fix: Malformed queries should not break the server (#323)

src/controllers/api/classController.js

@@ -14,18 +14,18 @@ export const index = async (req, res, next) => simpleController.index(req, res,
 export const show = async (req, res, next) => simpleController.show(req, res, next);
 
 export const showLevelsForClass = async (req, res, next) => {
-  const searchQueries = {
-    'class.url': '/api/classes/' + req.params.index,
-    $or: [{ subclass: null }],
-  };
-
-  if (req.query.subclass !== undefined) {
-    searchQueries.$or.push({
-      'subclass.url': { $regex: new RegExp(escapeRegExp(req.query.subclass), 'i') },
-    });
-  }
-
   try {
+    const searchQueries = {
+      'class.url': '/api/classes/' + req.params.index,
+      $or: [{ subclass: null }],
+    };
+
+    if (req.query.subclass !== undefined) {
+      searchQueries.$or.push({
+        'subclass.url': { $regex: new RegExp(escapeRegExp(req.query.subclass), 'i') },
+      });
+    }
+
     const data = await Level.find(searchQueries).sort({ level: 'asc' });
     if (data && data.length) {
       return res.status(200).json(data);
@@ -38,13 +38,13 @@ export const showLevelsForClass = async (req, res, next) => {
 };
 
 export const showLevelForClass = async (req, res, next) => {
-  if (!Number.isInteger(parseInt(req.params.level))) {
-    return res.status(404).json({ error: 'Not found' });
-  }
+  try {
+    if (!Number.isInteger(parseInt(req.params.level))) {
+      return res.status(404).json({ error: 'Not found' });
+    }
 
-  const urlString = '/api/classes/' + req.params.index + '/levels/' + req.params.level;
+    const urlString = '/api/classes/' + req.params.index + '/levels/' + req.params.level;
 
-  try {
     const data = await Level.findOne({ url: urlString });
     if (!data) return next();
     return res.status(200).json(data);
@@ -54,9 +54,9 @@ export const showLevelForClass = async (req, res, next) => {
 };
 
 export const showMulticlassingForClass = async (req, res, next) => {
-  const urlString = '/api/classes/' + req.params.index;
-
   try {
+    const urlString = '/api/classes/' + req.params.index;
+
     const data = await Class.findOne({ url: urlString });
     return res.status(200).json(data.multi_classing);
   } catch (err) {
@@ -65,9 +65,9 @@ export const showMulticlassingForClass = async (req, res, next) => {
 };
 
 export const showSubclassesForClass = async (req, res, next) => {
-  const urlString = '/api/classes/' + req.params.index;
-
   try {
+    const urlString = '/api/classes/' + req.params.index;
+
     const data = await Subclass.find({ 'class.url': urlString })
       .select({ index: 1, name: 1, url: 1, _id: 0 })
       .sort({ url: 'asc', level: 'asc' });
@@ -107,9 +107,9 @@ export const showSpellcastingForClass = async (req, res, next) => {
 };
 
 export const showSpellsForClass = async (req, res, next) => {
-  const urlString = '/api/classes/' + req.params.index;
-
   try {
+    const urlString = '/api/classes/' + req.params.index;
+
     const data = await Spell.find({ 'classes.url': urlString })
       .select({ index: 1, name: 1, url: 1, _id: 0 })
       .sort({ level: 'asc', url: 'asc' });
@@ -120,13 +120,13 @@ export const showSpellsForClass = async (req, res, next) => {
 };
 
 export const showSpellsForClassAndLevel = async (req, res, next) => {
-  if (!Number.isInteger(parseInt(req.params.level))) {
-    return res.status(404).json({ error: 'Not found' });
-  }
+  try {
+    if (!Number.isInteger(parseInt(req.params.level))) {
+      return res.status(404).json({ error: 'Not found' });
+    }
 
-  const urlString = '/api/classes/' + req.params.index;
+    const urlString = '/api/classes/' + req.params.index;
 
-  try {
     const data = await Spell.find({
       'classes.url': urlString,
       level: parseInt(req.params.level),
@@ -140,9 +140,9 @@ export const showSpellsForClassAndLevel = async (req, res, next) => {
 };
 
 export const showFeaturesForClass = async (req, res, next) => {
-  const urlString = '/api/classes/' + req.params.index;
-
   try {
+    const urlString = '/api/classes/' + req.params.index;
+
     const data = await Feature.find({
       'class.url': urlString,
     })
@@ -155,13 +155,13 @@ export const showFeaturesForClass = async (req, res, next) => {
 };
 
 export const showFeaturesForClassAndLevel = async (req, res, next) => {
-  if (!Number.isInteger(parseInt(req.params.level))) {
-    return res.status(404).json({ error: 'Not found' });
-  }
+  try {
+    if (!Number.isInteger(parseInt(req.params.level))) {
+      return res.status(404).json({ error: 'Not found' });
+    }
 
