🔒 [security fix] Fix Mass Assignment in Job and Blog Update

[Adityavanjre]

🎯 What:

Fixed a mass assignment vulnerability in the Job and Blog update controllers.

⚠️ Risk:

The previous use of Object.assign(document, req.body) allowed clients to modify any property on the Mongoose document, including those not intended for client-side updates (e.g., system-generated fields like createdAt, or restricted fields). This could lead to data integrity issues or privilege escalation if sensitive fields were present in the model.

🛡️ Solution:

Replaced the direct merging of req.body with an explicit field whitelist. Only fields specified in the model schema for these entities are now updated, and only if they are present in the request body.

Affected Files:

• agency/server/controllers/jobController.js: Whitelisted role, type, location, description, requirements, and isActive.
• agency/server/controllers/blogController.js: Whitelisted title, author, category, image, excerpt, content, readTime, tags, slug, and status.

Verification was performed using a reproduction script that attempted to overwrite createdAt and add an unauthorized isAdmin field, confirming that the fix correctly ignores these fields while still allowing valid updates.

---

PR created automatically by Jules for task 2451609093056489458 started by @Adityavanjre

Summary by CodeRabbit

• Bug Fixes
  • Improved data integrity for blog and job updates. Unspecified fields are now preserved during updates instead of being overwritten, preventing accidental loss of information.

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[coderabbitai]

Warning

Rate limit exceeded

@Adityavanjre has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 13 minutes and 3 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Free

Run ID: 29dc2dcc-d79c-4e74-9415-f0bfdb35309e

📥 Commits

Reviewing files that changed from the base of the PR and between 99d0a06 and 77476a8.

📒 Files selected for processing (1)

• package.json

📝 Walkthrough

Walkthrough

The PR modifies two controller update methods—updateBlog and updateJob—to replace bulk property assignment with selective field updates. Instead of copying all properties from the request body, each controller now destructures only allowed fields and conditionally applies them only when provided, preventing accidental overwrites of unspecified fields.

Changes

Selective Field Updates in Controllers

Layer / File(s)	Summary
Controller Update Logic agency/server/controllers/blogController.js, agency/server/controllers/jobController.js	updateBlog and updateJob replace Object.assign() with field-by-field conditional updates, applying only specified fields (title, author, category, image, excerpt, content, readTime, tags, slug, status for blogs; role, type, location, description, requirements, isActive for jobs) when values are not undefined.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

Note

🎁 Summarized by CodeRabbit Free

Your organization is on the Free plan. CodeRabbit will generate a high-level summary and a walkthrough for each pull request. For a comprehensive line-by-line review, please upgrade your subscription to CodeRabbit Pro by visiting https://app.coderabbit.ai/login.

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 99d0a065fd

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Restore date updates in blog whitelist

When an admin/API client sends date in PUT /api/blogs/:id, this new whitelist silently drops it, even though date is a first-class Blog schema field (agency/server/models/Blog.js) and is rendered in the blog list/detail UI. The old Object.assign path allowed correcting or backdating the displayed publish date; after this change those requests still return success but leave the public date stale, so include date in the allowed fields unless it is intentionally being made immutable.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 77476a8d8e

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Keep the Ajv override v6-compatible

This root override applies to Ajv consumers across the workspace, but the committed lockfile still contains v6-only consumers such as @develar/schema-utils requiring ajv: ^6.12.0 and ajv-keywords@3.5.2 peering on ajv: ^6.9.1. I checked the local npm ci man page, which states that if lockfile dependencies do not match package.json, npm ci exits instead of updating the lock; root CI/install jobs will either fail as out-of-sync or, after regenerating, force Ajv 8 into packages used by electron-builder/fork-ts-checker that expect Ajv 6.

Useful? React with 👍 / 👎.