
Add queryParser prototype-pollution and operator-injection tests in src/tests/queryParser.injection.test.ts #735

Description

@1nonlypiece

📌 Description

src/middleware/queryParser.ts and src/services/queryParser.ts translate
request query strings into filters. There is no dedicated test proving they
reject __proto__/constructor keys and unsafe operator injection. A gap here
could allow prototype pollution or filter-bypass.

This issue adds focused injection and prototype-pollution tests for the query
parser.

Goal: prove the query parser rejects prototype-pollution keys and unsafe
operators while accepting valid filters.

🎯 Requirements and Context

  • Must assert __proto__, constructor, and prototype keys are rejected.
  • Must assert unsupported operators and unknown fields are rejected.
  • Must assert valid filters still parse correctly.
  • Must run with bun test.

🛠️ Suggested Execution

1. Fork the repo and create a branch

git checkout -b test/queryparser-injection

2. Implement changes

  • Add src/tests/queryParser.injection.test.ts.

3. Test and commit

  • Run with bun test.
  • Cover edge cases: pollution keys, unknown field, bad operator, valid filter.
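As an added illustration of the guards the requested tests must prove (this is not the project's src/services/queryParser.ts), a minimal allowlist-based parser that rejects pollution keys, unknown fields and unsupported operators while still parsing valid filters. The field names, the `field[op]=value` query syntax and the QueryParseError class are assumptions; in the repo the equivalent assertions would live in src/tests/queryParser.injection.test.ts and run under bun test.

```typescript
// Added example, not the project's src/services/queryParser.ts. The field list,
// the `field[op]=value` query syntax and the error class are assumptions.
type Operator = "eq" | "gt" | "lt" | "in";
export type Filter = { field: string; op: Operator; value: string | string[] };

const ALLOWED_FIELDS: ReadonlySet<string> = new Set(["status", "createdAt", "ownerId"]);
const ALLOWED_OPS: ReadonlySet<string> = new Set(["eq", "gt", "lt", "in"]);
// Keys that reach Object.prototype when written into a plain object.
const POLLUTION_KEYS: ReadonlySet<string> = new Set(["__proto__", "constructor", "prototype"]);

export class QueryParseError extends Error {}

// Parses `?status[eq]=active&ownerId[in]=1,2` into an allowlisted filter list.
// Every key is checked against the pollution list first, then both halves
// must be on their respective allowlists; anything else is rejected outright.
export function parseQueryFilters(query: string | URLSearchParams): Filter[] {
  const params = typeof query === "string" ? new URLSearchParams(query) : query;
  const filters: Filter[] = [];
  for (const [rawKey, rawValue] of params) {
    const m = /^([^\[\]]+)\[([^\[\]]+)\]$/.exec(rawKey);
    if (!m) throw new QueryParseError(`malformed filter key: ${rawKey}`);
    const [, field, op] = m;
    if (POLLUTION_KEYS.has(field) || POLLUTION_KEYS.has(op)) {
      throw new QueryParseError(`prototype-pollution key rejected: ${rawKey}`);
    }
    if (!ALLOWED_FIELDS.has(field)) throw new QueryParseError(`unknown field: ${field}`);
    if (!ALLOWED_OPS.has(op)) throw new QueryParseError(`unsupported operator: ${op}`);
    const value = op === "in" ? rawValue.split(",") : rawValue;
    filters.push({ field, op: op as Operator, value });
  }
  return filters;
}

// Materialises the filters into a null-prototype object, so even a key that
// slipped past the allowlist could not reach Object.prototype.
export function toFilterObject(filters: Filter[]): Record<string, Record<string, unknown>> {
  const out: Record<string, Record<string, unknown>> = Object.create(null);
  for (const f of filters) {
    const clause = out[f.field] ?? (out[f.field] = Object.create(null));
    clause[f.op] = f.value;
  }
  return out;
}

// True iff the parser rejects the query; this is what the injection tests assert.
export function rejectsQuery(query: string): boolean {
  try { parseQueryFilters(query); return false; }
  catch (e) { return e instanceof QueryParseError; }
}
```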

Example commit message

test: queryParser prototype-pollution and injection guards

✅ Guidelines

  • Minimum 95% test coverage on the new/changed lines.
  • Clear, reviewer-friendly documentation.
  • No regressions on existing query parsing.
  • Timeframe: 96 hours.

🏷️ Labels

type-testing · type-security · area-backend · MAYBE REWARDED · GRANTFOX OSS · OFFICIAL CAMPAIGN

💬 Community & Support

  • Join the Disciplr contributor Discord to coordinate, ask questions, and get
    unblocked fast: https://discord.gg/xvNAvMJf
  • Please introduce yourself in the channel before you start so we can avoid
    duplicate work, pair you with a reviewer, and get your PR merged quickly.
  • Maintainers actively triage this channel and aim for fast, clear, respectful
    reviews — reach out any time you're blocked.

Metadata

Labels

  • GRANTFOX OSS: GrantFox open-source campaign
  • MAYBE REWARDED: Eligible for GrantFox reward
  • OFFICIAL CAMPAIGN: Official GrantFox campaign issue
  • Stellar Wave: Issues in the Stellar wave program
  • area-backend: Backend / API work
  • type-security: Security review / hardening
  • type-testing: Tests and test coverage
