chore: update express to version 5.1.0 in package.json

[SOURAV-ROY]

chore: update express to version 5.1.0 in package.json

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
bootcamps	Ready	Preview	Comment	Aug 29, 2025 11:31am

The best way to fix this issue is to sanitize the file extension before using it to construct the final file path. Specifically:

• Only allow a predefined set of safe image extensions (.jpg, .jpeg, .png, .gif, etc.).
• Avoid using arbitrary extensions extracted from user input.
• Alternatively, use a sanitization library or match against a whitelist regular expression and, in case of an invalid extension, reject the upload or default to .jpg.

Change needed:

• In controllers/bootcampsController.js, at line 228, modify how the extension is determined. Instead of blindly using path.parse(file.name).ext, validate or sanitize it.
• Add a helper function (in this file) to check the extension, or implement inline validation.
• If not present, declare the allowed extensions array/set.
• The .mv function or path construction must use only the sanitized/validated extension.

No external libraries are strictly needed; this can be done with built-in string manipulation and regular expressions, but you may optionally use a small, well-known package (sanitize-filename) if shown in the accepted usage above.

To fix this problem, we should sanitize and restrict the user input that is incorporated into the database update. Specifically, the file extension should be explicitly validated to ensure it is a safe, expected image extension (such as .jpg, .jpeg, .png, .gif, etc.). Rather than using path.parse(file.name).ext directly, extract the extension, normalize it, and check if it is in an allowed set. If not, reject the upload.

How to fix:

• Before assigning to file.name, extract the original file extension, normalize it (lowercase), check against an allowed list (.jpg, .jpeg, .png, .gif, etc).
• If the extension is not in the allowed list, return an error response.
• Only if valid, construct file.name as before.
• This validation must be performed before the filename is persisted to the DB and before the file is written to disk.
• No external library is required—use Node's built-in path module.

Where to change:

• In controllers/bootcampsController.js, inside the bootcampPhotoUpload method, between lines 211 and 228.

Requirements:

• Implement extension extraction and validation.
• Return an error if the extension is not allowed.

---

To fix this problem, we must ensure that user-supplied input is NOT used directly as the update object for findByIdAndUpdate.
The best approach is to flatten the user update so that all properties are applied as literal values, and NEVER allow operators like $set, $where, etc. The safest and most common pattern for "accepting any field updates" is to wrap the user-supplied fields in a $set, but that too can be dangerous if the user is allowed to set e.g. array fields or subdocuments inappropriately.
However, for completeness and general security, we should:

1. Only allow a whitelist of field names to be updated (e.g., the set of fields you want users to be able to change—commonly title, description, etc.), and block any unexpected or system fields.
2. Apply those fields using $set.
3. If you can't or don't want to maintain a whitelist, then ensure that the update document only sets plain values, and does not allow dangerous update operators to be present at the top-level or in nested objects.

In this case, the best quick fix is to wrap updates in a $set, i.e., { $set: body }. Optionally, you can filter body to only the allowed fields.

Modifications to make:

• Change line 97 from { ...body } to { $set: body }.
• Optionally, you may want to restrict body to a set of known properties before assigning it to ensure users can't change protected or non-editable fields. (But as per instructions, we must not change overall functionality.)

No imports or new dependencies are needed.

---