From e5aba60afff93364d91f17c00ea18d38d9dbc970 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Iv=C3=A1n=20Ovejero?= Date: Tue, 3 Sep 2024 12:31:30 +0200 Subject: [PATCH] fix(core): Tighten check for company size survey answer (#10646) --- .../__tests__/me.controller.test.ts | 20 +++++++++++++++++++ .../cli/src/controllers/survey-answers.dto.ts | 2 +- packages/cli/test/integration/me.api.test.ts | 2 +- 3 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/packages/cli/src/controllers/__tests__/me.controller.test.ts b/packages/cli/src/controllers/__tests__/me.controller.test.ts
index 391c50599c..74bd4da987 100644
--- a/packages/cli/src/controllers/__tests__/me.controller.test.ts
+++ b/packages/cli/src/controllers/__tests__/me.controller.test.ts
@@ -352,6 +352,26 @@ describe('MeController', () => {
 );
 });

+ it('should not flag XSS attempt for `<` sign in company size', async () => {
+ const req = mock();
+ req.body = {
+ version: 'v4',
+ personalization_survey_submitted_at: '2024-08-06T12:19:51.268Z',
+ personalization_survey_n8n_version: '1.0.0',
+ companySize: '<20',
+ otherCompanyIndustryExtended: ['test'],
+ automationGoalSm: ['test'],
+ usageModes: ['test'],
+ email: 'test@email.com',
+ role: 'test',
+ roleOther: 'test',
+ reportedSource: 'test',
+ reportedSourceOther: 'test',
+ };
+
+ await expect(controller.storeSurveyAnswers(req)).resolves.toEqual({ success: true });
+ });
+
 test.each([
 'automationGoalDevops',
 'companyIndustryExtended',
diff --git a/packages/cli/src/controllers/survey-answers.dto.ts b/packages/cli/src/controllers/survey-answers.dto.ts
index f115a6992b..25d9bfacfc 100644
--- a/packages/cli/src/controllers/survey-answers.dto.ts
+++ b/packages/cli/src/controllers/survey-answers.dto.ts
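Review bot: The new `it` case only pins the positive path — that `companySize: '<20'` is accepted — while nothing in this hunk asserts that a value outside the new allowlist is rejected, which is the behaviour the replaced `@NoXss()` check used to provide for this field. A companion case with the same body but e.g. `companySize: 'not-a-size'` and `await expect(controller.storeSurveyAnswers(req)).rejects.toThrow();` would lock in the tightened check rather than just the relaxed one. The enclosing `describe('MeController', …)` block starts outside the hunk, so I cannot see whether such a negative case already exists elsewhere in it.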
@@ -45,7 +45,7 @@ export class PersonalizationSurveyAnswersV4 implements IPersonalizationSurveyAns
 @IsString({ each: true })
 otherCompanyIndustryExtended?: string[] | null;

- @NoXss()
+ @IsEnum(['<20', '20-99', '100-499', '500-999', '1000+', 'personalUser'])
 @Expose()
 @IsOptional()
 @IsString()
diff --git a/packages/cli/test/integration/me.api.test.ts b/packages/cli/test/integration/me.api.test.ts
index 829b296fe6..72ecb09b32 100644
--- a/packages/cli/test/integration/me.api.test.ts
+++ b/packages/cli/test/integration/me.api.test.ts
@@ -400,7 +400,7 @@ const SURVEY: IPersonalizationSurveyAnswersV4 = {
 automationGoalDevopsOther: 'test',
 companyIndustryExtended: ['test'],
 otherCompanyIndustryExtended: ['test'],
- companySize: 'test',
+ companySize: '20-99',
 companyType: 'test',
 automationGoalSm: ['test'],
 automationGoalSmOther: 'test',
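Review bot: The allowed-value list passed to `@IsEnum([...])` is an inline literal, so the property's declared type (presumably on the line after `@IsString()`, outside the hunk) cannot be derived from it, and any other code that needs the same set of sizes has to duplicate the strings. Hoisting it to a named constant keeps the allowlist in one place and lets the type follow it: `const COMPANY_SIZES = ['<20', '20-99', '100-499', '500-999', '1000+', 'personalUser'] as const;` and `@IsEnum(COMPANY_SIZES)`, with the property typed `(typeof COMPANY_SIZES)[number] | null` if the interface it implements permits that narrowing. Swapping the `@NoXss()` denylist-style check for a closed allowlist is the right move for a fixed-choice field; the remaining `@IsString()` is now redundant for this property but harmless. Both the class header `PersonalizationSurveyAnswersV4` and the `companySize` declaration lie outside the hunk.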