🔒 Fix mass assignment vulnerabilities in blog and job controllers

[Adityavanjre]

🎯 What:
Mass assignment vulnerabilities existed in blogController.js and jobController.js due to the unsafe usage of Object.assign(doc, req.body) when updating entities.

⚠️ Risk:
Attackers could potentially inject unexpected and unauthorized fields during updates (e.g., overriding system fields, modifying timestamps, toggling isAdmin or other internal-only states), leading to privilege escalation, data corruption, or application logic bypass.

🛡️ Solution:
Replaced Object.assign() with explicit field assignment loops. We defined strict lists of allowedFields in both controllers based on the Mongoose models' schemas. New tests were also added (massAssignment.test.js) verifying that explicitly allowed fields update successfully while injected vulnerable fields (e.g., isAdmin, _id) are safely ignored.

---

PR created automatically by Jules for task 3297366078245988208 started by @Adityavanjre

Summary by CodeRabbit

• Bug Fixes

  • Update operations for blogs and jobs now restrict which fields can be modified during updates to prevent unintended changes.

• Tests

  • Added tests verifying that only allowed fields are applied during updates and that other properties remain unchanged.

• Chores

  • Added development testing infrastructure and a test script to run the new test suite.

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[coderabbitai]

Note

Currently processing new changes in this PR. This may take a few minutes, please wait...

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 2e0a6513-a7a5-4e0b-a813-d53513d32f4c

📥 Commits

Reviewing files that changed from the base of the PR and between 6051811 and 28ab850.

📒 Files selected for processing (4)

• agency/server/controllers/blogController.js
• agency/server/controllers/jobController.js
• agency/server/package.json
• agency/server/tests/massAssignment.test.js

 _________________________________________________
< I am the right brain to your SAST's left brain. >
 -------------------------------------------------
  \
   \   \
        \ /\
        ( )
      .( o ).

📝 Walkthrough

Walkthrough

This PR adds mass-assignment protection to blog and job update endpoints by introducing field whitelists that restrict which request-body properties can be modified. The controllers now conditionally assign only explicitly allowed fields from req.body to documents before saving, replacing prior unrestricted merging. Jest testing infrastructure and test cases verify the protections work correctly.

Changes

Mass-Assignment Protections

Layer / File(s)	Summary
Core Implementation: Update Controllers agency/server/controllers/blogController.js, agency/server/controllers/jobController.js	updateBlog and updateJob replace Object.assign(doc, req.body) with an allowedFields whitelist, copying only permitted fields (title, status for blog; role, type, location, description, requirements, isActive for job).
Test Infrastructure & Dependencies agency/server/package.json	Adds dev and test npm scripts; introduces jest and nodemon as devDependencies to enable local development and test execution.
Test Cases: Mass-Assignment Verification agency/server/tests/massAssignment.test.js	Jest test suite mocks Blog and Job models and verifies that updateBlog and updateJob apply only whitelisted fields from req.body, ignore unauthorized assignments, and properly invoke save() and res.json().

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch jules-security-mass-assignment-fix-3297366078245988208

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

Tip

You can enable review details to help with troubleshooting, context usage and more.

Enable the reviews.review_details setting to include review details such as the model used, the time taken for each step and more in the review comments.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 62820fb9f7

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Update the server lockfile for Jest

When this package is installed from a clean checkout using the tracked agency/server/package-lock.json, the new test script depends on jest but the lockfile still has only nodemon in the server devDependencies and no Jest entries. That leaves the new tests unreproducible and can make lockfile-based installs or dependency verification for agency/server fail or omit the test runner; update the corresponding lockfile alongside this added dependency.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, you can upgrade your account or add credits to your account and enable them for code reviews in your settings.