
Conversation

@mirkashi (Owner)

Potential fix for https://github.com/mirkashi/LMS/security/code-scanning/188

In general, to fix this kind of issue for MongoDB/Mongoose, ensure that user-provided values used in query filters are treated as literals, not as query sub-objects. Two standard approaches are: (1) validate that the inputs are primitive values (e.g., strings) before using them in a query; or (2) wrap them in $eq, so MongoDB interprets them as literal values even if they are objects.

The best fix here, without changing existing functionality, is to enforce that status and courseId are safe primitive values before putting them into filter. Since status is likely an enum-like string and courseId is a Mongoose ObjectId string, we can:

  • For status: ensure it is a string and (optionally) restrict it to allowed status values.
  • For courseId: ensure it is a string, and optionally check it matches the ObjectId format (24 hex chars).

To stay minimal and not assume additional models/helpers, we will:

  • Check typeof status === 'string' before setting filter.status.
  • Check typeof courseId === 'string' before setting filter.course.

This guarantees that filter will never contain attacker-supplied query objects; only strings will be used. If the checks fail, we simply skip applying that filter, preserving current behavior as much as possible while avoiding NoSQL injection via operator objects.

Concretely, in backend/controllers/adminController.js, in exports.getAllEnrollments, we will replace:

973:     const { status, courseId } = req.query;
974:     let filter = {};
975: 
976:     if (status) filter.status = status;
977:     if (courseId) filter.course = courseId;

with:

973:     const { status, courseId } = req.query;
974:     let filter = {};
975: 
976:     if (typeof status === 'string' && status) {
977:       filter.status = status;
978:     }
979:     if (typeof courseId === 'string' && courseId) {
980:       filter.course = courseId;
981:     }

and adjust the subsequent line numbers accordingly. No new imports or external libraries are required.


Suggested fixes powered by Copilot Autofix. Review carefully before merging.
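An added example, not code from the LMS repository or from this PR: the before and after filter construction from the description as standalone functions, plus the optional stricter checks and the $eq alternative it mentions, run over a constructed query object. The status allow-list values and the sample ObjectId are assumptions.

```javascript
// Added example, not code from the LMS repository. It reproduces the PR's
// before/after filter construction as plain functions over an already-parsed
// req.query object, so the difference can be checked offline without Express or
// Mongoose. Status values and the sample ObjectId below are constructed.

// Before the fix: whatever arrived in req.query is copied into the filter.
function buildFilterBefore(query) {
  const { status, courseId } = query;
  const filter = {};
  if (status) filter.status = status;
  if (courseId) filter.course = courseId;
  return filter;
}

// After the fix (the PR's change): only non-empty strings are accepted,
// so a query sub-object can never reach the filter as an operator.
function buildFilterAfter(query) {
  const { status, courseId } = query;
  const filter = {};
  if (typeof status === 'string' && status) filter.status = status;
  if (typeof courseId === 'string' && courseId) filter.course = courseId;
  return filter;
}

// Stricter variant the description leaves optional: an allow-list for status
// (values assumed here) and the 24-hex-char ObjectId shape for courseId.
const ALLOWED_STATUS = new Set(['active', 'completed', 'cancelled']); // assumed
const OBJECT_ID_RE = /^[0-9a-fA-F]{24}$/;
function buildFilterStrict(query) {
  const { status, courseId } = query;
  const filter = {};
  if (typeof status === 'string' && ALLOWED_STATUS.has(status)) filter.status = status;
  if (typeof courseId === 'string' && OBJECT_ID_RE.test(courseId)) filter.course = courseId;
  return filter;
}

// Second approach from the description: wrap the value in $eq so MongoDB
// compares it as a literal instead of interpreting it as an operator object.
function buildFilterEq(query) {
  const { status, courseId } = query;
  const filter = {};
  if (status) filter.status = { $eq: status };
  if (courseId) filter.course = { $eq: courseId };
  return filter;
}

// Constructed input: Express's default query parser (qs) produces exactly this
// object for ?status[$ne]=x&courseId=5f1d7f3e2c8b4a1d9e6f0a12.
const constructedQuery = { status: { $ne: 'x' }, courseId: '5f1d7f3e2c8b4a1d9e6f0a12' };
```

Run it against the constructed query: the original code copies the operator object into `filter.status`, the fixed code drops it and keeps only the string `courseId`.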

…rom user-controlled sources

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@appwrite

appwrite bot commented Dec 28, 2025

LMS (Project ID: 69468887001ae4944670)

Sites (1): LMS (694689080025bd96995a), deployment status: Failed

Tip

Environment variable changes require redeployment to take effect

@mirkashi mirkashi closed this Dec 28, 2025
@mirkashi mirkashi deleted the alert-autofix-188 branch December 28, 2025 07:57