-  const urlString = '/api/classes/' + req.params.index;
+    const urlString = '/api/classes/' + req.params.index;
 
-  try {
     const data = await Feature.find({
       'class.url': urlString,
       level: parseInt(req.params.level),
@@ -175,9 +175,9 @@ export const showFeaturesForClassAndLevel = async (req, res, next) => {
 };
 
 export const showProficienciesForClass = async (req, res, next) => {
-  const urlString = '/api/classes/' + req.params.index;
-
   try {
+    const urlString = '/api/classes/' + req.params.index;
+
     const data = await Proficiency.find({ 'classes.url': urlString })
       .select({ index: 1, name: 1, url: 1, _id: 0 })
       .sort({ index: 'asc' });

src/controllers/api/magicItemController.js

@@ -3,32 +3,28 @@ import { ResourceList, escapeRegExp, redisClient } from '../../util/index.js';
 import MagicItem from '../../models/magicItem/index.js';
 
 export const index = async (req, res, next) => {
-  const searchQueries = {};
-  if (req.query.name !== undefined) {
-    searchQueries.name = { $regex: new RegExp(escapeRegExp(req.query.name), 'i') };
-  }
-
-  const redisKey = req.originalUrl;
-  let data;
   try {
+    const searchQueries = {};
+    if (req.query.name !== undefined) {
+      searchQueries.name = { $regex: new RegExp(escapeRegExp(req.query.name), 'i') };
+    }
+
+    const redisKey = req.originalUrl;
+    let data;
     data = await redisClient.get(redisKey);
-  } catch (err) {
-    return;
-  }
 
-  if (data) {
-    res.status(200).json(JSON.parse(data));
-  } else {
-    try {
+    if (data) {
+      res.status(200).json(JSON.parse(data));
+    } else {
       const data = await MagicItem.find(searchQueries)
         .select({ index: 1, name: 1, url: 1, _id: 0 })
         .sort({ index: 'asc' });
       const jsonData = ResourceList(data);
       redisClient.set(redisKey, JSON.stringify(jsonData));
       return res.status(200).json(jsonData);
-    } catch (err) {
-      next(err);
     }
+  } catch (err) {
+    next(err);
   }
 };
 

src/controllers/api/monsterController.js

@@ -3,35 +3,31 @@ import { ResourceList, escapeRegExp, redisClient } from '../../util/index.js';
 import Monster from '../../models/monster/index.js';
 
 export const index = async (req, res, next) => {
-  const searchQueries = {};
-  if (req.query.name !== undefined) {
-    searchQueries.name = { $regex: new RegExp(escapeRegExp(req.query.name), 'i') };
-  }
-  if (req.query.challenge_rating !== undefined) {
-    searchQueries.challenge_rating = { $in: req.query.challenge_rating };
-  }
-
-  const redisKey = req.originalUrl;
-  let data;
   try {
+    const searchQueries = {};
+    if (req.query.name !== undefined) {
+      searchQueries.name = { $regex: new RegExp(escapeRegExp(req.query.name), 'i') };
+    }
+    if (req.query.challenge_rating !== undefined) {
+      searchQueries.challenge_rating = { $in: req.query.challenge_rating };
+    }
+
+    const redisKey = req.originalUrl;
+    let data;
     data = await redisClient.get(redisKey);
-  } catch (err) {
-    return;
-  }
 
-  if (data) {
-    res.status(200).json(JSON.parse(data));
-  } else {
-    try {
+    if (data) {
+      res.status(200).json(JSON.parse(data));
+    } else {
       const data = await Monster.find(searchQueries)
         .select({ index: 1, name: 1, url: 1, _id: 0 })
         .sort({ index: 'asc' });
       const jsonData = ResourceList(data);
       redisClient.set(redisKey, JSON.stringify(jsonData));
       return res.status(200).json(jsonData);
-    } catch (err) {
-      next(err);
     }
+  } catch (err) {
+    next(err);
   }
 };
 

src/controllers/api/raceController.js

@@ -11,9 +11,9 @@ export const index = async (req, res, next) => simpleController.index(req, res,
 export const show = async (req, res, next) => simpleController.show(req, res, next);
 
