[Security Fix] SAST: NoSQL/server-side JS injection via $where with unsanitized threshold query ...

app/data/allocations-dao.js

@@ -60,23 +60,19 @@ const AllocationsDAO = function(db){
         const searchCriteria = () => {
 
             if (threshold) {
-                /*
-                // Fix for A1 - 2 NoSQL Injection - escape the threshold parameter properly
-                // Fix this NoSQL Injection which doesn't sanitze the input parameter 'threshold' and allows attackers
-                // to inject arbitrary javascript code into the NoSQL query:
-                // 1. 0';while(true){}'
-                // 2. 1'; return 1 == '1
-                // Also implement fix in allocations.html for UX.                             
+                // Fix for A1 - 2 NoSQL Injection - validate and coerce the threshold to a
+                // safe integer before using it in the query. Avoid using $where with
+                // unsanitized user input, which would allow server-side JS injection
+                // (e.g. "0';while(true){}'" or "1'; return 1 == '1").
                 const parsedThreshold = parseInt(threshold, 10);
-
-                if (parsedThreshold >= 0 && parsedThreshold <= 99) {
-                    return {$where: `this.userId == ${parsedUserId} && this.stocks > ${parsedThreshold}`};
+
+                if (Number.isInteger(parsedThreshold) && parsedThreshold >= 0 && parsedThreshold <= 99) {
+                    return {
+                        userId: parsedUserId,
+                        stocks: { $gt: parsedThreshold }
+                    };
                 }
-                throw `The user supplied threshold: ${parsedThreshold} was not valid.`;
-                */
-                return {
-                    $where: `this.userId == ${parsedUserId} && this.stocks > '${threshold}'`
-                };
+                throw `The user supplied threshold: ${threshold} was not valid.`;
             }
             return {
                 userId: parsedUserId