fix(products): input validation and better date parsing (#326)

tamirGer · web-flow · commit e4aca6ac90d8 · 2024-03-16T22:56:54.000+02:00
diff --git a/charts/brokencrystals/Chart.yaml b/charts/brokencrystals/Chart.yaml
@@ -4,7 +4,7 @@ description: |
   Benchmark application that uses modern technologies and implements a set of
   common security vulnerabilities
 type: application
-version: 0.0.60
+version: 0.0.61
 keywords:
   - brokencrystals
   - brkn
diff --git a/src/products/products.controller.ts b/src/products/products.controller.ts
@@ -37,6 +37,15 @@ export class ProductsController {
 
   constructor(private readonly productsService: ProductsService) {}
 
+  private parseDate(dateString: string): Date {
+    const dateParts = dateString.split('-');
+    const year = parseInt(dateParts[2], 10);
+    const month = parseInt(dateParts[1], 10) - 1;
+    const day = parseInt(dateParts[0], 10);
+
+    return new Date(year, month, day);
+  }
+
   @Get()
   @UseGuards(AuthGuard)
   @JwtType(JwtProcessorType.RSA)
@@ -67,10 +76,14 @@ export class ProductsController {
     let df = new Date(new Date().setFullYear(new Date().getFullYear() - 1));
     let dt = new Date();
     if (dateFrom) {
-      df = new Date(`${dateFrom} 00:00:00.000Z`);
+      df = this.parseDate(dateFrom);
     }
     if (dateTo) {
-      dt = new Date(`${dateTo} 00:00:00.000Z`);
+      dt = this.parseDate(dateTo);
+    }
+
+    if (isNaN(df.getTime()) || isNaN(dt.getTime())) {
+      throw new BadRequestException('Invalid date format');
     }
 
     const allProducts = await this.productsService.findAll(df, dt);
