From e909b25b2949679dbe518102e95c1fa5c25d5d68 Mon Sep 17 00:00:00 2001
From: Sean Hatfield <seanhatfield5@gmail.com>
Date: Tue, 16 Jul 2024 16:40:05 -0700
Subject: [PATCH] [FEAT] Prisma injection validation (#1874)

Check all Prisma models and model usage and patch any potential SQL injection vulnerabilities.
---
 server/models/user.js | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/server/models/user.js b/server/models/user.js
index f08548afb..4b14bb58f 100644
--- a/server/models/user.js
+++ b/server/models/user.js
@@ -22,6 +22,15 @@ const User = {
         throw new Error(e.message);
       }
     },
+    role: (role = "default") => {
+      const VALID_ROLES = ["default", "admin", "manager"];
+      if (!VALID_ROLES.includes(role)) {
+        throw new Error(
+          `Invalid role. Allowed roles are: ${VALID_ROLES.join(", ")}`
+        );
+      }
+      return String(role);
+    },
   },
 
   // validations for the above writable fields.
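Review bot: The `String(role)` on the return line of the new validator is redundant: `VALID_ROLES.includes(role)` compares with SameValueZero, so any value that reaches the return is already one of the three string literals, and `return role;` expresses that more honestly. `VALID_ROLES` is also rebuilt on every call; hoisting it to a frozen module-level constant (`const VALID_ROLES = Object.freeze(["default", "admin", "manager"]);`) keeps the allow-list in one place so any other role check in the file can share the same source of truth instead of drifting. Note that the `role = "default"` default only fills in for `undefined`; an explicit `null` is rejected with the error, which looks intended but is a change from the previous `String(role)` behaviour and is worth a one-line comment such as `// allow-list: only these exact strings may be stored as a role`. The enclosing `validations` object begins outside this hunk.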
@@ -52,7 +61,7 @@ const User = {
         data: {
           username: this.validations.username(username),
           password: hashedPassword,
-          role: String(role),
+          role: this.validations.role(role),
         },
       });
       return { user: this.filterFields(user), error: null };
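Review bot: The role is validated only while the `data` object is being assembled, after `hashedPassword` has already been computed (it is referenced on the line above), so a request with an invalid role still pays for the password hash before being rejected; calling `const validatedRole = this.validations.role(role);` (and likewise the username validation) before the hashing step rejects bad input first and then uses `role: validatedRole` here. The validator throws, so the exception now propagates out of this create path; if the surrounding function is not wrapped in a try/catch that returns `{ user: null, error }`, callers get an exception where they previously got a string-coerced role, so confirm the enclosing function handles it. The enclosing function starts and ends outside the hunk.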
-- 
GitLab