[pull] main from hoppscotch:main#69
Merged
* fix(backend): prevent mass assignment in onboarding config endpoint

  The unauthenticated POST /v1/onboarding/config endpoint mapped the request body directly to InfraConfigEnum keys, allowing an attacker on a fresh install to inject sensitive values such as JWT_SECRET and SESSION_SECRET, enabling forged admin JWTs and full takeover.

  Four independent weaknesses combined to make this exploit possible. This commit addresses each in layers so the fix holds even if any single layer regresses:

  - main.ts: enable `whitelist: true` on the global ValidationPipe so properties not declared on any DTO are stripped before reaching any controller / service. This is the primary mitigation described in the advisory.
  - onboarding.controller.ts: scope an additional ValidationPipe (`whitelist` + `forbidNonWhitelisted`) on the onboarding POST body so requests containing unknown fields are explicitly rejected with 400 instead of silently dropped.
  - infra-config.service.ts (updateOnboardingConfig): introduce an `ONBOARDING_ALLOWED_KEYS` allowlist so any `InfraConfigEnum` key not part of the documented onboarding surface (OAuth, SMTP) is dropped server-side before being persisted, even if earlier layers regress.
  - infra-config.service.ts (validateEnvValues): explicitly reject `JWT_SECRET`, `SESSION_SECRET` and `ALLOW_SECURE_COOKIES` so these keys can never be written through any infra-config code path, replacing the prior `default: break` behaviour that silently accepted them.

  Fixes GHSA-j542-4rch-8hwf

* fix(backend): harden onboarding config validation and add sensitive infra-config tests
* chore: cleanup
* chore: class validator implemented in dto layer
* fix: arguments
* fix: api feedback

---------

Co-authored-by: “mirarifhasan” <arif.ishan05@gmail.com>
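The layered defence the commit message describes, as an added example (not Hoppscotch's code): a passthrough handler that persists whatever key the body names, beside a hardened handler that rejects unknown DTO properties (the `forbidNonWhitelisted` behaviour), refuses the three sensitive keys, and drops keys outside the onboarding allowlist. The array-of-`{name, value}` body shape and the allowlisted OAuth/SMTP key names are assumptions.

```typescript
// Added example, not Hoppscotch's code. Mirrors the layered fix from the
// commit message; key names other than the three sensitive ones are assumed.

type ConfigEntry = { name: string; value: string };
type Result =
  | { status: 200; persisted: Record<string, string> }
  | { status: 400; error: string };

// Properties the onboarding DTO declares (assumed body shape: array of {name, value}).
const DTO_PROPS = new Set<string>(["name", "value"]);

// Allowlist layer: only the documented onboarding surface (OAuth, SMTP) may be
// written. These names are illustrative stand-ins, not the real InfraConfigEnum.
const ONBOARDING_ALLOWED_KEYS = new Set<string>([
  "GOOGLE_CLIENT_ID",
  "GOOGLE_CLIENT_SECRET",
  "MAILER_SMTP_URL",
]);

// validateEnvValues layer: keys that must never be writable via infra-config.
const SENSITIVE_KEYS = new Set<string>(["JWT_SECRET", "SESSION_SECRET", "ALLOW_SECURE_COOKIES"]);

// Before: the body is mapped straight onto config keys, so any key persists.
function updateOnboardingConfigBefore(body: ConfigEntry[]): Record<string, string> {
  const persisted: Record<string, string> = {};
  for (const entry of body) persisted[entry.name] = entry.value;
  return persisted;
}

// After: unknown DTO properties -> 400, sensitive keys -> 400,
// keys outside the onboarding allowlist are dropped before persistence.
function updateOnboardingConfigAfter(body: unknown): Result {
  if (!Array.isArray(body)) return { status: 400, error: "body must be an array" };
  const persisted: Record<string, string> = {};
  for (const raw of body) {
    if (typeof raw !== "object" || raw === null) return { status: 400, error: "entry must be an object" };
    const unknown = Object.keys(raw).filter((k) => !DTO_PROPS.has(k));
    if (unknown.length > 0) return { status: 400, error: `property ${unknown[0]} should not exist` };
    const { name, value } = raw as Record<string, unknown>;
    if (typeof name !== "string" || typeof value !== "string") return { status: 400, error: "name and value must be strings" };
    if (SENSITIVE_KEYS.has(name)) return { status: 400, error: `${name} cannot be set through infra-config` };
    if (!ONBOARDING_ALLOWED_KEYS.has(name)) continue; // dropped server-side, never persisted
    persisted[name] = value;
  }
  return { status: 200, persisted };
}
```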
* fix: class validator decorator usages
* fix: feedback
Co-authored-by: James George <25279263+jamesgeorge007@users.noreply.github.com>
Co-authored-by: nivedin <nivedinp@gmail.com>
Co-authored-by: James George <25279263+jamesgeorge007@users.noreply.github.com>
Co-authored-by: James George <25279263+jamesgeorge007@users.noreply.github.com>
Co-authored-by: gavin mcdonough <mcdgavin@users.noreply.github.com>
Co-authored-by: nivedin <nivedinp@gmail.com>
Co-authored-by: James George <25279263+jamesgeorge007@users.noreply.github.com>
Co-authored-by: James George <25279263+jamesgeorge007@users.noreply.github.com>
* fix: class validation issue for updateRESTUserRequest
* test: modified user-req unit test cases
Co-authored-by: cf3901646 <cf3901646@users.noreply.github.com>
Co-authored-by: James George <25279263+jamesgeorge007@users.noreply.github.com>
See Commits and Changes for more details.
Created by
pull[bot] (v2.0.0-alpha.4)
Can you help keep this open source service alive? 💖 Please sponsor : )