Initial commit: Open sourcing all of the Maple Open Technologies code.

2025-12-02 14:33:08 -05:00 · 2025-12-02 14:33:08 -05:00 · 755d54a99d
commit 755d54a99d
2010 changed files with 448675 additions and 0 deletions
--- a/cloud/maplepress-backend/pkg/validation/helpers.go
+++ b/cloud/maplepress-backend/pkg/validation/helpers.go
@ -0,0 +1,120 @@
+package validation
+
+import (
+	"fmt"
+	"net/http"
+	"strconv"
+)
+
+// ValidatePathUUID validates a UUID path parameter
+// CWE-20: Improper Input Validation
+func ValidatePathUUID(r *http.Request, paramName string) (string, error) {
+	value := r.PathValue(paramName)
+	if value == "" {
+		return "", fmt.Errorf("%s is required", paramName)
+	}
+
+	validator := NewValidator()
+	if err := validator.ValidateUUID(value, paramName); err != nil {
+		return "", err
+	}
+
+	return value, nil
+}
+
+// ValidatePathSlug validates a slug path parameter
+// CWE-20: Improper Input Validation
+func ValidatePathSlug(r *http.Request, paramName string) (string, error) {
+	value := r.PathValue(paramName)
+	if value == "" {
+		return "", fmt.Errorf("%s is required", paramName)
+	}
+
+	validator := NewValidator()
+	if err := validator.ValidateSlug(value, paramName); err != nil {
+		return "", err
+	}
+
+	return value, nil
+}
+
+// ValidatePathInt validates an integer path parameter
+// CWE-20: Improper Input Validation
+func ValidatePathInt(r *http.Request, paramName string) (int64, error) {
+	valueStr := r.PathValue(paramName)
+	if valueStr == "" {
+		return 0, fmt.Errorf("%s is required", paramName)
+	}
+
+	value, err := strconv.ParseInt(valueStr, 10, 64)
+	if err != nil {
+		return 0, fmt.Errorf("%s must be a valid integer", paramName)
+	}
+
+	if value <= 0 {
+		return 0, fmt.Errorf("%s must be greater than 0", paramName)
+	}
+
+	return value, nil
+}
+
+// ValidatePagination validates pagination query parameters
+// Returns limit and offset with defaults and bounds checking
+func ValidatePagination(r *http.Request, defaultLimit int) (limit int, offset int, err error) {
+	limit = defaultLimit
+	offset = 0
+
+	// Validate limit
+	if limitStr := r.URL.Query().Get("limit"); limitStr != "" {
+		parsedLimit, err := strconv.Atoi(limitStr)
+		if err != nil || parsedLimit <= 0 || parsedLimit > 100 {
+			return 0, 0, fmt.Errorf("limit must be between 1 and 100")
+		}
+		limit = parsedLimit
+	}
+
+	// Validate offset
+	if offsetStr := r.URL.Query().Get("offset"); offsetStr != "" {
+		parsedOffset, err := strconv.Atoi(offsetStr)
+		if err != nil || parsedOffset < 0 {
+			return 0, 0, fmt.Errorf("offset must be >= 0")
+		}
+		offset = parsedOffset
+	}
+
+	return limit, offset, nil
+}
+
+// ValidateSortField validates sort field against whitelist
+// CWE-89: SQL Injection prevention via whitelist
+func ValidateSortField(r *http.Request, allowedFields []string) (string, error) {
+	sortBy := r.URL.Query().Get("sort_by")
+	if sortBy == "" {
+		return "", nil // Optional field
+	}
+
+	for _, allowed := range allowedFields {
+		if sortBy == allowed {
+			return sortBy, nil
+		}
+	}
+
+	return "", fmt.Errorf("invalid sort_by field (allowed: %v)", allowedFields)
+}
+
+// ValidateQueryEmail validates an email query parameter
+// CWE-20: Improper Input Validation
+func ValidateQueryEmail(r *http.Request, paramName string) (string, error) {
+	email := r.URL.Query().Get(paramName)
+	if email == "" {
+		return "", fmt.Errorf("%s is required", paramName)
+	}
+
+	emailValidator := NewEmailValidator()
+	normalizedEmail, err := emailValidator.ValidateAndNormalize(email, paramName)
+	if err != nil {
+		return "", err
+	}
+
+	return normalizedEmail, nil
+}