sendou.ink/app/features/builds/loaders
Kalle f216423089 Validate builds page limit search param
A crawler hitting /builds/:slug?limit=48%27 (URL-encoded single quote,
likely an SQL injection probe) was triggering SQLITE_MISMATCH errors
server-side. The loader was calling Number() on the raw string, which
returned NaN, and then forwarding NaN as the LIMIT bind parameter on
the underlying Kysely query. No injection was possible (params are
bound), but the bad value only failed at the DB boundary.

Parse the param through a zod schema that coerces to a positive int,
falls back to the default batch size on any invalid input, and clamps
to the page max.
2026-04-24 21:34:44 +03:00
builds.$slug.server.ts Validate builds page limit search param 2026-04-24 21:34:44 +03:00
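
The failure and the fix described in the commit message above, as an added example that is not the project's code: a plain TypeScript stand-in for the zod schema, stricter than coercion in that it accepts digit-only strings. The function names and the `DEFAULT_LIMIT` and `MAX_LIMIT` values are assumptions; the page does not state the real batch size or page max.

```typescript
// Assumed values: the page does not give the real default batch size or page max.
const DEFAULT_LIMIT = 24;
const MAX_LIMIT = 240;

// Before: what the commit message describes. Number() on the raw string
// yields NaN for "48'", and that NaN would go on to the LIMIT bind parameter.
function unsafeLimit(raw: string | null): number {
  return Number(raw);
}

// After: accept only a positive integer, fall back to the default on any
// other input, and clamp to the page maximum.
function parseLimit(raw: string | null): number {
  if (raw === null) return DEFAULT_LIMIT;
  const trimmed = raw.trim();
  // Digits only: rejects "48'", "-5", "4.5", "1e3", "0x10" and the empty string.
  if (!/^[0-9]+$/.test(trimmed)) return DEFAULT_LIMIT;
  const n = Number(trimmed);
  // Rejects 0 and values too large to be represented exactly.
  if (!Number.isSafeInteger(n) || n < 1) return DEFAULT_LIMIT;
  return Math.min(n, MAX_LIMIT);
}

// Constructed sample values, already URL-decoded ("48%27" decodes to "48'").
const SAMPLES: Array<string | null> = [
  null,
  "48",
  decodeURIComponent("48%27"),
  "0",
  "-5",
  "4.5",
  "1e3",
  "99999999",
  "999999999999999999999",
];

// Pairs each sample with what the old and the new parsing hand to the query.
function compare(): Array<{ raw: string | null; before: number; after: number }> {
  return SAMPLES.map((raw) => ({
    raw,
    before: unsafeLimit(raw),
    after: parseLimit(raw),
  }));
}

console.log(compare());
```
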