From 5bd1ef9bcb079695cec8d81004d2cd01461cf40d Mon Sep 17 00:00:00 2001
From: iyanfdezz
Date: Tue, 2 Apr 2024 18:34:00 +0200
Subject: [PATCH] =?UTF-8?q?Arreglano=20defensa=20contra=20inyecci=C3=B3n?=
 =?UTF-8?q?=20de=20c=C3=B3digo?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 users/userservice/user-service.js | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/users/userservice/user-service.js b/users/userservice/user-service.js
index 4a483b8c..03ed8acc 100644
--- a/users/userservice/user-service.js
+++ b/users/userservice/user-service.js
@@ -27,6 +27,13 @@ function validateRequiredFields(req, requiredFields) {
   }
 }
 
+function checkInput(input) {
+  if (typeof input !== 'string') {
+    throw new Error('Input debe ser una cadena de texto');
+  }
+  return input.trim();
+};
+
 app.post('/adduser', async (req, res) => {
   try {
     // Check if required fields are present in the request body
@@ -48,7 +55,8 @@ app.post('/adduser', async (req, res) => {
 
 app.get('/userInfo', async (req, res) => {
   try {
-    const user = await User.findOne({username:req.query.user});
+    const username = checkInput(req.query.user);
+    const user = await User.findOne({username:username});
     res.json(user);
   } catch (error) {
     res.status(400).json({ error: error.message });
@@ -56,8 +64,8 @@ app.get('/userInfo', async (req, res) => {
 
 app.post("/saveGameList", async (req, res) => {
   try {
-    const username = req.body.username;
-    const gamemode = req.body.gameMode;
+    const username = checkInput(req.body.username);
+    const gamemode = checkInput(req.body.gameMode);
     const gameData = req.body.gameData;
     let user = await User.findOne({ username: username });
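Review bot: The closing `};` on the new `checkInput` declaration leaves a stray empty statement after the function body; a function declaration should end with a bare `}`. The function also carries no comment saying what it defends against, which only the commit title hints at, so a short JSDoc would keep the intent from being lost in a later refactor, e.g. `/** Accept only plain string input so that an object (such as a query-operator document) from the request can never reach a Mongoose query; returns the trimmed string. @throws {Error} when input is not a string */`. Note that `trim()` also changes the value later used for the lookup, so a username stored with surrounding whitespace would stop matching; it is worth confirming that the /adduser path applies the same normalisation, since that handler is not fully visible in this hunk.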
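Review bot: In the /userInfo hunk, `{username:username}` mixes styles with the `{ username: username }` form used in /saveGameList; the shorthand `const user = await User.findOne({ username });` reads the same on both lines. A one-line why-comment above the `checkInput` call would also help, e.g. `// Reject non-string query values before they reach the lookup`, since nothing in this handler otherwise explains the extra step. Presumably a missing `user` query parameter now yields a 400 with the generic type message rather than a lookup for `undefined`; if callers relied on the old behaviour, that change of contract deserves a mention in the commit description.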