Jackie/rentall-app
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

mass assignment vulnerabilites and refactoring of photos

Browse Source
This commit is contained in:
jackiettran
2025-12-12 13:57:44 -05:00
parent 1dee5232a0
commit 25bbf5d20b
5 changed files with 79 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

45
backend/routes/rentals.js
View File

@@ -9,6 +9,8 @@ const LateReturnService = require("../services/lateReturnService");
const DamageAssessmentService = require("../services/damageAssessmentService");
const emailServices = require("../services/email");
const logger = require("../utils/logger");
const { validateS3Keys } = require("../utils/s3KeyValidator");
const { IMAGE_LIMITS } = require("../config/imageLimits");
const router = express.Router();
// Helper function to check and update review visibility
@@ -1257,12 +1259,53 @@ router.post("/:id/mark-return", authenticateToken, async (req, res, next) => {
}
});
// Allowed fields for damage report (prevents mass assignment)
const ALLOWED_DAMAGE_REPORT_FIELDS = [
'description',
'canBeFixed',
'repairCost',
'needsReplacement',
'replacementCost',
'proofOfOwnership',
'actualReturnDateTime',
'imageFilenames',
];
function extractAllowedDamageFields(body) {
const result = {};
for (const field of ALLOWED_DAMAGE_REPORT_FIELDS) {
if (body[field] !== undefined) {
result[field] = body[field];
}
}
return result;
}
// Report item as damaged (owner only)
router.post("/:id/report-damage", authenticateToken, async (req, res, next) => {
try {
const rentalId = req.params.id;
const userId = req.user.id;
const damageInfo = req.body;
// Extract only allowed fields (prevents mass assignment)
const damageInfo = extractAllowedDamageFields(req.body);
// Validate imageFilenames if provided
if (damageInfo.imageFilenames !== undefined) {
const imageFilenamesArray = Array.isArray(damageInfo.imageFilenames)
? damageInfo.imageFilenames
: [];
const keyValidation = validateS3Keys(imageFilenamesArray, 'damage-reports', {
maxKeys: IMAGE_LIMITS.damageReports,
});
if (!keyValidation.valid) {
return res.status(400).json({
error: keyValidation.error,
details: keyValidation.invalidKeys,
});
}
damageInfo.imageFilenames = imageFilenamesArray;
}
const result = await DamageAssessmentService.processDamageAssessment(
rentalId,