…dation and error handling
added event search by slug
Pull Request Overview
This PR adds a new endpoint to fetch events by slug identifier instead of MongoDB ObjectId, providing a more user-friendly way to access event data via URL-friendly slugs. The version has been bumped to 1.1.0 to reflect this new feature.
- Added `fetchEventSlug` controller function to retrieve events using slug identifiers
- Added `/events/slug/:slug` route with Swagger documentation
- Version bump from 1.0.0 to 1.1.0
Reviewed Changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| src/controller/event.controller.js | Implements fetchEventSlug function with slug-based event lookup, error handling, and Sentry logging |
| src/routes/event.route.js | Adds new route /slug/:slug with comprehensive Swagger documentation and imports fetchEventSlug controller |
| package.json | Version bump to 1.1.0 reflecting the new feature |
```javascript
// Use case-insensitive regex to match slugs regardless of case
const fetchedEvent = await eventSchema.findOne({
  slug: { $regex: new RegExp(`^${normalizedSlug}$`, 'i') }
```
Security and performance issue: The slug parameter is directly interpolated into a regex pattern without escaping special regex characters, creating a ReDoS (Regular Expression Denial of Service) vulnerability. An attacker could provide input like (a+)+$ to cause catastrophic backtracking.
Additionally, since the slug field in the schema is defined with lowercase: true (meaning all slugs are stored in lowercase), the case-insensitive regex is unnecessary and inefficient.
Replace with a simple, safe equality match:

```javascript
const fetchedEvent = await eventSchema.findOne({
  slug: normalizedSlug.toLowerCase()
}).lean();
```

This is faster, avoids regex overhead, and eliminates the security vulnerability.
```diff
-// Use case-insensitive regex to match slugs regardless of case
-const fetchedEvent = await eventSchema.findOne({
-  slug: { $regex: new RegExp(`^${normalizedSlug}$`, 'i') }
+// Use direct equality match for slug (stored in lowercase)
+const fetchedEvent = await eventSchema.findOne({
+  slug: normalizedSlug.toLowerCase()
```
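As an added illustration, not code from this PR or the project, the following contrasts the reviewed query builder with an equality lookup guarded by slug validation, and runs both against an in-memory stand-in for the Mongoose collection so the semantic difference is visible. `SLUG_PATTERN`, `buildSlugQuerySafe`, `escapeRegExp` and the sample events are assumptions for the demonstration.

```javascript
// Vulnerable shape from the review: user-controlled slug interpolated into a RegExp.
// Metacharacters in the slug change the query's meaning (and can trigger backtracking).
function buildSlugQueryUnsafe(slug) {
  const normalizedSlug = String(slug).trim();
  return { slug: { $regex: new RegExp(`^${normalizedSlug}$`, 'i') } };
}

// Assumed allow-list for a URL-friendly slug; adjust to the project's slug generator.
const SLUG_PATTERN = /^[a-z0-9]+(?:-[a-z0-9]+)*$/;

// Hardened shape: validate the format, then match by plain equality.
// The schema stores slugs with lowercase: true, so lowercasing the input is sufficient.
function buildSlugQuerySafe(slug) {
  const normalizedSlug = String(slug).trim().toLowerCase();
  if (normalizedSlug.length > 128 || !SLUG_PATTERN.test(normalizedSlug)) {
    return null; // caller should answer 400/404; never build a query from this input
  }
  return { slug: normalizedSlug };
}

// If a regex is genuinely needed (e.g. prefix search), escape metacharacters first.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Constructed sample documents standing in for the events collection.
const SAMPLE_EVENTS = [{ slug: 'spring-hackathon-2024' }, { slug: 'board-meeting' }];

// Minimal evaluator for the two query shapes above (equality or {$regex}).
function findBySlug(events, query) {
  if (query === null) return [];
  const cond = query.slug;
  const isRegexQuery = typeof cond === 'object' && cond !== null && cond.$regex instanceof RegExp;
  return events.filter((e) => (isRegexQuery ? cond.$regex.test(e.slug) : e.slug === cond));
}
```

With the unsafe builder a slug of `.*` matches every event, while the safe builder rejects it before any query is issued.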