ryan/lunarfront-app
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix security issues: path traversal, typed errors, file validation

Browse Source 
- Fix path traversal in file serve endpoint (validate company prefix, block ..)
- Add typed error classes: ValidationError, NotFoundError, ForbiddenError,
  ConflictError, StorageError
- Global error handler catches AppError subclasses with correct status codes
- 4xx logged as warn, 5xx as error with request ID
- File upload validates entityType whitelist, UUID format, category pattern
- Remove fragile string-matching error handling from routes
- Services throw typed errors instead of plain Error
- Health endpoint documented as intentionally public
This commit is contained in:
Ryan Moon
2026-03-28 16:03:45 -05:00
parent 5aadd68128
commit e65175ef19
9 changed files with 150 additions and 86 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
packages/backend/src/routes/v1/health.ts
View File

@@ -2,6 +2,7 @@ import type { FastifyPluginAsync } from 'fastify'
import { sql } from 'drizzle-orm'
export const healthRoutes: FastifyPluginAsync = async (app) => {
// Intentionally public — no auth. Load balancers, Docker health checks, and monitoring need this.
app.get('/health', async (request, reply) => {
let dbStatus = 'disconnected'
let redisStatus = 'disconnected'