {
+      const settled = await Promise.allSettled(promises);
+      for (const result of settled) {
         if (result.status === "fulfilled" && !!result.value) {
           successfulUpdates++;
         } else {
           logger.error(`Error while updating nickname: ${result.reason}`);
         }
-      });
+      }
 
       await new Promise((resolve) => setTimeout(resolve, 5000));
     }

models/progresses.js

@@ -100,8 +100,10 @@ const getRangeProgressData = async (queryParams) => {
 async function getProgressByDate(pathParams, queryParams) {
   const { type, typeId, date } = pathParams;
   const { dev } = queryParams;
+  /* eslint-disable security/detect-object-injection */
   await assertUserOrTaskExists({ [TYPE_MAP[type]]: typeId });
   const query = buildQueryToSearchProgressByDay({ [TYPE_MAP[type]]: typeId, date });
+  /* eslint-enable security/detect-object-injection */
   const result = await query.get();
   if (!result.size) {
     throw new NotFound(PROGRESS_DOCUMENT_NOT_FOUND);

models/taskRequests.js

@@ -78,31 +78,40 @@ const fetchTaskRequests = async (dev) => {
 const fetchPaginatedTaskRequests = async (queries = {}) => {
   try {
     let taskRequestsSnapshot = taskRequestsCollection;
-
     let { next, prev, size, q: queryString } = queries;
     if (size) size = parseInt(size);
 
     const rqlQueryParser = new RQLQueryParser(queryString);
 
-    Object.entries(rqlQueryParser.getFilterQueries()).forEach(([key, value]) => {
-      const valuesList = value.map(
-        (query) => query.operator === Operators.INCLUDE && TASK_REQUEST_FILTER_VALUES[query.value]
-      );
-      taskRequestsSnapshot = taskRequestsSnapshot.where(TASK_REQUEST_FILTER_KEYS[key], "in", valuesList);
-    });
+    const filterQueries = rqlQueryParser.getFilterQueries();
+
+    for (const [filterKey, filterValue] of Object.entries(filterQueries)) {
+      const valuesList = filterValue
+        .map((query) =>
+          query.operator === Operators.INCLUDE ? Reflect.get(TASK_REQUEST_FILTER_VALUES, query.value) : null
+        )
+        .filter(Boolean);
+
+      if (Reflect.has(TASK_REQUEST_FILTER_KEYS, filterKey)) {
+        const fieldName = Reflect.get(TASK_REQUEST_FILTER_KEYS, filterKey);
+        taskRequestsSnapshot = taskRequestsSnapshot.where(fieldName, "in", valuesList);
+      }
+    }
 
     const sortQueries = rqlQueryParser.getSortQueries();
     const sortQueryEntries = Object.entries(sortQueries);
 
     if (sortQueryEntries.length) {
-      sortQueryEntries.forEach(([key, value]) => {
-        taskRequestsSnapshot = taskRequestsSnapshot.orderBy(
-          TASK_REQUEST_SORT_KEYS[key],
-          TASK_REQUEST_SORT_VALUES[value]
-        );
-      });
+      for (const [sortKey, sortValue] of sortQueryEntries) {
+        if (Reflect.has(TASK_REQUEST_SORT_KEYS, sortKey) && Reflect.has(TASK_REQUEST_SORT_VALUES, sortValue)) {
+          const sortField = Reflect.get(TASK_REQUEST_SORT_KEYS, sortKey);
+          const orderDirection = Reflect.get(TASK_REQUEST_SORT_VALUES, sortValue);
+          taskRequestsSnapshot = taskRequestsSnapshot.orderBy(sortField, orderDirection);
+        }
+      }
     } else {
-      taskRequestsSnapshot = taskRequestsSnapshot.orderBy(TASK_REQUEST_SORT_KEYS.created, "desc");
+      const defaultField = Reflect.get(TASK_REQUEST_SORT_KEYS, "created");
+      taskRequestsSnapshot = taskRequestsSnapshot.orderBy(defaultField, "desc");
     }
 
     if (next) {
@@ -137,16 +146,13 @@ const fetchPaginatedTaskRequests = async (queries = {}) => {
     const isNextLinkRequired = size && resultDataLength === size;
     const lastVisibleDoc = isNextLinkRequired && taskRequestsSnapshot.docs[resultDataLength - 1];
     const firstDoc = taskRequestsSnapshot.docs[0];
-    const nextPageParams = {
-      ...queries,
-      next: lastVisibleDoc?.id,
-    };
+
+    const nextPageParams = { ...queries, next: lastVisibleDoc?.id };
     delete nextPageParams.prev;
-    const prevPageParams = {
-      ...queries,
-      prev: firstDoc?.id,
-    };
+
+    const prevPageParams = { ...queries, prev: firstDoc?.id };
     delete prevPageParams.next;
+
     const nextLink = lastVisibleDoc ? generateLink(nextPageParams) : "";
     const prevLink = next || prev ? generateLink(prevPageParams) : "";