Conversation
Whitelist sortByLastModified to only ASC/DESC before interpolation into orderByRaw() to prevent SQL injection via GraphQL filter input. Also add column name allowlists for getBudgetStatementLineItems and getBudgetStatementComments to prevent dynamic column injection. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Use parameterized Knex raw with make_interval() instead of string concatenation for expirationInMinutes in ResolverCache. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add column name allowlist validation for all Roadmap model query methods to prevent SQL injection via user-supplied paramName values. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add column name allowlist validation for getUser and getUsers methods to prevent SQL injection via user-supplied paramName values. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add column name allowlist for getUserActivity and wrap JSON.parse in getBsEvents with try-catch to prevent crashes on malformed input. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Escape %, _, and \ characters in user-supplied path before using in LIKE clause to prevent wildcard injection attacks. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Use crypto.timingSafeEqual() instead of !== for secret comparison to prevent timing-based side-channel attacks. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Three mutations (budgetStatementsBatchAdd, budgetLineItemsBatchAdd, budgetLineItemsBatchUpdate) skipped authorization checks when ownerType was "Delegates", allowing any authenticated user to create/modify Delegates budget data. Now properly enforces the DelegatesAuditor role via Auth.canUpdate for all three mutations. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Fix SQL injection and security vulnerabilities
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.