Mike/FrenoCorp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

FRE-588: Fix IDOR vulnerabilities and security findings

Browse Source 
H1: Add verifyScriptAccess/verifyRevisionAccess to all 14 revisions endpoints
H2: Add verifyProjectAccess to listScripts and searchScripts
M2: Add cascade delete for projectMembers on project deletion
M4: Replace plain Error throws with TRPCError for consistent error handling
M5: Use crypto.randomUUID for team ID generation (was Date.now + Math.random)
L1: Add 100KB content size limit on revision content
L2: Add unique constraint to script slug column
L3: Update hasProjectAccess middleware to check project membership
This commit is contained in:
Senior Engineer
2026-04-29 06:57:20 -04:00
committed by Michael Freno
parent eab380b76b
commit c142611470
7 changed files with 154 additions and 114 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
server/trpc/team-router.ts
View File

@@ -54,8 +54,9 @@ async function verifyTeamRole(
}
}
function generateTeamId(): string {
return `team_${Date.now()}_${Math.random().toString(36).slice(2, 9)}`;
async function generateTeamId(): Promise<string> {
const { randomUUID } = await import('crypto');
return `team_${randomUUID()}`;
}
export const teamRouter = {
@@ -101,7 +102,7 @@ export const teamRouter = {
name: z.string().min(1).max(255),
}))
.mutation(async ({ input, ctx }) => {
const teamId = generateTeamId();
const teamId = await generateTeamId();
const result = await ctx.db!.insert(teams)
.values({
id: teamId,