fix(security): normalize request parameters and update dependencies

Signed-off-by: Marc Schäfer <git@marcschaeferger.de>
2026-06-05 23:28:44 +00:00 · 2026-05-15 18:35:58 +00:00
parent dd1f7ba544
commit 18d380ce30
37 changed files with 2656 additions and 3609 deletions
--- a/server/routers/auth/securityKey.ts
+++ b/server/routers/auth/securityKey.ts
@@ -25,6 +25,7 @@ import { UserType } from "@server/types/UserTypes";
 import { verifyPassword } from "@server/auth/password";
 import { unauthorized } from "@server/auth/unauthorizedResponse";
 import { verifyTotpCode } from "@server/auth/totp";
+import { getFirstString } from "@server/lib/requestParams";

 // The RP ID is the domain name of your application
 const rpID = (() => {
@@ -406,7 +407,12 @@ export async function deleteSecurityKey(
    res: Response,
    next: NextFunction
 ): Promise<any> {
-    const { credentialId: encodedCredentialId } = req.params;
+    const encodedCredentialId = getFirstString(req.params.credentialId);
+    if (!encodedCredentialId) {
+        return next(
+            createHttpError(HttpCode.BAD_REQUEST, "Invalid credential ID")
+        );
+    }
    const credentialId = decodeURIComponent(encodedCredentialId);
    const user = req.user as User;

--- a/server/routers/domain/getDomain.ts
+++ b/server/routers/domain/getDomain.ts
@@ -8,7 +8,6 @@ import createHttpError from "http-errors";
 import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
-import { domain } from "zod/v4/core/regexes";

 const getDomainSchema = z.strictObject({
    domainId: z.string().optional(),
--- a/server/routers/resource/getUserResources.ts
+++ b/server/routers/resource/getUserResources.ts
@@ -19,6 +19,7 @@ import {
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { response } from "@server/lib/response";
+import { getFirstString } from "@server/lib/requestParams";

 export async function getUserResources(
    req: Request,
@@ -26,7 +27,7 @@ export async function getUserResources(
    next: NextFunction
 ): Promise<any> {
    try {
-        const { orgId } = req.params;
+        const orgId = getFirstString(req.params.orgId);
        const userId = req.user?.userId;

        if (!userId) {
@@ -35,6 +36,12 @@ export async function getUserResources(
            );
        }

+        if (!orgId) {
+            return next(
+                createHttpError(HttpCode.BAD_REQUEST, "Invalid organization ID")
+            );
+        }
+
        // Check user is in organization and get their role IDs
        const [userOrg] = await db
            .select()