fix(api): use query() validator and check result for GET /api/search#502
fix(api): use query() validator and check result for GET /api/search#502Rajeevydvv wants to merge 1 commit into
Conversation
✅ Deploy Preview for krkn-chaos ready!Built without sensitive environment variables
To edit notification comments on pull requests, go to your Netlify project configuration. |
Review Summary by QodoFix GET /api/search validation using query() validator
WalkthroughsDescription• Fixed GET /api/search endpoint validation using query() instead of body() • Imported queryValidator from express-validator for URL query parameters • Corrected validator to read from req.query instead of empty req.body • Applied code formatting cleanup (trailing whitespace removal) Diagramflowchart LR
A["GET /api/search endpoint"] -->|Previously used| B["body() validator"]
B -->|Reads from| C["req.body empty"]
C -->|Result| D["Validation never executed"]
A -->|Now uses| E["queryValidator() validator"]
E -->|Reads from| F["req.query URL params"]
F -->|Result| G["Validation properly enforced"]
File Changes1. api/server.js
|
Code Review by Qodo
Context used✅ Compliance rules (platform):
24 rules 1. Search validation not enforced
|
| app.get('/api/search', | ||
| [ | ||
| body('query') | ||
| queryValidator('query') | ||
| .trim() | ||
| .isLength({ min: 1, max: 200 }) | ||
| .withMessage('Query must be between 1 and 200 characters') | ||
| ], | ||
| async (req, res) => { | ||
| try { | ||
| const { query, limit = 10 } = req.query; | ||
|
|
||
| if (!query) { | ||
| return res.status(400).json({ | ||
| error: 'Query parameter is required' |
There was a problem hiding this comment.
1. Search validation not enforced 🐞 Bug ≡ Correctness
GET /api/search adds queryValidator('query') but never calls validationResult(req), so
express-validator errors are ignored and invalid/oversized query values still reach
documentationIndex.search(). This undermines the intended fix and can also cause downstream errors
when non-string query values (e.g., repeated query params) reach code paths that assume query is a
string.
Agent Prompt
### Issue description
`GET /api/search` registers express-validator rules but never checks `validationResult(req)`, so requests with invalid `query` values are still processed.
### Issue Context
The `/api/chat` endpoint already demonstrates the intended pattern (validate + `validationResult` check + 400 on error). The search path calls `documentationIndex.search(query, ...)`, and downstream code assumes `query` is a string.
### Fix Focus Areas
- api/server.js[254-295]
### Proposed change
1. In the `/api/search` handler, add:
- `const errors = validationResult(req);`
- if errors exist, return `400` with `errors.array()`.
2. Consider strengthening the validator chain to enforce type:
- `queryValidator('query').isString().trim().isLength({ min: 1, max: 200 }) ...`
This prevents `?query=a&query=b` (array) from reaching the service.
ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools
There was a problem hiding this comment.
"Thanks @qodo-code-review for catching the missing validationResult check! I've updated the PR to add .isString() to the validator chain and properly handle the validation errors
1e90c74 to
35ce654
Compare
|
Hi @paigepatton Whenever you have some free time, could you please review this PR? It fixes a bug in the GET /api/search endpoint where the express-validator rules were silently failing because they were targeting the request body instead of the URL query string, and the validation results weren't being checked. I've also addressed the feedback from the Qodo bot by adding .isString() to prevent array inputs from reaching the search service. Let me know if you need any changes! Thank you |
556b89c to
ee81df9
Compare
Signed-off-by: Rajeev-Cryptographer <Rajeevofficial3@gmail.com>
ee81df9 to
da4169a
Compare
Bug Fix
Related Feature: Chatbot API — search endpoint (
api/server.js)Branch name:
fix-get-validationChanges:
The
GET /api/searchendpoint had two critical validation flaws that allowed malformed or oversized queries to bypass validation and reach the search service:body('query')fromexpress-validator. Since this is aGETroute, the query string is in the URL (req.query), not the request body (req.body). The validator silently found nothing and passed.validationResult(req), meaning validation failures were entirely ignored.Root Cause
express-validatorprovides separate functions for different input locations:body()→ readsreq.body(POST/PUT data)query()→ readsreq.query(URL query string)Because the search endpoint is a
GETroute, it must usequery().What this PR does:
body('query')withqueryValidator('query')so it correctly targets URL parameters instead of the request body..isString()to the validation chain to reject array query parameters (e.g., preventing errors from?query=a&query=b).validationResult(req)check at the start of the handler that halts execution and returns a400 Bad Requestwith theerrors.array()if validation fails.Files Changed
api/server.js— Fixed the validator function location and added the missingvalidationResulterror handler for the GET search endpoint.