ryan/lunarfront-app
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix security issues: path traversal, typed errors, file validation

Browse Source 
- Fix path traversal in file serve endpoint (validate company prefix, block ..)
- Add typed error classes: ValidationError, NotFoundError, ForbiddenError,
  ConflictError, StorageError
- Global error handler catches AppError subclasses with correct status codes
- 4xx logged as warn, 5xx as error with request ID
- File upload validates entityType whitelist, UUID format, category pattern
- Remove fragile string-matching error handling from routes
- Services throw typed errors instead of plain Error
- Health endpoint documented as intentionally public
This commit is contained in:
Ryan Moon
2026-03-28 16:03:45 -05:00
parent 5aadd68128
commit e65175ef19
9 changed files with 150 additions and 86 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
packages/backend/src/routes/v1/lookups.ts
View File

@@ -1,6 +1,7 @@
import type { FastifyPluginAsync } from 'fastify'
import { LookupCreateSchema, LookupUpdateSchema } from '@forte/shared/schemas'
import { UnitStatusService, ItemConditionService } from '../../services/lookup.service.js'
import { ConflictError, ValidationError } from '../../lib/errors.js'
function createLookupRoutes(prefix: string, service: typeof UnitStatusService) {
const routes: FastifyPluginAsync = async (app) => {
@@ -12,13 +13,12 @@ function createLookupRoutes(prefix: string, service: typeof UnitStatusService) {
app.post(`/${prefix}`, { preHandler: [app.authenticate] }, async (request, reply) => {
const parsed = LookupCreateSchema.safeParse(request.body)
if (!parsed.success) {
return reply.status(400).send({ error: { message: 'Validation failed', details: parsed.error.flatten(), statusCode: 400 } })
throw new ValidationError('Validation failed', parsed.error.flatten())
}
// Check slug uniqueness
const existing = await service.getBySlug(app.db, request.companyId, parsed.data.slug)
if (existing) {
return reply.status(409).send({ error: { message: `Slug "${parsed.data.slug}" already exists`, statusCode: 409 } })
throw new ConflictError(`Slug "${parsed.data.slug}" already exists`)
}
const row = await service.create(app.db, request.companyId, parsed.data)
@@ -29,32 +29,18 @@ function createLookupRoutes(prefix: string, service: typeof UnitStatusService) {
const { id } = request.params as { id: string }
const parsed = LookupUpdateSchema.safeParse(request.body)
if (!parsed.success) {
return reply.status(400).send({ error: { message: 'Validation failed', details: parsed.error.flatten(), statusCode: 400 } })
}
try {
const row = await service.update(app.db, request.companyId, id, parsed.data)
if (!row) return reply.status(404).send({ error: { message: 'Not found', statusCode: 404 } })
return reply.send(row)
} catch (err) {
if (err instanceof Error && err.message.includes('system')) {
return reply.status(403).send({ error: { message: err.message, statusCode: 403 } })
}
throw err
throw new ValidationError('Validation failed', parsed.error.flatten())
}
const row = await service.update(app.db, request.companyId, id, parsed.data)
if (!row) return reply.status(404).send({ error: { message: 'Not found', statusCode: 404 } })
return reply.send(row)
})
app.delete(`/${prefix}/:id`, { preHandler: [app.authenticate] }, async (request, reply) => {
const { id } = request.params as { id: string }
try {
const row = await service.delete(app.db, request.companyId, id)
if (!row) return reply.status(404).send({ error: { message: 'Not found', statusCode: 404 } })
return reply.send(row)
} catch (err) {
if (err instanceof Error && err.message.includes('system')) {
return reply.status(403).send({ error: { message: err.message, statusCode: 403 } })
}
throw err
}
const row = await service.delete(app.db, request.companyId, id)
if (!row) return reply.status(404).send({ error: { message: 'Not found', statusCode: 404 } })
return reply.send(row)
})
}
return routes