From 554730085fd3eaa76b82f7e0b3fca4ac812c6f69 Mon Sep 17 00:00:00 2001
From: aarjav812
Date: Tue, 28 Oct 2025 01:12:25 +0530
Subject: [PATCH] fix: add input validation middleware to ATS score endpoint

- Add validateATSScore middleware with length and type checks
- Apply validation to /api/ats-score endpoint
- Remove manual validation in favor of middleware consistency
- Prevent DoS attacks via oversized input to TF-IDF calculation
- Ensure input sanitization for resumeText and jobDescription
---
 backend/app.js | 15 ++-------------
 backend/middleware/validation.js | 19 +++++++++++++++++++
 2 files changed, 21 insertions(+), 13 deletions(-)

diff --git a/backend/app.js b/backend/app.js
index c27e417..8dd7875 100644
--- a/backend/app.js
+++ b/backend/app.js
@@ -10,7 +10,7 @@ import { GoogleGenerativeAI } from "@google/generative-ai";
 import { calculateATSScore } from "./utils/atsScoring.js";
 
 // Import middleware
-import { validateCompile, validateOptimize } from "./middleware/validation.js";
+import { validateCompile, validateOptimize, validateATSScore } from "./middleware/validation.js";
 import {
 compileRateLimiter,
 optimizeRateLimiter,
@@ -160,23 +160,12 @@ ${resumeLatex}
 app.post(
 "/api/ats-score",
 generalRateLimiter,
+ validateATSScore,
 asyncHandler(async (req, res) => {
 try {
 console.log("Received ATS score request:", req.body);
 const { resumeText, jobDescription } = req.body;
 
- if (!resumeText || !jobDescription) {
- console.error("Missing required fields:", {
- hasResumeText: !!resumeText,
- hasJobDescription: !!jobDescription,
- });
- return res.status(400).json({
- success: false,
- message:
- "Both resume text and job description are required",
- });
- }
-
 console.log("Calculating ATS score...");
 const result = calculateATSScore(resumeText, jobDescription);
 console.log("ATS score result:", result);
diff --git a/backend/middleware/validation.js b/backend/middleware/validation.js
index 866c82b..7f78a61 100644
--- a/backend/middleware/validation.js
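Review bot: `console.log("Received ATS score request:", req.body);` on the context line just above the new destructuring still writes the whole request body to the log, and with validateATSScore in place that body may legitimately carry up to 50,000 characters of resume text and 10,000 of job description, so every accepted request puts personal data and tens of kilobytes into the logs. Since the middleware now guarantees both fields are strings, log sizes instead, e.g. `console.log("Received ATS score request:", { resumeTextLength: resumeText.length, jobDescriptionLength: jobDescription.length });` placed after the `const { resumeText, jobDescription } = req.body;` line. Putting generalRateLimiter before validateATSScore is the right order, since rejected requests then still count against the limiter. The asyncHandler callback and the `try` it opens continue past the end of the hunk. The import hunk above needs nothing further.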
+++ b/backend/middleware/validation.js
@@ -71,3 +71,22 @@ export const validateOptimize = [
 handleValidationErrors
 ];
+
+/**
+ * Validation rules for /api/ats-score endpoint
+ */
+export const validateATSScore = [
+ body('resumeText')
+ .exists().withMessage('Resume text is required')
+ .isString().withMessage('Resume text must be a string')
+ .notEmpty().withMessage('Resume text cannot be empty')
+ .isLength({ min: 1, max: 50000 }).withMessage('Resume text must be between 1 and 50000 characters'),
+
+ body('jobDescription')
+ .exists().withMessage('Job description is required')
+ .isString().withMessage('Job description must be a string')
+ .notEmpty().withMessage('Job description cannot be empty')
+ .isLength({ min: 10, max: 10000 }).withMessage('Job description must be between 10 and 10000 characters'),
+
+ handleValidationErrors
+];
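Review bot: `.notEmpty()` in both new chains runs without `{ ignore_whitespace: true }` and no `.trim()` sanitizer precedes it, so a resumeText made of nothing but whitespace up to the 50,000-character cap (or a jobDescription of ten newlines) passes validation and still reaches calculateATSScore, which is the oversized-but-meaningless input the commit message says it wants to keep out. Inserting the sanitizer after the type check, e.g. `.isString().withMessage('Resume text must be a string').bail().trim().notEmpty().withMessage('Resume text cannot be empty')`, closes that gap and also stops the later validators from reporting on a non-string value; the jobDescription chain needs the same change. The `min: 1` in the resumeText `isLength` duplicates `notEmpty()`, while jobDescription uses `min: 10`; if the asymmetry is intentional a one-line comment saying why would help the next reader. These caps bound what reaches the TF-IDF step but not what the body parser reads off the wire, which depends on the `express.json` limit configured elsewhere in app.js and is not shown in this diff. `body` and `handleValidationErrors` are presumably in scope from earlier in validation.js, outside the hunk.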