check if uuid param is valid uuid before endpoint and alert filtering

Author: NikhilShahi

backend/src/api/get-endpoints/index.ts

@@ -1,7 +1,9 @@
 import { Request, Response } from "express"
+import validator from "validator"
 import { GetEndpointsService } from "services/get-endpoints"
 import { GetEndpointParams } from "@common/types"
 import ApiResponseHandler from "api-response-handler"
+import Error404NotFound from "errors/error-404-not-found"
 
 export const getEndpointsHandler = async (
   req: Request,
@@ -22,6 +24,9 @@ export const getEndpointHandler = async (
 ): Promise<void> => {
   try {
     const { endpointId } = req.params
+    if (!validator.isUUID(endpointId)) {
+      throw new Error404NotFound("Endpoint does not exist.")
+    }
     const endpoint = await GetEndpointsService.getEndpoint(endpointId)
     await ApiResponseHandler.success(res, endpoint)
   } catch (err) {
@@ -47,6 +52,9 @@ export const getUsageHandler = async (
 ): Promise<void> => {
   try {
     const { endpointId } = req.params
+    if (!validator.isUUID(endpointId)) {
+      throw new Error404NotFound("Endpoint does not exist.")
+    }
     const usageData = await GetEndpointsService.getUsage(endpointId)
     await ApiResponseHandler.success(res, usageData)
   } catch (err) {

backend/src/services/alert/index.ts

@@ -6,6 +6,7 @@ import {
   Not,
   QueryRunner,
 } from "typeorm"
+import validator from "validator"
 import jsonMap from "json-source-map"
 import yaml from "js-yaml"
 import SourceMap from "js-yaml-source-map"
@@ -29,6 +30,7 @@ import {
 import Error409Conflict from "errors/error-409-conflict"
 import Error500InternalServer from "errors/error-500-internal-server"
 import { getPathTokens } from "@common/utils"
+import Error404NotFound from "errors/error-404-not-found"
 
 export class AlertService {
   static async updateAlert(
@@ -91,13 +93,16 @@ export class AlertService {
     let paginationParams: FindManyOptions<Alert> = {}
     let orderParams: FindOptionsOrder<Alert> = {}
 
-    if (alertParams?.uuid) {
+    if (alertParams?.uuid && validator.isUUID(alertParams?.uuid)) {
       whereConditions = {
         ...whereConditions,
         uuid: alertParams.uuid,
       }
     }
-    if (alertParams?.apiEndpointUuid) {
+    if (
+      alertParams?.apiEndpointUuid &&
+      validator.isUUID(alertParams?.apiEndpointUuid)
+    ) {
       whereConditions = {
         ...whereConditions,
         apiEndpointUuid: alertParams.apiEndpointUuid,
@@ -195,6 +200,9 @@ export class AlertService {
 
   static async getAlert(alertId: string): Promise<AlertResponse> {
     const alertRepository = AppDataSource.getRepository(Alert)
+    if (!validator.isUUID(alertId)) {
+      throw new Error404NotFound("Alert not found.")
+    }
     return await alertRepository.findOneBy({ uuid: alertId })
   }
 

frontend/src/pages/endpoint/[endpointUUID]/index.tsx

@@ -42,7 +42,7 @@ const Endpoint = ({
 export const getServerSideProps: GetServerSideProps = async context => {
   const initAlertParams = {
     uuid: (context.query.uuid as string) || null,
-    apiEndpointUuid: context.query.endpointUUID as string,
+    apiEndpointUuid: (context.query.endpointUUID as string) || null,
     riskScores: [],
     status: [Status.OPEN],
     alertTypes: [],