From 455386de9fb6ec53b957f5ba62216f29e13eb5c1 Mon Sep 17 00:00:00 2001
From: Dhara Pandya
Date: Wed, 4 Mar 2026 10:49:06 +0530
Subject: [PATCH 1/2] fix: enforce catalog integrity for order item creation

---
 backend/db.js | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/backend/db.js b/backend/db.js
index 34e5835..dcf61dc 100644
--- a/backend/db.js
+++ b/backend/db.js
@@ -242,6 +242,9 @@ export const database = {
 createOrder({ spotId, userId, items }) {
 const parsedItems = items.map((item) => {
+ if ('name' in item || 'unitPrice' in item || 'total' in item) {
+ throw new Error('Do not provide name, unitPrice, or total. These are derived from catalog. ')
+ }
 const quantity = Number(item.quantity || 0);
 if (!item.productId || !Number.isInteger(quantity) || quantity <= 0) {
 throw new Error('Each order item must include productId and a positive integer quantity');

From ba3d53bda2b378c36bbb74f78b8beb0ca3300e58 Mon Sep 17 00:00:00 2001
From: Dhara Pandya
Date: Wed, 8 Apr 2026 23:43:23 +0530
Subject: [PATCH 2/2] fix: add type guard and safe property checks for parsedItems validation

---
 backend/db.js | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/backend/db.js b/backend/db.js
index dcf61dc..fedadde 100644
--- a/backend/db.js
+++ b/backend/db.js
@@ -242,7 +242,21 @@ export const database = {
 createOrder({ spotId, userId, items }) {
 const parsedItems = items.map((item) => {
- if ('name' in item || 'unitPrice' in item || 'total' in item) {
+ if (
+ !item ||
+ typeof item!== 'object' ||
+ Array.isArray(item)
+ )
+ {
+ throw new Error('Invalid item format');
+ }
+ if(
+ //if item has it's own property
+ Object.prototype.hasOwnProperty.call(item, 'name') ||
+ Object.prototype.hasOwnProperty.call(item, 'unitPrice') ||
+ Object.prototype.hasOwnProperty.call(item, 'total')
+ )
+ {
 throw new Error('Do not provide name, unitPrice, or total. These are derived from catalog. ')
 }
 const quantity = Number(item.quantity || 0);
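Review bot: The new per-item type guard in the second patch still lets a non-array `items` reach `items.map` on the context line just above it, where a string or object payload fails with a generic TypeError rather than the validation errors this hunk introduces; unless the caller already validates the container (not visible here), add `if (!Array.isArray(items)) throw new Error('items must be an array');` before the map. The deny-list rejects only the three named derived fields, so any other client-supplied field is still accepted silently — an allow-list of `productId` and `quantity` would not need updating each time another field becomes catalog-derived, and is worth considering. The new lines also diverge from the surrounding style (`typeof item!== 'object'`, `if(`, braces on their own lines), the `Object.prototype.hasOwnProperty.call` chain could read `Object.hasOwn(item, 'name')` if the target runtime supports it, and the catalog error message carried over from the first patch keeps a trailing space and no terminating semicolon. The enclosing createOrder body continues past the hunk.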