fix: 2026-06-09 full-codebase audit hardening
Validation: shared NaN-guarded Zod coercion helpers in schemas/common.ts replace the raw number|string transform idiom across every schema (the root-cause NaN bug class); emailOrEmpty + lenient isoDateString/timeString. Security: roles privilege-escalation closed; refresh-token family revocation on reuse; TOTP uses config params; read endpoints permission-guarded; received-invoices gross VAT on all paths; orders-pdf custom-items authz. Concurrency: $queryRaw SELECT...FOR UPDATE locks in ascending-id order (warehouse confirm/cancel, attendance lockUserRow); uniqueness checks moved into create transactions (TOCTOU -> 409); deterministic id tiebreak on second-precision timestamp ordering (plan resolveCell/resolveGrid, warehouse FIFO). Frontend: Rules-of-Hooks fixed across ~14 pages + PlanCellModal; UTC-date persisted fields; dashboard invalidation gaps; stale-closure confirm bugs. Tooling/tests: ESLint flat config (react-hooks/rules-of-hooks = error) + Prettier; tsconfig.test.json so tsc -b type-checks the tests; removed 3 dead deps; npm audit fix (8 -> 3). Suite 195 -> 247 (happy-path auth, FIFO oldest-first, flakiness fixes), isolated on app_test via .env.test with a hard-throw setup guard. Gates: tsc 0 | build 0 | vitest 247/247 | eslint 0 errors. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -1,6 +1,22 @@
|
||||
import { PaginationQuery, PaginationMeta } from "../types";
|
||||
|
||||
export function parsePagination(query: Record<string, unknown>): {
|
||||
/**
|
||||
* Parse common pagination/sort/search query params.
|
||||
*
|
||||
* SECURITY NOTE (trust boundary): `page` and `limit` are clamped here
|
||||
* (page ≥ 1, 1 ≤ limit ≤ 100), but `sort` and `search` are passed through
|
||||
* VERBATIM and are NOT validated against any schema. They originate from the
|
||||
* client. Callers that feed `sort` into a Prisma `orderBy` MUST allow-list it
|
||||
* against the set of sortable columns for that entity (e.g.
|
||||
* `const col = ALLOWED_SORTS.includes(sort) ? sort : "id"`), otherwise an
|
||||
* attacker-supplied field name reaches the query layer. `search` is only safe
|
||||
* when used through parameterized Prisma `contains` filters — never interpolate
|
||||
* it into raw SQL.
|
||||
*/
|
||||
export function parsePagination(
|
||||
query: Record<string, unknown>,
|
||||
opts?: { defaultLimit?: number; maxLimit?: number },
|
||||
): {
|
||||
page: number;
|
||||
limit: number;
|
||||
skip: number;
|
||||
@@ -8,12 +24,20 @@ export function parsePagination(query: Record<string, unknown>): {
|
||||
order: "asc" | "desc";
|
||||
search: string;
|
||||
} {
|
||||
// Defaults suit dense list views (25/page, capped at 100). Report endpoints
|
||||
// that render their full result set pass a generous defaultLimit/maxLimit so
|
||||
// they stay effectively complete while still bounded against a runaway scan.
|
||||
const defaultLimit = opts?.defaultLimit ?? 25;
|
||||
const maxLimit = opts?.maxLimit ?? 100;
|
||||
const page = Math.max(1, parseInt(String(query.page || "1"), 10) || 1);
|
||||
const limit = Math.min(
|
||||
100,
|
||||
maxLimit,
|
||||
Math.max(
|
||||
1,
|
||||
parseInt(String(query.limit || query.per_page || "25"), 10) || 25,
|
||||
parseInt(
|
||||
String(query.limit || query.per_page || String(defaultLimit)),
|
||||
10,
|
||||
) || defaultLimit,
|
||||
),
|
||||
);
|
||||
const sort = String(query.sort || "id");
|
||||
|
||||
Reference in New Issue
Block a user