Mike/FrenoCorp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

FRE-588: Fix IDOR vulnerabilities and security findings

Browse Source 
H1: Add verifyScriptAccess/verifyRevisionAccess to all 14 revisions endpoints
H2: Add verifyProjectAccess to listScripts and searchScripts
M2: Add cascade delete for projectMembers on project deletion
M4: Replace plain Error throws with TRPCError for consistent error handling
M5: Use crypto.randomUUID for team ID generation (was Date.now + Math.random)
L1: Add 100KB content size limit on revision content
L2: Add unique constraint to script slug column
L3: Update hasProjectAccess middleware to check project membership
This commit is contained in:
Senior Engineer
2026-04-29 06:57:20 -04:00
committed by Michael Freno
parent eab380b76b
commit c142611470
7 changed files with 154 additions and 114 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
server/trpc/revisions-router.test.ts
View File

@@ -59,11 +59,18 @@ describe('revisionsRouter', () => {
});
describe('listRevisions', () => {
it('should return empty array for unknown script', async () => {
const result = await caller.revisions.listRevisions({ scriptId: 999 });
it('should return empty array for script with no revisions', async () => {
const result = await caller.revisions.listRevisions({ scriptId: 1 });
expect(result).toEqual([]);
});
it('should throw NOT_FOUND for unknown script', async () => {
const { TRPCError } = await import('./router');
await expect(
caller.revisions.listRevisions({ scriptId: 999 })
).rejects.toThrow(TRPCError);
});
it('should filter by branch', async () => {
await caller.revisions.createRevision({
scriptId: 1,