npm - bulltrackers-module - Versions diffs - 1.0.623 → 1.0.624 - Mend

bulltrackers-module 1.0.623 → 1.0.624

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/functions/api-v2/helpers/data-fetchers/firestore.js +5 -1
package/functions/api-v2/index.js +3 -1
package/package.json +1 -1

package/functions/api-v2/helpers/data-fetchers/firestore.js CHANGED Viewed

@@ -80,6 +80,10 @@ const latestUserCentricSnapshot = async (firestore, userId, collectionName, data
 const pageCollection = async (firestore, dateStr, computationName, userId, lookbackDays = 7) => {
     try {
+        // Sanitize user inputs
+        const sanitizedUserId = sanitizeCid(userId);
+        const sanitizedComputationName = sanitizeDocId(computationName);
         const endDate = new Date(dateStr);
         const startDate = new Date(endDate);
         startDate.setDate(endDate.getDate() - lookbackDays);
@@ -88,7 +92,7 @@ const pageCollection = async (firestore, dateStr, computationName, userId, lookb
             const dateKey = d.toISOString().split('T')[0];
             const docRef = firestore.collection('unified_insights').doc(dateKey)
                 .collection('results').doc('popular-investor')
-                .collection('computations').doc(computationName)
+                .collection('computations').doc(sanitizedComputationName)
                 .collection('pages').doc(sanitizedUserId);
             const docSnapshot = await docRef.get();
             if (docSnapshot.exists) {

package/functions/api-v2/index.js CHANGED Viewed

@@ -29,8 +29,10 @@ function createApiV2App(config, dependencies) {
     const { logger } = dependencies;
     // Trust proxy - Required when behind a load balancer/proxy (e.g., Google Cloud Functions)
+    // Trust only the first proxy (the load balancer) to prevent IP spoofing
     // This allows express-rate-limit to correctly identify client IPs from X-Forwarded-For headers
-    app.set('trust proxy', true);
+    // Setting to 1 means we trust only the first proxy, not all proxies (which would be insecure)
+    app.set('trust proxy', 1);
     // CORS Configuration - Restrict to specific origins
     app.use(cors({

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "bulltrackers-module",
-  "version": "1.0.623",
+  "version": "1.0.624",
   "description": "Helper Functions for Bulltrackers.",
   "main": "index.js",
   "files": [