fix(security): normalize request parameters and update dependencies

Signed-off-by: Marc Schäfer <git@marcschaeferger.de>
2026-06-25 08:41:55 +00:00 · 2026-05-15 18:35:58 +00:00
parent dd1f7ba544
commit 18d380ce30
37 changed files with 2656 additions and 3609 deletions
--- a/server/routers/resource/getUserResources.ts
+++ b/server/routers/resource/getUserResources.ts
@@ -19,6 +19,7 @@ import {
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { response } from "@server/lib/response";
+import { getFirstString } from "@server/lib/requestParams";

 export async function getUserResources(
    req: Request,
@@ -26,7 +27,7 @@ export async function getUserResources(
    next: NextFunction
 ): Promise<any> {
    try {
-        const { orgId } = req.params;
+        const orgId = getFirstString(req.params.orgId);
        const userId = req.user?.userId;

        if (!userId) {
@@ -35,6 +36,12 @@ export async function getUserResources(
            );
        }

+        if (!orgId) {
+            return next(
+                createHttpError(HttpCode.BAD_REQUEST, "Invalid organization ID")
+            );
+        }
+
        // Check user is in organization and get their role IDs
        const [userOrg] = await db
            .select()