Potential fix for code scanning alert no. 3: Database query built from user-controlled sources

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

Author: Nec0ti

package.json

@@ -14,7 +14,8 @@
     "express": "^4.18.2",
     "express-rate-limit": "^7.5.0",
     "jsonwebtoken": "^9.0.2",
-    "mongoose": "^8.12.1"
+    "mongoose": "^8.12.1",
+    "joi": "^17.13.3"
   },
   "devDependencies": {
     "nodemon": "^3.0.2"

routes/books.js

@@ -2,6 +2,19 @@ const express = require('express');
 const router = express.Router();
 const Book = require('../models/book');
 const auth = require('../middleware/auth');
+const Joi = require('joi');
+
+const bookSchema = Joi.object({
+  title: Joi.string().required(),
+  author: Joi.string().required(),
+  publicationYear: Joi.number().integer().required(),
+  isbn: Joi.string().required(),
+  summary: Joi.string().required(),
+  coverImage: Joi.string().uri().required(),
+  category: Joi.string().required(),
+  pageCount: Joi.number().integer().required(),
+  language: Joi.string().required()
+});
 
 router.get('/', auth, async (req, res) => {
   try {
@@ -25,6 +38,10 @@ router.get('/:id', auth, async (req, res) => {
 });
 
 router.post('/', auth, async (req, res) => {
+  const { error } = bookSchema.validate(req.body);
+  if (error) {
+    return res.status(400).json({ message: error.details[0].message });
+  }
   const book = new Book({
     title: req.body.title,
     author: req.body.author,
@@ -46,6 +63,10 @@ router.post('/', auth, async (req, res) => {
 });
 
 router.put('/:id', auth, async (req, res) => {
+  const { error } = bookSchema.validate(req.body);
+  if (error) {
+    return res.status(400).json({ message: error.details[0].message });
+  }
   try {
     const book = await Book.findByIdAndUpdate(req.params.id, req.body, { new: true });
     if (!book) {