 export const showSubracesForRace = async (req, res, next) => {
-  const urlString = '/api/races/' + req.params.index;
-
   try {
+    const urlString = '/api/races/' + req.params.index;
+
     const data = await Subrace.find({ 'race.url': urlString }).select({
       index: 1,
       name: 1,
@@ -27,9 +27,9 @@ export const showSubracesForRace = async (req, res, next) => {
 };
 
 export const showTraitsForRace = async (req, res, next) => {
-  const urlString = '/api/races/' + req.params.index;
-
   try {
+    const urlString = '/api/races/' + req.params.index;
+
     const data = await Trait.find({ 'races.url': urlString }).select({
       index: 1,
       name: 1,
@@ -43,9 +43,9 @@ export const showTraitsForRace = async (req, res, next) => {
 };
 
 export const showProficienciesForRace = async (req, res, next) => {
-  const urlString = '/api/races/' + req.params.index;
-
   try {
+    const urlString = '/api/races/' + req.params.index;
+
     const data = await Proficiency.find({ 'races.url': urlString })
       .select({ index: 1, name: 1, url: 1, _id: 0 })
       .sort({ index: 'asc' });

src/controllers/api/ruleController.js

@@ -3,35 +3,30 @@ import { ResourceList, escapeRegExp, redisClient } from '../../util/index.js';
 import Rule from '../../models/rule/index.js';
 
 export const index = async (req, res, next) => {
-  const searchQueries = {};
-  if (req.query.name !== undefined) {
-    searchQueries.name = { $regex: new RegExp(escapeRegExp(req.query.name), 'i') };
-  }
-  if (req.query.desc !== undefined) {
-    searchQueries.desc = { $regex: new RegExp(escapeRegExp(req.query.desc), 'i') };
-  }
-
-  const redisKey = req.originalUrl;
-  let data;
   try {
-    data = await redisClient.get(redisKey);
-  } catch (err) {
-    return;
-  }
+    const searchQueries = {};
+    if (req.query.name !== undefined) {
+      searchQueries.name = { $regex: new RegExp(escapeRegExp(req.query.name), 'i') };
+    }
+    if (req.query.desc !== undefined) {
+      searchQueries.desc = { $regex: new RegExp(escapeRegExp(req.query.desc), 'i') };
+    }
 
-  if (data) {
-    res.status(200).json(JSON.parse(data));
-  } else {
-    try {
+    const redisKey = req.originalUrl;
+    let data;
+    data = await redisClient.get(redisKey);
+    if (data) {
+      res.status(200).json(JSON.parse(data));
+    } else {
       const data = await Rule.find(searchQueries)
         .select({ index: 1, name: 1, url: 1, _id: 0 })
         .sort({ index: 'asc' });
       const jsonData = ResourceList(data);
       redisClient.set(redisKey, JSON.stringify(jsonData));
       return res.status(200).json(jsonData);
-    } catch (err) {
-      next(err);
     }
+  } catch (err) {
+    next(err);
   }
 };
 

src/controllers/api/ruleSectionController.js

@@ -3,35 +3,31 @@ import { ResourceList, escapeRegExp, redisClient } from '../../util/index.js';
 import RuleSection from '../../models/ruleSection/index.js';
 
 export const index = async (req, res, next) => {
-  const searchQueries = {};
-  if (req.query.name !== undefined) {
-    searchQueries.name = { $regex: new RegExp(escapeRegExp(req.query.name), 'i') };
-  }
-  if (req.query.desc !== undefined) {
-    searchQueries.desc = { $regex: new RegExp(escapeRegExp(req.query.desc), 'i') };
-  }
-
-  const redisKey = req.originalUrl;
-  let data;
   try {
+    const searchQueries = {};
+    if (req.query.name !== undefined) {
+      searchQueries.name = { $regex: new RegExp(escapeRegExp(req.query.name), 'i') };
+    }
+    if (req.query.desc !== undefined) {
+      searchQueries.desc = { $regex: new RegExp(escapeRegExp(req.query.desc), 'i') };
+    }
+
+    const redisKey = req.originalUrl;
+    let data;
     data = await redisClient.get(redisKey);
-  } catch (err) {
-    return;
-  }
 
-  if (data) {
-    res.status(200).json(JSON.parse(data));
-  } else {
-    try {
+    if (data) {
+      res.status(200).json(JSON.parse(data));
+    } else {
       const data = await RuleSection.find(searchQueries)
         .select({ index: 1, name: 1, url: 1, _id: 0 })
         .sort({ index: 'asc' });
       const jsonData = ResourceList(data);
       redisClient.set(redisKey, JSON.stringify(jsonData));
       return res.status(200).json(jsonData);
-    } catch (err) {
-      next(err);
     }
+  } catch (err) {
+    next(err);
   }
 };