
Backend fixes#1824

Merged
Artuomka merged 3 commits into
mainfrom
backend_fixes
Jun 3, 2026


@Artuomka Artuomka commented Jun 3, 2026

Collaborator

Summary by CodeRabbit

  • Performance

    • Added intelligent request rate limiting to the company name lookup endpoint, featuring environment-aware configurations and caching to ensure service stability and optimal performance during peak usage.
  • Security

    • Enhanced database aggregation query validation to enforce strict read-only operation requirements, preventing unsafe operations and protecting data integrity.

Copilot AI review requested due to automatic review settings June 3, 2026 07:47
@coderabbitai

coderabbitai Bot commented Jun 3, 2026


Caution

Review failed

Pull request was closed or merged during review

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 083a198 and 780cdd1.

📒 Files selected for processing (2)
  • backend/src/entities/company-info/company-info.controller.ts
  • backend/src/entities/visualizations/panel/utils/check-query-is-safe.util.ts

Walkthrough

This PR adds two security improvements: rate limiting for the company name endpoint with a test-mode-specific threshold, and read-only validation for MongoDB aggregation pipeline queries to prevent write operations and server-side JavaScript execution.

Changes

Security and Query Validation Enhancements

| Layer / File(s) | Summary |
| --- | --- |
| Company Info Endpoint Rate Limiting (backend/src/entities/company-info/company-info.controller.ts) | Reorders injected use-case interface dependencies and adds a @Throttle decorator to the getCompanyNameById route with a 60-second TTL and a test-mode-specific request limit (200 when testing, 10 otherwise). |
| Query Safety Read-Only Pipeline Validation (backend/src/entities/visualizations/panel/utils/check-query-is-safe.util.ts) | Imports isReadOnlyMongoAggregationPipeline and extends checkMongoQueryIsSafe to reject aggregation pipeline queries that contain disallowed write stages or server-side JavaScript operators. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

  • rocket-admin/rocketadmin#1819: Introduces and tests the isReadOnlyMongoAggregationPipeline validator that is now consumed by this PR's updated checkMongoQueryIsSafe function.

Poem

🐰 A throttle here, a validator there,
Securing endpoints with careful care—
No write stages slip through tonight,
Just read-only pipelines, safe and right! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |
| Title check | ❓ Inconclusive | The title 'Backend fixes' is vague and generic, using non-descriptive language that doesn't convey meaningful information about the specific changes made to the codebase. | Use a more specific and descriptive title that highlights the main changes, such as 'Add rate limiting to company name endpoint and enhance MongoDB query safety validation'. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Security Check | ✅ Passed | PR enhances security with rate limiting (10 req/60s) and MongoDB AST-level query validation preventing injection attacks, following OWASP principles with fail-closed design. |


@Artuomka Artuomka enabled auto-merge June 3, 2026 07:47

Copilot AI left a comment


Pull request overview

This PR tightens backend protections by (1) hardening MongoDB panel query validation to reject non-read-only aggregation pipelines, and (2) adding explicit request throttling to the “get company name” endpoint to reduce abuse/load.

Changes:

  • Added an AST-level MongoDB aggregation pipeline validator to block write stages and server-side JavaScript operators.
  • Added a @Throttle(...) override to /company/name/:companyId (and minor import reordering).

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| backend/src/entities/visualizations/panel/utils/check-query-is-safe.util.ts | Adds isReadOnlyMongoAggregationPipeline() enforcement for Mongo panel queries. |
| backend/src/entities/company-info/company-info.controller.ts | Applies per-route throttling to the company-name lookup endpoint. |


Comment on lines +179 to +185
if (!isReadOnlyMongoAggregationPipeline(query)) {
return {
isSafe: false,
reason:
'Query must be a read-only aggregation pipeline (write stages or server-side JavaScript operators such as $out, $merge, $function, $accumulator, $where are not allowed)',
};
}
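Review bot: the reason string on the `reason:` line hard-codes the operator list ($out, $merge, $function, $accumulator, $where), which duplicates the deny list inside isReadOnlyMongoAggregationPipeline and will go stale silently when that validator changes; consider having the validator return the offending stage or operator and interpolating it into the message, or keep the message generic and point at the validator. A short doc comment on this new branch saying why server-side JavaScript operators are rejected alongside write stages would also address the docstring-coverage warning for this file.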
@Artuomka Artuomka merged commit a465a72 into main Jun 3, 2026
14 of 16 checks passed
@Artuomka Artuomka deleted the backend_fixes branch June 3, 2026 07:57
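The read-only pipeline check that the walkthrough and the Copilot overview above describe, as an added example that is not rocketadmin's code and not the project's own isReadOnlyMongoAggregationPipeline: a recursive validator that rejects $out, $merge, $function, $accumulator and $where anywhere in a pipeline, including inside $lookup or $facet sub-pipelines, and fails closed on malformed input. The deny lists, the verdict shape and the sample pipelines are assumptions.

```typescript
// Added example, not rocketadmin's code: an AST-style read-only check for a MongoDB
// aggregation pipeline, in the spirit of the isReadOnlyMongoAggregationPipeline
// validator this PR wires into checkMongoQueryIsSafe. Deny lists are assumptions.
type Json = null | boolean | number | string | Json[] | { [k: string]: Json };
const WRITE_STAGES = ['$out', '$merge']; // stages that write to a collection
const JS_OPERATORS = ['$function', '$accumulator', '$where']; // run server-side JavaScript
// Walk every key recursively so operators hidden in $lookup sub-pipelines, $facet
// branches or $group accumulators are caught, not only top-level stage names.
function findForbiddenKey(node: Json, path: string): string | null {
  if (Array.isArray(node)) {
    for (let i = 0; i < node.length; i++) {
      const hit = findForbiddenKey(node[i], path + '[' + i + ']');
      if (hit) return hit;
    }
  } else if (node !== null && typeof node === 'object') {
    const keys = Object.keys(node);
    for (let i = 0; i < keys.length; i++) {
      const key = keys[i];
      if (WRITE_STAGES.indexOf(key) >= 0 || JS_OPERATORS.indexOf(key) >= 0) return key + ' at ' + path;
      const hit = findForbiddenKey(node[key], path + '.' + key);
      if (hit) return hit;
    }
  }
  return null; // primitives carry no operators
}
// Fail closed: anything that is not an array of single-$key stage objects is rejected.
function isReadOnlyMongoAggregationPipeline(pipeline: unknown): { ok: boolean; reason?: string } {
  if (!Array.isArray(pipeline)) return { ok: false, reason: 'pipeline must be an array of stages' };
  for (let i = 0; i < pipeline.length; i++) {
    const stage: unknown = pipeline[i];
    if (stage === null || typeof stage !== 'object' || Array.isArray(stage)) {
      return { ok: false, reason: 'stage ' + i + ' is not an object' };
    }
    const keys = Object.keys(stage);
    if (keys.length !== 1 || keys[0].charAt(0) !== '$') {
      return { ok: false, reason: 'stage ' + i + ' must have exactly one $-operator key' };
    }
    const hit = findForbiddenKey(stage as Json, 'stage[' + i + ']');
    if (hit) return { ok: false, reason: 'forbidden operator ' + hit };
  }
  return { ok: true };
}
// Constructed sample pipelines (not from the project).
const SAFE_PIPELINE: Json = [
  { $match: { status: 'active' } },
  { $lookup: { from: 'orders', localField: '_id', foreignField: 'userId', as: 'orders' } },
  { $project: { name: 1, orderCount: { $size: '$orders' } } },
];
const NESTED_JS_PIPELINE: Json = [{ $facet: { s: [{ $group: { _id: null, n: { $accumulator: {} } } }] } }];
const WRITE_PIPELINE: Json = [{ $match: {} }, { $out: 'users_copy' }];
```

The $facet sample is the case a top-level-only stage check would miss: the pipeline looks read-only by stage name but still carries a server-side JavaScript accumulator two levels down.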