fix: 2026-06-09 full-codebase audit hardening

Validation: shared NaN-guarded Zod coercion helpers in schemas/common.ts replace
the raw number|string transform idiom across every schema (the root-cause NaN bug
class); emailOrEmpty + lenient isoDateString/timeString.

Security: roles privilege-escalation closed; refresh-token family revocation on
reuse; TOTP uses config params; read endpoints permission-guarded; received-invoices
gross VAT on all paths; orders-pdf custom-items authz.

Concurrency: $queryRaw SELECT...FOR UPDATE locks in ascending-id order (warehouse
confirm/cancel, attendance lockUserRow); uniqueness checks moved into create
transactions (TOCTOU -> 409); deterministic id tiebreak on second-precision
timestamp ordering (plan resolveCell/resolveGrid, warehouse FIFO).

Frontend: Rules-of-Hooks fixed across ~14 pages + PlanCellModal; UTC-date persisted
fields; dashboard invalidation gaps; stale-closure confirm bugs.

Tooling/tests: ESLint flat config (react-hooks/rules-of-hooks = error) + Prettier;
tsconfig.test.json so tsc -b type-checks the tests; removed 3 dead deps; npm audit
fix (8 -> 3). Suite 195 -> 247 (happy-path auth, FIFO oldest-first, flakiness fixes),
isolated on app_test via .env.test with a hard-throw setup guard.

Gates: tsc 0 | build 0 | vitest 247/247 | eslint 0 errors.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
BOHA
2026-06-09 06:45:26 +02:00
parent c454d1a3fc
commit 519edce373
179 changed files with 7179 additions and 2844 deletions

View File

@@ -1,6 +1,22 @@
import { PaginationQuery, PaginationMeta } from "../types";
export function parsePagination(query: Record<string, unknown>): {
/**
* Parse common pagination/sort/search query params.
*
* SECURITY NOTE (trust boundary): `page` and `limit` are clamped here
* (page ≥ 1, 1 ≤ limit ≤ 100), but `sort` and `search` are passed through
* VERBATIM and are NOT validated against any schema. They originate from the
* client. Callers that feed `sort` into a Prisma `orderBy` MUST allow-list it
* against the set of sortable columns for that entity (e.g.
* `const col = ALLOWED_SORTS.includes(sort) ? sort : "id"`), otherwise an
* attacker-supplied field name reaches the query layer. `search` is only safe
* when used through parameterized Prisma `contains` filters — never interpolate
* it into raw SQL.
*/
export function parsePagination(
query: Record<string, unknown>,
opts?: { defaultLimit?: number; maxLimit?: number },
): {
page: number;
limit: number;
skip: number;
@@ -8,12 +24,20 @@ export function parsePagination(query: Record<string, unknown>): {
order: "asc" | "desc";
search: string;
} {
// Defaults suit dense list views (25/page, capped at 100). Report endpoints
// that render their full result set pass a generous defaultLimit/maxLimit so
// they stay effectively complete while still bounded against a runaway scan.
const defaultLimit = opts?.defaultLimit ?? 25;
const maxLimit = opts?.maxLimit ?? 100;
const page = Math.max(1, parseInt(String(query.page || "1"), 10) || 1);
const limit = Math.min(
100,
maxLimit,
Math.max(
1,
parseInt(String(query.limit || query.per_page || "25"), 10) || 25,
parseInt(
String(query.limit || query.per_page || String(defaultLimit)),
10,
) || defaultLimit,
),
);
const sort = String(query.sort || "id");