Merge pull request #3085 from marcschaeferger-org/security-updates

Normalize request parameters and update dependencies for Security
2026-06-03 06:21:32 +00:00 · 2026-05-27 21:37:50 -07:00
parent ddabfb5ca1
commit 2946df3b8e
37 changed files with 2656 additions and 3609 deletions
--- a/server/routers/resource/getUserResources.ts
+++ b/server/routers/resource/getUserResources.ts
@@ -19,6 +19,7 @@ import {
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { response } from "@server/lib/response";
+import { getFirstString } from "@server/lib/requestParams";

 export async function getUserResources(
    req: Request,
@@ -26,7 +27,7 @@ export async function getUserResources(
    next: NextFunction
 ): Promise<any> {
    try {
-        const { orgId } = req.params;
+        const orgId = getFirstString(req.params.orgId);
        const userId = req.user?.userId;

        if (!userId) {
@@ -35,6 +36,12 @@ export async function getUserResources(
            );
        }

+        if (!orgId) {
+            return next(
+                createHttpError(HttpCode.BAD_REQUEST, "Invalid organization ID")
+            );
+        }
+
        // Check user is in organization and get their role IDs
        const [userOrg] = await db
            .select()