From ed5279c7c94fd2955c03b6699a4dfdcdab6aa8dc Mon Sep 17 00:00:00 2001
From: Ben <36240171+benkyd@users.noreply.github.com>
Date: Fri, 15 Apr 2022 23:43:44 +0100
Subject: [PATCH] oops that was an injection vector!

Former-commit-id: c0aeda6e6f83c840a4a432c942de9d88aafc8a22
---
 src/controllers/controller-master.js | 5 +++++
 src/routes/query-router.js | 16 +++++++++++++---
 2 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/src/controllers/controller-master.js b/src/controllers/controller-master.js
index df6ecc0..f2b4e02 100644
--- a/src/controllers/controller-master.js
+++ b/src/controllers/controller-master.js
@@ -50,7 +50,12 @@ function LevenshteinDistance(s, t) {
   return d[n][m];
 }
 
+function SanatiseQuery(query) {
+  return query.replace(/[^a-zA-Z0-9 ]/g, '').toLowerCase();
+}
+
 module.exports = {
+  SanatiseQuery,
   LevenshteinDistance,
   ResultsPerPage: 16,
 };
diff --git a/src/routes/query-router.js b/src/routes/query-router.js
index d671233..2d4ed13 100644
--- a/src/routes/query-router.js
+++ b/src/routes/query-router.js
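Review bot: `SanatiseQuery` assumes `query` is a string, so a request with no `q` parameter (undefined) or a repeated `q` (which some query-string parsers deliver as an array) throws a TypeError on `.replace` instead of returning an empty result; the same exposure exists at the call site in `Search` in query-router.js, where the guard runs only after this call. Add a type check at the top, `if (typeof query !== 'string') return '';`, so the `trim() === ''` check downstream handles both cases. The regex is an allow-list that also silently drops legitimate characters (hyphens, apostrophes, non-ASCII letters), and it cannot stand in for parameterised queries in `BrickController.Search` / `SetController.Search`, which this patch does not touch; a header comment along the lines of `// Allow-list filter for search input: defence in depth, not a substitute for parameterised queries in the controllers` would record that intent for the next maintainer.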
@@ -5,14 +5,24 @@ const SetController = require('../controllers/set-controller.js');
 
 async function Search(req, res) {
   const q = req.query.q;
+  // sanatise query
+  const sanatisedQuery = ControllerMaster.SanatiseQuery(q);
+  if (sanatisedQuery.trim() === '') {
+    res.send(JSON.stringify({
+      error: 'Invalid query',
+      long: 'The query you have entered is invalid',
+    }));
+    return;
+  }
+
   const pageRequested = req.query.page || 1;
   const perPage = req.query.per_page || 16;
   // TODO: it is tricky to do a database offset / limit here
   // due to the fact that we have to combine the results of
   // the two queries, look into me (maybe merging the queries)
-  const brickResults = await BrickController.Search(q);
-  const setResults = await SetController.Search(q);
+  const brickResults = await BrickController.Search(sanatisedQuery);
+  const setResults = await SetController.Search(sanatisedQuery);
 
   if (brickResults.error && setResults.error) {
     return res.send(JSON.stringify({
@@ -55,7 +65,7 @@ async function Search(req, res) {
     }));
   }
 
-  // organise into the most relevant 10 results
+  // organise into the most relevant n results
   const results = [...brickResults, ...setResults];
   results.sort((a, b) => {
     const aName = a.name.toLowerCase();
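Review bot: The new 'Invalid query' rejection in `Search` is sent with the default 200 status, so clients, access logs and any monitoring on the route cannot distinguish a rejected query from a successful empty search. Use `res.status(400).send(JSON.stringify({` for that early return, keeping the existing `JSON.stringify` style of the surrounding code. The sanitised string is also what is passed to the controllers, so the query the user typed is no longer available for logging when a search fails; if that matters for debugging, keep `q` in the error path alongside `sanatisedQuery`. The body of `Search` continues past the end of this hunk.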