This is a bug bounty issue for a missing input validation and length limit on a search query endpoint in a Node.js API. The task is to implement trimming, length limiting (e.g., 200 characters), and sanitization for the `req.query.q` parameter before it is passed to the search service. This is a straightforward fix for a known vulnerability.
A starter prompt for Claude Code, what you'll need, and how to reach them.
You are an expert Node.js and security developer. The task is to fix a bug bounty issue in the `SecureBananaLabs/bug-bounty` repository. The `GET /api/search` endpoint passes `req.query.q` directly to the search service without validation. Implement input validation for the `req.query.q` parameter in `apps/api/src/controllers/searchController.js`. Specifically, you need to:

1. Trim whitespace from the `req.query.q` string.
2. Limit its length to a maximum of 200 characters.
3. Sanitize the string to prevent common injection attacks (e.g., using `dompurify` or a similar library, or basic regex for alphanumeric and safe symbols).

Use a simple, robust sanitization approach suitable for a search query. The existing code is `export async function search(req, res) { return ok(res, await globalSearch(req.query.q ?? "")); }`. Fork the repository, create a new branch, apply the changes, add relevant unit tests to verify the trimming, length limit, and sanitization, and prepare a pull request. Assume the project uses standard Node.js/Express conventions. Focus on a clear, concise, and secure implementation. Define the `ok` helper as a simple `res.status(200).json({ success: true, results: data });` for local testing if not defined.

This project is a good fit for developers interested in secure coding practices. The operator could highlight how 'forge-kit' or 'repo-gardener' could help maintain code quality and security by automating checks for such issues, appealing to teams or solo operators working on similar web services.
Bounty (amount on the issue).

## Bug: Missing Input Validation on Search Query

**Description:** The `GET /api/search` endpoint passes `req.query.q` directly to the search service without any validation or length limits. An attacker could send extremely long query strings to consume server resources.

**File:** `apps/api/src/controllers/searchController.js`

**Current code:**

```js
export async function search(req, res) {
  return ok(res, await globalSearch(req.query.q ?? ""));
}
```

**Expected behavior:** The search query should be validated — trimmed, limited in length (e.g., 200 chars), and sanitized.

**Impact:** Low-Medium — potential DoS via overly long query strings.

This issue is limited only to the creator of this issue. This means that only the issue author can attempt to solve this issue. If you would like to work on it, please create another issue with the same contents and refer to issue #743 for more information.
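One way the fix described in the issue could look, as an added example that is not the repository's code: the controller trims, caps at 200 characters and applies an allowlist before anything reaches the search service. `normalizeSearchQuery`, `DISALLOWED_CHARS`, `fakeRes` and the echoing `globalSearch` stand-in are assumptions for this example; `ok` is defined as the starter prompt suggests.

```javascript
// Added example, not the repository's code: hardened version of the `search`
// controller from the issue. `normalizeSearchQuery`, `DISALLOWED_CHARS`,
// `globalSearch` (stand-in) and `fakeRes` are assumptions for this example.
const MAX_QUERY_LENGTH = 200;

// Allowlist of characters reasonable in a search string: letters and digits
// in any script, whitespace, and a few punctuation marks. Anything else
// (control characters, angle brackets, semicolons, backslashes, ...) is
// replaced by a space rather than passed on to the search service.
const DISALLOWED_CHARS = /[^\p{L}\p{N}\s.,'"@#&:_+-]/gu;

function normalizeSearchQuery(raw) {
  // Express's query parser turns `?q=a&q=b` into an array and `?q[x]=1`
  // into an object; only a plain string is accepted, anything else is empty.
  if (typeof raw !== 'string') return '';
  // 1. Trim, 2. cap length (counted in code points so a character outside
  // the BMP is never cut in half), 3. sanitize, then tidy the whitespace.
  const capped = Array.from(raw.trim()).slice(0, MAX_QUERY_LENGTH).join('');
  return capped.replace(DISALLOWED_CHARS, ' ').replace(/\s+/g, ' ').trim();
}

// `ok` helper as the starter prompt defines it for local testing.
function ok(res, data) {
  return res.status(200).json({ success: true, results: data });
}

// Stand-in for the project's search service: echoes the query it received.
async function globalSearch(q) {
  return { query: q, hits: [] };
}

async function search(req, res) {
  const q = normalizeSearchQuery(req.query.q ?? '');
  return ok(res, await globalSearch(q));
}

// Minimal Express-like response object so the controller runs without a server.
function fakeRes() {
  const res = { code: null, body: null };
  res.status = (c) => { res.code = c; return res; };
  res.json = (b) => { res.body = b; return res; };
  return res;
}
```

Truncating rather than rejecting over-long input keeps the endpoint usable; if the project prefers a 400 response for queries over the cap, check `raw.trim().length` before slicing.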
Standard for any GitHub-based project.
Standard for JavaScript/TypeScript projects.
Review best practices for sanitizing user input in Node.js/Express, ~1-2 hours.
Create a pull request directly on the SecureBananaLabs/bug-bounty repository, referencing issues #1777 and #743.
“I've implemented a robust fix for the search endpoint input validation issue (#1777), including trimming, length limiting, and sanitization. You can review the changes and associated tests in this PR. I'm confident this addresses the vulnerability as described.”