Merge pull request #4 from JPL-Devin/devin/1775595279-blocker-fixes-e2e-tests

fix: BLOCKER fixes + E2E & unit tests for security, correctness, and code quality

Author: tariqksoliman

API/Backend/Geodatasets/routes/geodatasets.js

@@ -205,14 +205,14 @@ function get(reqtype, req, res, next) {
             t += [
               `((`,
                 `${startProp} IS NOT NULL AND ${endProp} IS NOT NULL AND`, 
-                  ` ${startProp} >= ${start_time}`,
-                  ` AND ${endProp} <= ${end_time}`,
+                  ` ${startProp} >= :start_time`,
+                  ` AND ${endProp} <= :end_time`,
               `)`,
               ` OR `,
               `(`,
                 `${startProp} IS NULL AND ${endProp} IS NOT NULL AND`,
-                  ` ${endProp} >= ${start_time}`,
-                  ` AND ${endProp} <= ${end_time}`,
+                  ` ${endProp} >= :start_time`,
+                  ` AND ${endProp} <= :end_time`,
               `))`
           ].join('')
             q += t;
@@ -653,14 +653,14 @@ router.post("/intersect", function (req, res, next) {
           t += [
               `((`,
                 `${startProp} IS NOT NULL AND ${endProp} IS NOT NULL AND`, 
-                  ` ${startProp} >= ${start_time}`,
-                  ` AND ${endProp} <= ${end_time}`,
+                  ` ${startProp} >= :start_time`,
+                  ` AND ${endProp} <= :end_time`,
               `)`,
               ` OR `,
               `(`,
                 `${startProp} IS NULL AND ${endProp} IS NOT NULL AND`,
-                  ` ${endProp} >= ${start_time}`,
-                  ` AND ${endProp} <= ${end_time}`,
+                  ` ${endProp} >= :start_time`,
+                  ` AND ${endProp} <= :end_time`,
               `))`
           ].join('')
           q += t;
@@ -800,17 +800,17 @@ router.get("/aggregations", function (req, res, next) {
           endProp = Utils.forceAlphaNumUnder(req.query.endProp || endProp);
           // prettier-ignore
           t += [
-            `(`,
+            `((`,
               `${startProp} IS NOT NULL AND ${endProp} IS NOT NULL AND`, 
-                ` ${startProp} >= ${start_time}`,
-                ` AND ${endProp} <= ${end_time}`,
+                ` ${startProp} >= :start_time`,
+                ` AND ${endProp} <= :end_time`,
             `)`,
             ` OR `,
             `(`,
               `${startProp} IS NULL AND ${endProp} IS NOT NULL AND`,
-                ` ${endProp} >= ${start_time}`,
-                ` AND ${endProp} <= ${end_time}`,
-            `)`
+                ` ${endProp} >= :start_time`,
+                ` AND ${endProp} <= :end_time`,
+            `))`
         ].join('')
           q += t;
         }

API/Backend/Users/routes/users.js

@@ -298,19 +298,19 @@ router.post("/login", function (req, res) {
                           : "",
                     });
                   });
-                  return null;
+                  return;
                 })
                 .catch((err) => {
                   res.send({ status: "failure", message: "Login failed." });
-                  return null;
+                  return;
                 });
-              return null;
+              return;
             } else {
               res.send({
                 status: "failure",
                 message: "Invalid username or password.",
               });
-              return null;
+              return;
             }
           }
 

configure/package.json

@@ -1,6 +1,6 @@
 {
   "name": "configure",
-  "version": "4.2.36-20260402",
+  "version": "4.2.38-20260408",
   "homepage": "./configure/build",
   "private": true,
   "dependencies": {

package.json

@@ -1,6 +1,6 @@
 {
   "name": "mmgis",
-  "version": "4.2.36-20260402",
+  "version": "4.2.38-20260408",
   "description": "A web-based mapping and localization solution for science operation on planetary missions.",
   "homepage": "build",
   "repository": {

playwright.config.js

@@ -11,8 +11,8 @@ export default defineConfig({
   // Test file patterns
   testMatch: "**/*.spec.js",
 
-  // Timeout per test
-  timeout: 30 * 1000,
+  // Timeout per test (2 minutes — E2E tests may need extra time on slower machines)
+  timeout: 120 * 1000,
 
