Merge pull request #3085 from marcschaeferger-org/security-updates

Normalize request parameters and update dependencies for Security
2026-06-03 22:35:59 +00:00 · 2026-05-27 21:37:50 -07:00
parent ddabfb5ca1
commit 2946df3b8e
37 changed files with 2656 additions and 3609 deletions
--- a/server/private/middlewares/verifyRemoteExitNodeAccess.ts
+++ b/server/private/middlewares/verifyRemoteExitNodeAccess.ts
@@ -18,6 +18,7 @@ import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
+import { getFirstString } from "@server/lib/requestParams";

 export async function verifyRemoteExitNodeAccess(
    req: Request,
@@ -25,11 +26,11 @@ export async function verifyRemoteExitNodeAccess(
    next: NextFunction
 ) {
    const userId = req.user!.userId; // Assuming you have user information in the request
-    const orgId = req.params.orgId;
+    const orgId = getFirstString(req.params.orgId);
    const remoteExitNodeId =
-        req.params.remoteExitNodeId ||
-        req.body.remoteExitNodeId ||
-        req.query.remoteExitNodeId;
+        getFirstString(req.params.remoteExitNodeId) ||
+        getFirstString(req.body?.remoteExitNodeId) ||
+        getFirstString(req.query?.remoteExitNodeId);

    if (!userId) {
        return next(
@@ -37,6 +38,15 @@ export async function verifyRemoteExitNodeAccess(
        );
    }

+    if (!orgId || !remoteExitNodeId) {
+        return next(
+            createHttpError(
+                HttpCode.BAD_REQUEST,
+                "Invalid organization or remote exit node ID"
+            )
+        );
+    }
+
    try {
        const [remoteExitNode] = await db
            .select()