fix: security for volnerability- sonarcube

Author: ShravyaKudlu

src/controllers/activityLogController.js

@@ -1,6 +1,11 @@
+const mongoose = require('mongoose');
 const ActivityLog = require('../models/activityLog');
 const usersProfiles = require('../models/userProfile');
 
+const isValidObjectId = (id) =>
+  mongoose.Types.ObjectId.isValid(id) && new mongoose.Types.ObjectId(id).toString() === String(id);
+const sanitizeString = (str) => String(str).slice(0, 500);
+
 const activityLogController = function () {
   // Format response - only include assisted_users if is_assisted is true
   const formatLogs = (logs) =>
@@ -30,7 +35,16 @@ const activityLogController = function () {
         return res.status(403).json({ error: "Forbidden: Cannot access another student's log" });
       }
 
-      const logs = await ActivityLog.find({ actor_id: studentId })
+      const authorizedStudentId = requestedStudentId || String(studentId);
+      if (
+        !authorizedStudentId ||
+        typeof authorizedStudentId !== 'string' ||
+        authorizedStudentId.length > 100
+      ) {
+        return res.status(400).json({ error: 'Invalid studentId' });
+      }
+
+      const logs = await ActivityLog.find({ actor_id: authorizedStudentId })
         .sort({ created_at: -1 })
         .select('action_type metadata created_at actor_id is_assisted assisted_users');
 
@@ -54,13 +68,15 @@ const activityLogController = function () {
         return res.status(400).json({ error: 'actionType and entityId are required' });
       }
 
-      // Get valid enums
+      if (typeof entityId !== 'string' || entityId.length > 200) {
+        return res.status(400).json({ error: 'Invalid entityId' });
+      }
+
       const validActionTypes = ActivityLog.schema.path('action_type').enumValues;
       const validAssistanceTypes = ActivityLog.schema
         .path('assisted_users')
         .schema.path('assistance_type').enumValues;
 
-      // Validate actionType
       if (!validActionTypes.includes(actionType)) {
         return res.status(400).json({
           error: `Invalid actionType. Must be one of: ${validActionTypes.join(', ')}`,
@@ -72,13 +88,11 @@ const activityLogController = function () {
 
       if (isAssistedFromClient) {
         if (!['Educator', 'Administrator'].includes(currentUser.role)) {
-          // Unauthorized user tried to set the flag
           return res.status(403).json({
             error: 'Only educators or administrators can set the assisted flag',
           });
         }
 
-        // Authorized user
         isAssisted = true;
 
         if (!assistedUsersFromClient || assistedUsersFromClient.length === 0) {
@@ -87,10 +101,19 @@ const activityLogController = function () {
           });
         }
 
-        // Fetch and map assisted users
-        const userIds = assistedUsersFromClient.map((u) => u.userId);
+        if (assistedUsersFromClient.length > 50) {
+          return res.status(400).json({ error: 'Too many assisted users' });
+        }
+
+        const userIds = assistedUsersFromClient.map((u) => String(u.userId).slice(0, 50));
+        const uniqueUserIds = [...new Set(userIds)].filter(isValidObjectId);
+
+        if (uniqueUserIds.length === 0) {
+          return res.status(400).json({ error: 'Invalid assisted user IDs' });
+        }
+
         const usersProfile = await usersProfiles
-          .find({ _id: { $in: userIds } })
+          .find({ _id: { $in: uniqueUserIds } })
           .select('firstName lastName');
 
         assistedUsers = usersProfile.map((user) => {
@@ -105,19 +128,30 @@ const activityLogController = function () {
 
           return {
             user_id: user._id,
-            name: `${user.firstName} ${user.lastName}`,
+            name: sanitizeString(`${user.firstName} ${user.lastName}`),
             assisted_at: new Date(),
             assistance_type: assistanceType,
           };
         });
       }
 
-      // Build log object
+      const sanitizedMetadata = {};
+      if (metadata && typeof metadata === 'object') {
+        for (const key of Object.keys(metadata).slice(0, 50)) {
+          const value = metadata[key];
+          if (typeof value === 'string') {
+            sanitizedMetadata[sanitizeString(key)] = sanitizeString(value);
+          } else if (typeof value === 'number' || typeof value === 'boolean') {
+            sanitizedMetadata[sanitizeString(key)] = value;
+          }
+        }
+      }
+
       const logData = {
         actor_id: currentUser.requestorId,
         action_type: actionType,
-        entity_id: entityId,
-        metadata: metadata || {},
+        entity_id: sanitizeString(entityId),
+        metadata: sanitizedMetadata,
         created_at: new Date(),
         is_assisted: isAssisted,
         assisted_users: assistedUsers,
@@ -145,6 +179,10 @@ const activityLogController = function () {
 
       if (!logId) return res.status(400).json({ error: 'Missing logId' });
 
+      if (!isValidObjectId(logId)) {
+        return res.status(400).json({ error: 'Invalid logId' });
+      }
+
       if (!['Educator', 'Administrator'].includes(currentUser.role)) {
         return res.status(403).json({
           error: 'Only educators or administrators can update the assisted flag',
@@ -154,7 +192,6 @@ const activityLogController = function () {
       const log = await ActivityLog.findById(logId);
       if (!log) return res.status(404).json({ error: 'Activity log not found' });
 
-      // Prepare assisted users only if isAssisted is true
       let assistedUsers = [];
       if (isAssistedFromClient) {
         if (!assistedUsersFromClient || assistedUsersFromClient.length === 0) {
@@ -163,13 +200,23 @@ const activityLogController = function () {
           });
         }
 
+        if (assistedUsersFromClient.length > 50) {
+          return res.status(400).json({ error: 'Too many assisted users' });
+        }
+
         const validAssistanceTypes = ActivityLog.schema
           .path('assisted_users')
           .schema.path('assistance_type').enumValues;
 
-        const userIds = assistedUsersFromClient.map((u) => u.userId);
+        const userIds = assistedUsersFromClient.map((u) => String(u.userId).slice(0, 50));
+        const uniqueUserIds = [...new Set(userIds)].filter(isValidObjectId);
+
+        if (uniqueUserIds.length === 0) {
+          return res.status(400).json({ error: 'Invalid assisted user IDs' });
+        }
+
         const usersProfile = await usersProfiles
-          .find({ _id: { $in: userIds } })
+          .find({ _id: { $in: uniqueUserIds } })
           .select('firstName lastName');
 
         assistedUsers = usersProfile.map((user) => {
@@ -184,14 +231,13 @@ const activityLogController = function () {
 
           return {
             user_id: user._id,
-            name: `${user.firstName} ${user.lastName}`,
+            name: sanitizeString(`${user.firstName} ${user.lastName}`),
             assisted_at: new Date(),
             assistance_type: assistanceType,
           };
         });
       }
 
-      // Update log
       log.is_assisted = Boolean(isAssistedFromClient);
       log.assisted_users = assistedUsers;
       await log.save();
@@ -212,7 +258,11 @@ const activityLogController = function () {
       const { studentId } = req.params;
       const currentUser = req.body.requestor;
       if (!studentId) return res.status(400).json({ error: 'Missing studentId' });
-      // Add correct rule once you get it so the permission is correct
+
+      if (!studentId || typeof studentId !== 'string' || studentId.length > 100) {
+        return res.status(400).json({ error: 'Invalid studentId' });
+      }
+
       if (currentUser.role !== 'educator' && currentUser.role !== 'Administrator') {
         return res.status(403).json({ error: 'Only Educators can view students logs' });
       }