bug: Direct request body passed to database without validation #6

Open
opened 2026-06-17 15:04:02 +00:00 by abumahid · 0 comments

Description

The order and plan service functions pass req.body directly to Prisma create() and update() operations without proper validation or sanitization. This allows:

  • Injection of unvalidated fields into database
  • Mass assignment attacks
  • Database constraint violations
  • Data integrity issues

Location

  • File: src/app/modules/order/order.service.ts

  • Component: update_order_into_db()

  • Lines: 145-159

  • File: src/app/modules/plan/plan.service.ts

  • Component: create_plan_into_db() and update_plan_into_db()

  • Lines: 23-31, 33-57

How to Fix

Validate and extract only allowed fields before passing to Prisma. Copying fields by name is the minimum: it stops unknown columns from being written, but it does not check the values themselves, so a `status` sent as an object or a phone number sent as a number still reaches Prisma. A schema that also validates value types (second option below) is the stronger fix:

const update_order_into_db = async (req: Request) => {
  const user = req.user;
  if (user?.role !== "ADMIN") {
    throw new AppError("You are not authorized", 403);
  }
  
  const { id } = req.params as { id: string };
  
  // Extract only allow-listed fields. Guard against a missing or non-object
  // body and copy own properties only, so inherited keys are never picked up.
  // Note: this checks field names, not value types.
  const allowedFields = ['status', 'customerName', 'customerPhone'] as const;
  const body: Record<string, unknown> =
    req.body && typeof req.body === 'object' ? req.body : {};
  const updateData: Record<string, unknown> = {};
  
  for (const field of allowedFields) {
    if (Object.prototype.hasOwnProperty.call(body, field)) {
      updateData[field] = body[field];
    }
  }
  
  const result = await prisma.order.update({ 
    where: { id }, 
    data: updateData 
  });
  return result;
};

Or use Zod schema validation. `z.object()` strips keys that are not in the schema by default, which already defeats mass assignment; adding `.strict()` turns unexpected keys into a validation error, so attempts surface as a 400 instead of being silently dropped. `parse()` throws a `ZodError` on invalid input, which the error handler should map to a 400 response. The schema lists the same three fields as the allow-list above:

import { z } from 'zod';

const updateOrderSchema = z.object({
  status: z.enum(['PENDING', 'PROCESSING', 'COMPLETED']).optional(),
  customerName: z.string().min(1).optional(),
  customerPhone: z.string().min(1).optional()
}).strict();

const updateData = updateOrderSchema.parse(req.body);

Acceptance Criteria

  • Only whitelisted fields are extracted from req.body
  • Validation schema explicitly defines allowed fields
  • All database write operations validate input
  • Build passes
  • Type check passes
  • No regression in order/plan update functionality

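The following is an added example, not code from this issue or from the quicklanch-server project. It shows the mass-assignment problem and the allow-list fix side by side in a form that runs offline: Prisma's `order.update()` and the Express request are replaced by an in-memory store, the validator is a hand-written equivalent of the `z.object({...}).strict()` schema (no Zod dependency), and the extra row fields `userId` and `total`, the sample row and the attacker body are all constructed for the demonstration.

```typescript
// Added example: mass assignment through req.body vs. a strict allow-list
// parser. Prisma/Express are replaced by an in-memory store (assumption).

type OrderStatus = "PENDING" | "PROCESSING" | "COMPLETED";
const ORDER_STATUSES: readonly OrderStatus[] = ["PENDING", "PROCESSING", "COMPLETED"];

// Hypothetical order row. userId and total are assumed columns that must
// never be client-writable; the other three match the issue's allow-list.
interface Order {
  id: string;
  userId: string;
  total: number;
  status: OrderStatus;
  customerName: string;
  customerPhone: string;
}

// Only these fields may arrive in an update request.
interface OrderUpdate {
  status?: OrderStatus;
  customerName?: string;
  customerPhone?: string;
}

export class ValidationError extends Error {}

// Hand-rolled equivalent of z.object({...}).strict().parse(body):
// rejects non-objects, unknown keys and wrong value types.
export function parseOrderUpdate(body: unknown): OrderUpdate {
  if (typeof body !== "object" || body === null || Array.isArray(body)) {
    throw new ValidationError("body must be a JSON object");
  }
  const allowed = new Set(["status", "customerName", "customerPhone"]);
  const unknown = Object.keys(body).filter((k) => !allowed.has(k));
  if (unknown.length > 0) {
    throw new ValidationError(`unexpected field(s): ${unknown.join(", ")}`);
  }
  const src = body as Record<string, unknown>;
  const out: OrderUpdate = {};
  if ("status" in src) {
    // A string that is not in the enum, or a non-string such as { set: ... }, is rejected.
    if (typeof src.status !== "string" || !(ORDER_STATUSES as readonly string[]).includes(src.status)) {
      throw new ValidationError("status must be one of " + ORDER_STATUSES.join("|"));
    }
    out.status = src.status as OrderStatus;
  }
  for (const key of ["customerName", "customerPhone"] as const) {
    if (key in src) {
      const v = src[key];
      if (typeof v !== "string" || v.length === 0 || v.length > 200) {
        throw new ValidationError(`${key} must be a non-empty string`);
      }
      out[key] = v;
    }
  }
  return out;
}

// Stand-in for prisma.order.update(): shallow-merges `data` onto the row and
// performs no validation of its own, which is what the real call does for scalars.
function updateRow(store: Map<string, Order>, id: string, data: Record<string, unknown>): Order {
  const row = store.get(id);
  if (!row) throw new Error("order not found");
  const updated = { ...row, ...data } as Order;
  store.set(id, updated);
  return updated;
}

// Vulnerable shape from the issue: the request body flows straight into the update.
export function updateOrderUnsafe(store: Map<string, Order>, id: string, body: unknown): Order {
  return updateRow(store, id, body as Record<string, unknown>);
}

// Fixed shape: only validated, allow-listed fields reach the update.
export function updateOrderSafe(store: Map<string, Order>, id: string, body: unknown): Order {
  const data = parseOrderUpdate(body);
  return updateRow(store, id, data as Record<string, unknown>);
}

// Constructed sample row.
export function seedStore(): Map<string, Order> {
  return new Map<string, Order>([
    ["ord_1", { id: "ord_1", userId: "user_42", total: 120, status: "PENDING", customerName: "Ada", customerPhone: "0000" }],
  ]);
}

// Constructed attacker body: a legitimate status change smuggling in two
// fields the client must never control.
export const ATTACK_BODY = { status: "COMPLETED", total: 0, userId: "attacker" };
```

With the unsafe function the attacker body zeroes `total` and reassigns the order to another user; with the safe function the same request is rejected before the update runs and the row is untouched. The strict parser also rejects a body that is `undefined`, an array, or that carries a `__proto__` key from parsed JSON, and a `status` sent as an object, which with real Prisma would otherwise be interpreted as an atomic-operation or nested-write object rather than a value.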
abumahid added the High and bug labels 2026-06-17 15:04:02 +00:00
abumahid added this to the quicklanch-server project 2026-06-17 15:04:02 +00:00
sharafat was assigned by abumahid 2026-06-17 16:10:52 +00:00