CapaKraken

Hartmut/CapaKraken

Fork 0

Commit Graph

Author	SHA1	Message	Date
Hartmut	c0c5f762b8	security: bound JSONB inputs + whitelist batchUpdateCustomFields keys (#48 ) batchUpdateCustomFields used $executeRaw to merge a manager-supplied record straight into Resource.dynamicFields with no key whitelist — so a manager could pollute the JSONB namespace with arbitrary keys (e.g. ones admin tools later interpret). Separately, several user-facing JSONB fields (allocation/demand metadata, dynamicFields) were typed as unbounded z.record(z.string(), z.unknown()), letting clients ship multi-MB payloads that flow into DB writes, audit logs, and SSE frames. - Add BoundedJsonRecord helper (shared) — 64 keys / depth 4 / 8 KB strings / 32 KB serialized total. Conservative defaults; call sites needing more should use a strict object schema. - Apply BoundedJsonRecord to the highest-traffic untrusted JSONB inputs: allocation metadata (Create/CreateDemandRequirement/CreateAssignment), resource & project dynamicFields, and the createDemand router input. - batchUpdateCustomFields: * Tighten input schema (key length, value bounds, max 100 keys). * Fetch each target resource and verify all input keys are in the union of (specific blueprint defs) ∪ (active global RESOURCE blueprint defs) for that resource. Empty whitelist → reject all keys (stricter than create/update, but appropriate for a bulk escape-hatch endpoint). * Run the existing per-key value validator afterwards. * 404 if any requested id does not exist (was silently skipped). - New helper getAllowedDynamicFieldKeys() in blueprint-validation. - 7 new BoundedJsonRecord tests, 2 new batchUpdateCustomFields tests covering the whitelist-rejection and not-found paths. Covers EAPPS 3.2.7 (input bounds) / OWASP A03 (injection / mass assignment). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-04-17 08:44:11 +02:00
Hartmut	9bd3781c03	fix(types): flatten tRPC Zod schema types to resolve TS2589 inference depth errors Cast Zod schemas with .refine()/.superRefine() to z.ZodType<InferredType> at the procedure level. This short-circuits TypeScript's deep type recursion through tRPC's middleware chain, eliminating 4 of 5 @ts-expect-error TS2589 suppressions in web components (VacationModal, ProjectModal, UsersClient, CountriesClient). Applied same pattern to allocation, timeline, staffing, dashboard, project, and resource query/mutation procedures to reduce client-side type depth. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-04-10 15:28:12 +02:00
Hartmut	b2c8d98b25	refactor(api): reorganise allocation router into allocation/ subdirectory Moves read, assignment-procedures, assignment-mutations, and demand procedures into allocation/ so the domain boundary is discoverable without grep. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-04-09 14:44:17 +02:00

Author

SHA1

Message

Date

Hartmut

c0c5f762b8

security: bound JSONB inputs + whitelist batchUpdateCustomFields keys (#48 )

batchUpdateCustomFields used $executeRaw to merge a manager-supplied
record straight into Resource.dynamicFields with no key whitelist —
so a manager could pollute the JSONB namespace with arbitrary keys
(e.g. ones admin tools later interpret). Separately, several user-facing
JSONB fields (allocation/demand metadata, dynamicFields) were typed as
unbounded z.record(z.string(), z.unknown()), letting clients ship
multi-MB payloads that flow into DB writes, audit logs, and SSE frames.

- Add BoundedJsonRecord helper (shared) — 64 keys / depth 4 /
  8 KB strings / 32 KB serialized total. Conservative defaults; call
  sites needing more should use a strict object schema.
- Apply BoundedJsonRecord to the highest-traffic untrusted JSONB inputs:
  allocation metadata (Create/CreateDemandRequirement/CreateAssignment),
  resource & project dynamicFields, and the createDemand router input.
- batchUpdateCustomFields:
    * Tighten input schema (key length, value bounds, max 100 keys).
    * Fetch each target resource and verify all input keys are in the
      union of (specific blueprint defs) ∪ (active global RESOURCE
      blueprint defs) for that resource. Empty whitelist → reject all
      keys (stricter than create/update, but appropriate for a bulk
      escape-hatch endpoint).
    * Run the existing per-key value validator afterwards.
    * 404 if any requested id does not exist (was silently skipped).
- New helper getAllowedDynamicFieldKeys() in blueprint-validation.
- 7 new BoundedJsonRecord tests, 2 new batchUpdateCustomFields tests
  covering the whitelist-rejection and not-found paths.

Covers EAPPS 3.2.7 (input bounds) / OWASP A03 (injection / mass assignment).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

2026-04-17 08:44:11 +02:00

Hartmut

9bd3781c03

fix(types): flatten tRPC Zod schema types to resolve TS2589 inference depth errors

Cast Zod schemas with .refine()/.superRefine() to z.ZodType<InferredType> at the
procedure level. This short-circuits TypeScript's deep type recursion through
tRPC's middleware chain, eliminating 4 of 5 @ts-expect-error TS2589 suppressions
in web components (VacationModal, ProjectModal, UsersClient, CountriesClient).

Applied same pattern to allocation, timeline, staffing, dashboard, project, and
resource query/mutation procedures to reduce client-side type depth.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-04-10 15:28:12 +02:00

Hartmut

b2c8d98b25

refactor(api): reorganise allocation router into allocation/ subdirectory

Moves read, assignment-procedures, assignment-mutations, and demand
procedures into allocation/ so the domain boundary is discoverable
without grep.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-04-09 14:44:17 +02:00

3 Commits