From 9fab4a8fe712e7ff7a41e5e881d515321555a7eb Mon Sep 17 00:00:00 2001
From: Grzegorz Leoniec
Date: Mon, 7 Jan 2019 17:34:18 +0100
Subject: [PATCH] Fixed injection issues

---
 src/middleware/userMiddleware.js | 49 ++++++++++++++++++++++----------
 src/server.js | 2 +-
 2 files changed, 35 insertions(+), 16 deletions(-)

diff --git a/src/middleware/userMiddleware.js b/src/middleware/userMiddleware.js
index 56bb524c8..5bf0d5af9 100644
--- a/src/middleware/userMiddleware.js
+++ b/src/middleware/userMiddleware.js
@@ -33,12 +33,18 @@ const createOrUpdateLocations = async (userId, locationName, driver) =>{
 const data = res.features[0]
 const session = driver.session()
 await session.run(
- `MERGE (l:Location {id: "${data.id}"}) ` +
- `SET l.name = "${data.text}", ` +
- `l.type = "${data.place_type[0].toLowerCase()}", ` +
- `l.lat = "${data.center[0]}", ` +
- `l.lng = "${data.center[1]}" ` +
- 'RETURN l.id, l.name, l.type, l.lat, l.lng'
+ 'MERGE (l:Location {id: $id}) ' +
+ 'SET l.name = $name, ' +
+ 'l.type = $type, ' +
+ 'l.lat = $lat, ' +
+ 'l.lng = $lng ' +
+ 'RETURN l.id, l.name, l.type, l.lat, l.lng', {
+ id: data.id,
+ name: data.text,
+ type: data.place_type[0].toLowerCase(),
+ lat: data.center[0],
+ lng: data.center[1]
+ }
 )
 let parent = data
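Review bot: `lat: data.center[0]` and `lng: data.center[1]` now reach Neo4j with whatever type the geocoder returns (presumably numbers), whereas the removed template literals always stored them as quoted strings, so any reader that compares `l.lat`/`l.lng` against strings or parses them will see a silent type change; either document the new storage type at this call or coerce explicitly, e.g. `lat: Number(data.center[0]),` and `lng: Number(data.center[1]),`. If `data` is a Mapbox geocoding feature (the `MAPBOX_TOKEN` requirement in server.js suggests it), Mapbox's `center` is ordered longitude-first, which would mean `lat` is being assigned the longitude here — worth confirming against the API before this parameter map becomes the reference shape. `data.place_type[0].toLowerCase()` will also throw on a feature whose `place_type` is empty, which the parameterisation does not change. The body of `createOrUpdateLocations` starts before this hunk and continues after it.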
@@ -47,24 +53,37 @@ const createOrUpdateLocations = async (userId, locationName, driver) =>{
 await asyncForEach(data.context, async ctx => {
 const type = ctx.id.split('.')[0].toLowerCase()
 await session.run(
- `MERGE (l:Location {id: "${ctx.id}"}) ` +
- `SET l.name = "${ctx.text}", ` +
- `l.type = "${type}", ` +
- `l.shortCode = "${ctx.short_code}" ` +
- 'RETURN l.id, l.name, l.type'
+ 'MERGE (l:Location {id: $id}) ' +
+ 'SET l.name = $name, ' +
+ 'l.type = $type, ' +
+ 'l.shortCode = $short_code ' +
+ 'RETURN l.id, l.name, l.type', {
+ id: ctx.id,
+ name: ctx.text,
+ type: type,
+ shortCode: ctx.short_code
+ }
 )
 await session.run(
- `MATCH (parent:Location {id: "${parent.id}"}), (child:Location {id: "${ctx.id}"}) ` +
+ 'MATCH (parent:Location {id: $parentId}), (child:Location {id: $childId}) ' +
 'MERGE (child)<-[:IS_IN]-(parent) ' +
- 'RETURN child.id, parent.id')
+ 'RETURN child.id, parent.id', {
+ parentId: parent.id,
+ childId: ctx.id
+ })
 parent = ctx
 })
 }
 // delete all current locations from user
- await session.run(`MATCH (u:User {id: "${userId}"})-[r:IS_IN]->(l:Location) DETACH DELETE r`)
+ await session.run('MATCH (u:User {id: $userId})-[r:IS_IN]->(l:Location) DETACH DELETE r', {
+ userId: userId
+ })
 // connect user with location
- await session.run(`MATCH (u:User {id: "${userId}"}), (l:Location {id: "${data.id}"}) MERGE (u)-[:IS_IN]->(l) RETURN l.id, u.id`)
+ await session.run('MATCH (u:User {id: $userId}), (l:Location {id: $locationId}) MERGE (u)-[:IS_IN]->(l) RETURN l.id, u.id', {
+ userId: userId,
+ locationId: data.id
+ })
 session.close()
 }
diff --git a/src/server.js b/src/server.js
index eff18f8d0..1ecab800e 100644
--- a/src/server.js
+++ b/src/server.js
@@ -18,7 +18,7 @@ dotenv.config()
 const requiredEnvVars = ['MAPBOX_TOKEN', 'JWT_SECRET']
 requiredEnvVars.forEach(env => {
 if (!process.env[env]) {
- throw new Error(`ERROR: "${env}" env variable is missing`)
+ throw new Error(`ERROR: "${env}" env variable is missing.`)
 }
 })
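Review bot: The first `session.run` in this hunk references `$short_code` in the Cypher text but the parameter object supplies `shortCode`, so Neo4j will reject the statement with a missing-parameter error on every context entry instead of running it; rename one side so they agree, `'l.shortCode = $shortCode ' +`. Separately, `ctx.short_code` is presumably absent on some context entries, and what the driver does with an `undefined` parameter value depends on the driver version (packed as null or rejected), whereas the old template literal stored the literal string "undefined" — confirm the intended behaviour and consider passing `shortCode: ctx.short_code === undefined ? null : ctx.short_code`. `session.close()` is only reached on the success path, so a rejected `session.run` leaves the session open; wrapping the queries in `try { … } finally { session.close() }` would bound that. `createOrUpdateLocations` starts before this hunk.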