fix GraphQL query injection in /sponsors/github

The username query param was interpolated directly into the GitHub GraphQL
query string (user(login: "${username}")) sent with the server token, and
the route only validated it as a string, so a value containing a quote could
break out of the string literal and alter the query document. Impact depends
on the token's scope; at minimum it allows tampering with the query structure.

Two changes:
- Pass the username as a $login GraphQL variable so it can never alter the
  query document (the actual fix).
- Validate username against GitHub's username format at the route as
  defense-in-depth, rejecting malformed input before it reaches the API.

Adds a regression test for the query builder (bun test). No change in
returned data for valid usernames.
This commit is contained in:
Jeremy Knows
2026-07-07 22:13:29 -04:00
committed by Jeremy Knows
parent 235f4ce87c
commit 3eceedb9c6
3 changed files with 48 additions and 3 deletions
+2 -1
View File
@@ -208,7 +208,8 @@ const start = async () => {
querystring: {
type: 'object',
properties: {
username: { type: 'string', default: 'frillweeman' },
// GitHub usernames are 1-39 chars of letters, digits, and hyphens.
username: { type: 'string', pattern: '^[A-Za-z0-9-]{1,39}$', default: 'frillweeman' },
},
},
response: {