Add Input Sanitization for SQL Injection Prevention (#93)

backend/app.js

@@ -23,7 +23,7 @@ import {
 
 import { performanceMonitor } from "./middleware/performance.js";
 import logger, { stream } from "./utils/logger.js";
-import { sanitizeRequest } from "./middleware/validation.js";
+import { sanitizeRequest, detectSqlInjection } from "./middleware/validation.js";
 
 import {
   globalLimiter,
@@ -104,6 +104,9 @@ app.use(compression({
 app.use(express.json({ limit: "10mb" }));
 app.use(express.urlencoded({ extended: true, limit: "10mb" }));
 
+// Detect SQL Injection attempts
+app.use(detectSqlInjection);
+
 // Sanitize all request inputs
 app.use(sanitizeRequest);
 
@@ -196,7 +199,7 @@ app.use(
 // ===== ERROR HANDLING =====
 
 app.all("*", (req, res, next) => {
-  res.status(404).json({ 
+  res.status(404).json({
     message: `Route ${req.originalUrl} not found`,
     path: req.originalUrl,
     method: req.method,

backend/middleware/validation.js

@@ -150,3 +150,34 @@ export const sanitizeRequest = (req, res, next) => {
   req.params = sanitizeValue(req.params);
   next();
 };
+
+/**
+ * Detect and block common SQL injection patterns in requests
+ */
+export const detectSqlInjection = (req, res, next) => {
+  const sqlInjectionPattern = /(union\s+select|select\s+.*\s+from|from\s+information_schema|or\s+1\s*=\s*1|drop\s+table|update\s+.*\s+set|delete\s+from|insert\s+into|exec\s*\(|;\s*--|--\s*$)/i;
+
+  const detectInObject = (obj) => {
+    if (typeof obj === "string") {
+      return sqlInjectionPattern.test(obj);
+    }
+    if (typeof obj === "object" && obj !== null) {
+      return Object.values(obj).some(detectInObject);
+    }
+    return false;
+  };
+
+  const hasSqlInjection =
+    detectInObject(req.body) ||
+    detectInObject(req.query) ||
+    detectInObject(req.params);
+
+  if (hasSqlInjection) {
+    return res.status(403).json({
+      status: "error",
+      message: "Forbidden: Suspicious input detected",
+    });
+  }
+
+  next();
+};