fix: Add type validation for username in eloRank and leaderboard APIs

codergautam · claude · codergautam · commit 3475a80930b2 · 2026-02-01T01:20:28.000-06:00
- eloRank.js: Add typeof check for username parameter
- leaderboard.js: Add typeof check for myUsername query param

Prevents NoSQL injection via ?username[$ne]=foo query strings.

Co-Authored-By: Claude Opus 4.5 &lt;noreply@anthropic.com&gt;
diff --git a/api/eloRank.js b/api/eloRank.js
@@ -33,7 +33,8 @@ export default async function handler(req, res) {
   try {
 
     let user;
-    if(username) {
+    if(username && typeof username === 'string') {
+      // Prevent NoSQL injection - username must be a string
       user = await User.findOne({ username: username }).collation(USERNAME_COLLATION).cache(120);
     } else if(secret && typeof secret === 'string') {
       // Prevent NoSQL injection - secret must be a string
diff --git a/api/leaderboard.js b/api/leaderboard.js
@@ -113,6 +113,11 @@ export default async function handler(req, res) {
   const isXp = req.query.mode === 'xp';
   console.log(`[API] leaderboard: mode=${isXp ? 'xp' : 'elo'}, pastDay=${pastDay}, user=${myUsername || 'none'}`);
 
+  // Prevent NoSQL injection - username must be a string if provided
+  if (myUsername && typeof myUsername !== 'string') {
+    return res.status(400).json({ message: 'Invalid username' });
+  }
+
   if (req.method !== 'GET') {
     return res.status(405).json({ message: 'Method not allowed' });
   }
