Mike/FrenoCorp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

FRE-588: Fix IDOR vulnerabilities and security findings

Browse Source 
H1: Add verifyScriptAccess/verifyRevisionAccess to all 14 revisions endpoints
H2: Add verifyProjectAccess to listScripts and searchScripts
M2: Add cascade delete for projectMembers on project deletion
M4: Replace plain Error throws with TRPCError for consistent error handling
M5: Use crypto.randomUUID for team ID generation (was Date.now + Math.random)
L1: Add 100KB content size limit on revision content
L2: Add unique constraint to script slug column
L3: Update hasProjectAccess middleware to check project membership
This commit is contained in:
Senior Engineer
2026-04-29 06:57:20 -04:00
committed by Michael Freno
parent eab380b76b
commit c142611470
7 changed files with 154 additions and 114 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
server/trpc/project-router.ts
View File

@@ -221,6 +221,10 @@ export const projectRouter = {
await ctx.db!.delete(scenes)
.where(eq(scenes.projectId, input.id));
// M2 fix: remove project members
await ctx.db!.delete(projectMembers)
.where(eq(projectMembers.projectId, input.id));
// Get character IDs for this project
const projectCharacters = await ctx.db!.select({ id: characters.id })
.from(characters)
@@ -544,7 +548,7 @@ export const projectRouter = {
)
);
if (existing.length > 0) {
throw new Error('Relationship already exists between these characters');
throw new TRPCError({ code: 'CONFLICT', message: 'Relationship already exists between these characters' });
}
const result = await ctx.db!.insert(characterRelationships)