From 25820a4113ecc5e5f61e91f6c646101f797ea24d Mon Sep 17 00:00:00 2001
From: bhavanakarwade
Date: Mon, 14 Oct 2024 19:59:51 +0530
Subject: [PATCH] fix: resolved comments on pr

Signed-off-by: bhavanakarwade
---
 agent.env | 8 ++++----
 .../organization/dtos/create-organization-dto.ts | 2 +-
 .../organization/dtos/update-organization-dto.ts | 3 ++-
 libs/common/src/cast.helper.ts | 16 +++++++++-------
 4 files changed, 16 insertions(+), 13 deletions(-)

diff --git a/agent.env b/agent.env
index 194f355b5..5625c2a17 100644
--- a/agent.env
+++ b/agent.env
@@ -7,10 +7,10 @@ SESSION_LIMIT=2147483647
 INMEMORY_LRU_CACHE_LIMIT=2147483647
 BCOVRIN_REGISTER_URL=http://test.bcovrin.vonx.io/register
 INDICIO_NYM_URL=https://selfserve.indiciotech.io/nym
-# Contract address for Polygon amoy (testnet)
-SCHEMA_MANAGER_CONTRACT_ADDRESS=0x4742d43C2dFCa5a1d4238240Afa8547Daf87Ee7a
-DID_CONTRACT_ADDRESS=0xcB80F37eDD2bE3570c6C9D5B0888614E04E1e49E
-RPC_URL=https://rpc-amoy.polygon.technology
+# Contract address for Polygon (mainnet)
+SCHEMA_MANAGER_CONTRACT_ADDRESS=0x4B16719E73949a62E9A7306F352ec73F1B143c27
+DID_CONTRACT_ADDRESS=0x0C16958c4246271622201101C83B9F0Fc7180d15
+RPC_URL=https://polygon-rpc.com/
 # Add url and token from your file server
 SERVER_URL=https://schema.credebl.id
 FILE_SERVER_TOKEN=
diff --git a/apps/api-gateway/src/organization/dtos/create-organization-dto.ts b/apps/api-gateway/src/organization/dtos/create-organization-dto.ts
index 5a7a0e81e..fce598089 100644
--- a/apps/api-gateway/src/organization/dtos/create-organization-dto.ts
+++ b/apps/api-gateway/src/organization/dtos/create-organization-dto.ts
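Review bot: Only the comment line records that the three replaced values move the agent from the amoy testnet to Polygon mainnet, and it covers the two contract addresses but not RPC_URL, so a reader of agent.env cannot tell that the endpoint must change together with the addresses. If agent.env is the committed default (it looks that way from the diffstat), every environment built from it now targets mainnet by default, which is a larger change than the commit message suggests. Consider extending the comment to `# Polygon mainnet contract addresses and RPC endpoint (see <deployment docs placeholder> for the amoy testnet values)` and keeping the testnet lines present but commented out, so the two configurations stay discoverable from the file itself. A per-deployment RPC URL is usually supplied by the environment rather than a committed default; worth confirming that the deployment tooling overrides it.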
@@ -12,7 +12,7 @@ export class CreateOrganizationDto {
 @MinLength(2, { message: 'Organization name must be at least 2 characters.' })
 @MaxLength(200, { message: 'Organization name must be at most 200 characters.' })
 @IsString({ message: 'Organization name must be in string format.' })
- @IsNotSQLInjection({ message: 'Organization name is required.' })
+ @IsNotSQLInjection({ message: 'Incorrect pattern for organization name.' })
 name: string;
 
 @ApiProperty()
diff --git a/apps/api-gateway/src/organization/dtos/update-organization-dto.ts b/apps/api-gateway/src/organization/dtos/update-organization-dto.ts
index eb737c91c..e2b2786ac 100644
--- a/apps/api-gateway/src/organization/dtos/update-organization-dto.ts
+++ b/apps/api-gateway/src/organization/dtos/update-organization-dto.ts
@@ -2,7 +2,7 @@ import { ApiExtraModels, ApiPropertyOptional } from '@nestjs/swagger';
 import { IsNotEmpty, IsOptional, IsString, IsBoolean, MaxLength, MinLength, Validate } from 'class-validator';
 import { Transform } from 'class-transformer';
- import { ImageBase64Validator, trim } from '@credebl/common/cast.helper';
+ import { ImageBase64Validator, IsNotSQLInjection, trim } from '@credebl/common/cast.helper';
 
 @ApiExtraModels()
 export class UpdateOrganizationDto {
@@ -17,6 +17,7 @@ export class UpdateOrganizationDto {
 @MinLength(2, { message: 'Organization name must be at least 2 characters.' })
 @MaxLength(200, { message: 'Organization name must be at most 200 characters.' })
 @IsString({ message: 'Organization name must be in string format.' })
+ @IsNotSQLInjection({ message: 'Incorrect pattern for organization name.' })
 name: string;
 
 @ApiPropertyOptional()
diff --git a/libs/common/src/cast.helper.ts b/libs/common/src/cast.helper.ts
index b83a333db..de0c01f73 100644
--- a/libs/common/src/cast.helper.ts
+++ b/libs/common/src/cast.helper.ts
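Review bot: The message `'Incorrect pattern for organization name.'` is now duplicated verbatim in CreateOrganizationDto and in the new UpdateOrganizationDto decorator, and it tells the API caller nothing about which pattern is rejected. Since `IsNotSQLInjection` already defines a `defaultMessage` in cast.helper.ts (visible further down this page), the explicit message could be dropped from both DTOs or, if a custom text is wanted, kept in one shared constant so the wording cannot drift between create and update. A why-comment above the decorator, such as `// Rejects names whose first word is a SQL keyword; see IsNotSQLInjection in cast.helper`, would also make the rule legible at the point where it is applied. Both class bodies continue outside the hunks.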
@@ -90,16 +90,18 @@ export const IsNotSQLInjection =
 options: validationOptions,
 validator: {
 validate(value) {
- // Check if the value contains any common SQL injection keywords
- const sqlKeywords = ['SELECT', 'INSERT', 'UPDATE', 'DELETE', 'DROP', 'UNION', 'WHERE', 'AND', 'OR'];
+
+ // Check if the value is a string
 if ('string' === typeof value) {
- for (const keyword of sqlKeywords) {
- const regex = new RegExp(`\\b${keyword}\\b`);
- if (regex.test(value)) {
- return false; // Value contains a SQL injection keyword
- }
+ // Regex to check for SQL injection keywords at the start
+ const startInjectionRegex = new RegExp(`^\\b(SELECT|INSERT|UPDATE|DELETE|DROP|UNION|ALTER|CREATE|EXEC|FROM|WHERE|AND|OR|HAVING|LIMIT|OFFSET|JOIN|LIKE|IN|IS|NULL|SET|CASE|WHEN|THEN|ELSE|END)\\b`, 'i');
+
+ // Check if the SQL injection pattern is present at the start
+ if (startInjectionRegex.test(value)) {
+ return false; // SQL keyword present at the start
 }
 }
+
 return true; // Value does not contain any SQL injection keywords
 },
 defaultMessage(args: ValidationArguments) {
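Review bot: The rewritten check rejects a value only when its first word is one of the listed keywords, and with the `i` flag that list now includes ordinary English words, so organization names such as "In Motion Ltd", "Set Designs" or "Case Studies Inc" (constructed examples) fail validation in both CreateOrganizationDto and UpdateOrganizationDto, while a keyword anywhere after the first word passes; a keyword blocklist is not a SQL injection control in either form — that protection has to come from parameterized queries or the ORM in the persistence layer, which this page does not show — so the validator should be documented as a content heuristic rather than relied on for safety. The `^` makes the following `\b` redundant, and the pattern is constant, so build it once at module level instead of on every call: `const LEADING_SQL_KEYWORD_REGEX = /^(SELECT|INSERT|UPDATE|DELETE|DROP|UNION|ALTER|CREATE|EXEC|FROM|WHERE|AND|OR|HAVING|LIMIT|OFFSET|JOIN|LIKE|IN|IS|NULL|SET|CASE|WHEN|THEN|ELSE|END)\b/i;` and `if (LEADING_SQL_KEYWORD_REGEX.test(value)) {` in `validate`. A header comment such as `// Heuristic only: rejects values whose first word is a SQL keyword. SQL safety relies on parameterized queries, not on this check.` would replace the three added comments and state the actual contract. The enclosing `IsNotSQLInjection` declaration starts before the hunk and its `defaultMessage` continues after it.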