   // Test execution settings
   fullyParallel: true,

scripts/middleware.js

@@ -38,12 +38,17 @@ async function compositeImageUrls(urls) {
 
 async function onlyExistingFilepaths(paths) {
   const filePromises = [];
-  paths.forEach((path) => {
+  paths.forEach((filePath) => {
     filePromises.push(
       new Promise(async (resolve, reject) => {
         try {
-          await fs.promises.access(`${rootDirMissions}${path}`);
-          resolve(path);
+          const fullPath = path.resolve(`${rootDirMissions}${filePath}`);
+          if (!fullPath.replace(/\\/g, '/').startsWith(path.resolve(rootDirMissions).replace(/\\/g, '/') + '/')) {
+            resolve(false);
+            return;
+          }
+          await fs.promises.access(fullPath);
+          resolve(filePath);
         } catch (err) {
           resolve(false);
         }

src/essence/Basics/Map_/Map_.js

@@ -1329,6 +1329,7 @@ async function makeTileLayer(layerObj, mapContext = null) {
                     layerObj.tileMatrixSet || 'WebMercatorQuad'
                 }/{z}/{x}/{y}.webp?url=${layerUrl}${bandsParam}${resamplingParam}`
 
+                break
             default:
                 break
         }

src/essence/Tools/Chemistry/chemistryplot.js

@@ -5,6 +5,10 @@ import L_ from '../../Basics/Layers_/Layers_'
 import CursorInfo from '../../Ancillary/CursorInfo'
 
 var clearFunction
+var chemsArray = []
+var chemsNames = []
+var apxsArray = []
+var apxsNames = []
 
 function makeChemistryPlot(chems, names, id) {
     var svg

src/normalize.js

@@ -88,6 +88,7 @@ define(function() {
 
     baseParts.pop();
 
+    var curPart;
     while (curPart = uriParts.shift())
       if (curPart == '..')
         baseParts.pop();
@@ -105,7 +106,7 @@ define(function() {
     var baseParts = base.split('/');
     baseParts.pop();
     base = baseParts.join('/') + '/';
-    i = 0;
+    var i = 0;
     while (base.substr(i, 1) == uri.substr(i, 1))
       i++;
     while (base.substr(i, 1) != '/')
@@ -116,11 +117,12 @@ define(function() {
     // each base folder difference is thus a backtrack
     baseParts = base.split('/');
     var uriParts = uri.split('/');
-    out = '';
+    var out = '';
     while (baseParts.shift())
       out += '../';
 
     // finally add uri parts
+    var curPart;
     while (curPart = uriParts.shift())
       out += curPart + '/';
 

tests/e2e/api/draw.spec.js

@@ -0,0 +1,66 @@
+import { test, expect } from '@playwright/test';
+
+/**
+ * E2E tests for Draw API endpoints.
+ * Backend routes: API/Backend/Draw/routes/files.js
+ *
+ * Currently covers:
+ *   - POST /api/files/getfile (impacted by SQL injection fix in filesutils.js)
+ *
+ * Future tests can cover:
+ *   - POST /api/files/getfiles
+ *   - POST /api/files/gethistory
+ *   - POST /api/files/add, /edit, /remove, /merge, /split, /undo
+ *   - POST /api/files/publish, /clip
+ */
+
+test.describe('Draw API', () => {
+
+  test.describe('POST /api/files/getfile', () => {
+
+    test('returns a valid response for a basic getfile request', async ({ request }) => {
+      const response = await request.post('/api/files/getfile', {
+        data: {
+          id: 1,
+          test: 'false',
+        },
+      });
+      // Should not crash (no 500)
+      expect(response.status()).toBeLessThan(500);
+      const body = await response.json();
+      expect(body).toHaveProperty('status');
+    });
+
+    test('returns a valid response with temporal filter parameters', async ({ request }) => {
+      // Exercises the timeProp SQL path that was fixed
+      const response = await request.post('/api/files/getfile', {
+        data: {
+          id: 1,
+          test: 'false',
+          timeProp: 'sol',
+          startTime: '2024-01-01T00:00:00Z',
+          endTime: '2024-12-31T23:59:59Z',
+        },
+      });
+      expect(response.status()).toBeLessThan(500);
+      const body = await response.json();
+      expect(body).toHaveProperty('status');
+    });
+
+    test('handles malicious timeProp without server error', async ({ request }) => {
+      // SQL injection attempt via timeProp — should be sanitized, not crash
+      const response = await request.post('/api/files/getfile', {
+        data: {
+          id: 1,
+          test: 'false',
+          timeProp: "'; DROP TABLE user_features; --",
+          startTime: '2024-01-01T00:00:00Z',
+          endTime: '2024-12-31T23:59:59Z',
+        },
+      });
+      expect(response.status()).toBeLessThan(500);
+    });
+
+  });
+
+});