Fix critical security vulnerabilities in routes/index.js

[devin-ai-integration]

Fix critical security vulnerabilities in routes/index.js

Summary

This PR addresses 5 critical security vulnerabilities identified in the SonarQube analysis of the nodejs-goof application:

1. Open Redirect (BLOCKER) - Fixed unvalidated redirects in adminLoginSuccess() by restricting to relative paths only
2. NoSQL Injection (BLOCKER) - Added input sanitization in loginHandler() to prevent database query manipulation
3. Command Injection (HIGH) - Removed unsafe exec() call in create() function that executed user-controlled data
4. Zip Slip Directory Traversal (HIGH) - Added path validation in import() to prevent malicious archive extraction
5. Prototype Pollution (HIGH) - Replaced _.merge() with safe Object.assign() in chat add() function

Review & Testing Checklist for Human

• Verify login functionality - Test that valid user credentials still authenticate successfully after NoSQL injection fix
• Test file upload security - Attempt to upload a malicious zip file with ../ paths to confirm zip slip protection works
• Validate redirect security - Try various redirect URL formats (absolute URLs, double slashes, etc.) to ensure open redirect is blocked
• Check chat functionality - Test that chat messages work normally and verify prototype pollution attempts are blocked
• Attempt security exploits - Try to reproduce each of the 5 original vulnerabilities to confirm they're properly mitigated

Recommended Test Plan: Set up the application locally, create test cases for each vulnerability type, and verify both that legitimate functionality works and that malicious inputs are properly rejected.

---

Diagram

%%{ init : { "theme" : "default" }}%%
graph TD
    Client["User Browser"]
    Routes["routes/index.js<br/>(MAJOR EDITS)"]:::major-edit
    Auth["Authentication Flow<br/>loginHandler()"]
    Upload["File Upload<br/>import()"]  
    Chat["Chat System<br/>add()"]
    Redirect["Post-login Redirect<br/>adminLoginSuccess()"]
    Database["MongoDB<br/>User Collection"]:::context
    FileSystem["File System<br/>/tmp/extracted_files"]:::context

    Client --> Routes
    Routes --> Auth
    Routes --> Upload
    Routes --> Chat
    Routes --> Redirect
    Auth --> Database
    Upload --> FileSystem
    
    subgraph Legend
        L1[Major Edit]:::major-edit
        L2[Minor Edit]:::minor-edit  
        L3[Context/No Edit]:::context
    end

    classDef major-edit fill:#90EE90
    classDef minor-edit fill:#87CEEB
    classDef context fill:#FFFFFF

Loading

Notes

• Functional Impact: The image identification feature in todo creation has been disabled as part of the command injection fix - this removes functionality but eliminates the security risk
• NoSQL Injection: The fix uses toString() sanitization which handles most common attacks but may not be comprehensive against all NoSQL injection techniques
• Testing Coverage: Limited local testing was performed due to environment constraints - thorough security testing is recommended

Link to Devin run: https://app.devin.ai/sessions/4107680add88497f871e981a94ff95d2
Requested by: Shawn Azman (@ShawnAzman)

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[sonarqubecloud]

Quality Gate passed

Issues
3 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud