
prevent path traversal and enable global input validation#710

Open
hitakshiA wants to merge 1 commit into tekdi:main from hitakshiA:fix/path-traversal-and-validation-pipe

Conversation

@hitakshiA hitakshiA commented Mar 31, 2026

Two security fixes addressing OWASP A01 (Broken Access Control) and A04 (Insecure Design).

What changed

  • src/app.controller.ts : sanitize fileName param with path.basename() to prevent path traversal attacks (e.g. ../../etc/passwd)
  • src/main.ts : enable the commented-out global ValidationPipe to enforce DTO validation on all endpoints (whitelist, forbidNonWhitelisted, transform)

No new dependencies. Build passes clean.

Summary by CodeRabbit

Release Notes

  • Bug Fixes

    • Improved file upload security by validating file names to prevent invalid or suspicious file access.
  • New Features

    • Enabled global request validation across the application to enforce data integrity, reject invalid fields, and automatically transform incoming data.

coderabbitai bot commented Mar 31, 2026

Walkthrough

The pull request adds two security-focused enhancements: path traversal attack prevention in the file upload endpoint via filename sanitization with path.basename(), and global request validation enforcement across the application using NestJS's ValidationPipe with whitelisting and transformation enabled.

Changes

  • File Upload Security (src/app.controller.ts): Added path traversal protection by sanitizing fileName with path.basename(), validating that the sanitized value matches the original, and throwing BadRequestException if they differ. Updated res.sendFile() to use the sanitized filename.
  • Global Request Validation (src/main.ts): Enabled global ValidationPipe with configuration for property whitelisting (whitelist: true), rejection of non-whitelisted fields (forbidNonWhitelisted: true), and automatic transformation of incoming data (transform: true).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The pull request title accurately and concisely summarizes both main changes: path traversal prevention and global input validation enablement.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@coderabbitai coderabbitai bot left a comment

🧹 Nitpick comments (1)
src/app.controller.ts (1)

32-36: Effective path traversal mitigation.

Using path.basename() to strip directory components and comparing against the original input is a solid defense-in-depth approach against path traversal attacks like ../../etc/passwd.

Minor consideration: inputs like "." or ".." would pass the check since path.basename("..") returns "..". While Express's sendFile with the root option provides additional protection, you could add explicit rejection for these edge cases:

Optional hardening for edge cases
 const sanitizedFileName = path.basename(fileName);
-if (sanitizedFileName !== fileName) {
+if (sanitizedFileName !== fileName || sanitizedFileName === '.' || sanitizedFileName === '..') {
   throw new BadRequestException("Invalid file name");
 }
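Review bot: the suggested condition still lets an empty fileName through. path.basename("") returns "", which equals the input, so the `sanitizedFileName !== fileName` test passes and neither of the two new `=== '.'` / `=== '..'` comparisons catches it; the agent prompt below calls rejecting the empty string "optional", but the diff does not do it. Extend the same `if` with `|| sanitizedFileName === ''` so that res.sendFile (called with root "./uploads" per the surrounding code) is never reached with an empty name.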
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@src/app.controller.ts` around lines 32 - 36, The current check using
path.basename(fileName) == fileName allows edge inputs like "." or ".." to pass;
update the validation around sanitizedFileName and fileName (used in sendFile
with root "./uploads") to explicitly reject "." and ".." (and optionally any
empty string) before calling res.sendFile; modify the block that throws
BadRequestException to also throw for these edge values so sendFile is never
called with them.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: da10207d-71a9-4aa7-a145-bd242a62ff61

📥 Commits

Reviewing files that changed from the base of the PR and between 978b447 and fabdd5f.

📒 Files selected for processing (2)
  • src/app.controller.ts
  • src/main.ts
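The PR description's basename check and the review comment's "." / ".." edge case, worked through as an added example (this is not the PR's own code, nor the project's). It assumes the same "./uploads" root the review comment mentions, replaces NestJS's BadRequestException with a local error class so it runs without the framework, and adds two hardenings that are this example's own choice rather than anything in the PR: an empty name is refused, and backslash or NUL bytes are refused before basename() runs. A second, independent containment check on the resolved path is also added as defense in depth. The sample inputs at the bottom are constructed for the example.

```typescript
import * as path from "path";

// Directory the upload endpoint serves from. The PR passes "./uploads" as the
// root option of res.sendFile; resolving it once here is this example's choice.
export const UPLOAD_ROOT: string = path.resolve("./uploads");

/** Stand-in for NestJS's BadRequestException so the example runs without the framework. */
export class InvalidFileName extends Error {
  constructor(message = "Invalid file name") {
    super(message);
    this.name = "InvalidFileName";
  }
}

/**
 * Accept a bare file name or throw.
 *  - basename(x) !== x rejects anything with a directory component
 *    ("../../etc/passwd", "/etc/passwd", "sub/a.txt", "a/").
 *  - "." and ".." survive basename() unchanged, so they need the explicit
 *    check from the review comment.
 *  - "" also survives basename() unchanged, so it is rejected as well.
 *  - Backslash and NUL are rejected outright (this example's own hardening):
 *    path.posix treats "\" as an ordinary character, so basename() alone
 *    would accept "..\\..\\etc\\passwd" when the server runs on Linux.
 */
export function sanitizeFileName(fileName: unknown): string {
  if (typeof fileName !== "string" || fileName === "") {
    throw new InvalidFileName();
  }
  if (/[\\\0]/.test(fileName)) {
    throw new InvalidFileName();
  }
  const sanitized = path.basename(fileName);
  if (sanitized !== fileName || sanitized === "." || sanitized === "..") {
    throw new InvalidFileName();
  }
  return sanitized;
}

/**
 * Independent second check: the path handed to the file-serving layer must
 * resolve to a strict descendant of UPLOAD_ROOT. Redundant with the name
 * check above by design; it is what a bug in that check would run into.
 */
export function resolveUnderRoot(fileName: unknown): string {
  const safeName = sanitizeFileName(fileName);
  const fullPath = path.resolve(UPLOAD_ROOT, safeName);
  const rel = path.relative(UPLOAD_ROOT, fullPath);
  if (rel === "" || rel === ".." || rel.startsWith(`..${path.sep}`) || path.isAbsolute(rel)) {
    throw new InvalidFileName();
  }
  return fullPath;
}

/** True if the name would reach the file-serving call, false if it is rejected. */
export function isAccepted(fileName: unknown): boolean {
  try {
    resolveUnderRoot(fileName);
    return true;
  } catch (err) {
    if (err instanceof InvalidFileName) return false;
    throw err;
  }
}

// Constructed sample inputs (not taken from the PR), paired with the expected verdict.
export const SAMPLE_INPUTS: Array<[string, boolean]> = [
  ["report.pdf", true],
  ["..hidden.txt", true],          // leading dots alone are not traversal
  ["../../etc/passwd", false],     // the PR description's own example
  ["/etc/passwd", false],
  ["uploads/report.pdf", false],   // any directory component is refused
  ["report.pdf/", false],          // basename strips the trailing slash, so it differs
  [".", false],                    // the review comment's edge cases
  ["..", false],
  ["", false],                     // passes the plain basename comparison, refused here
  ["..\\..\\etc\\passwd", false],  // backslash form, refused by the extra byte check
  ["report\0.pdf", false],
];

/** Run every sample; returns [input, expected verdict, actual verdict]. */
export function runSamples(): Array<[string, boolean, boolean]> {
  return SAMPLE_INPUTS.map(([name, expected]) => [name, expected, isAccepted(name)]);
}
```

The first check is the one the PR ships (plus the review comment's additions); the second, resolveUnderRoot, catches a name that somehow slipped through the first, so a single mistake in either does not by itself expose files outside the root.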
