Extends the previous commit's fix. The only caller (Donate.vue via
apiService.getSponsors()) never sends a username and always relied on the
server-side default, so the parameter had no legitimate use even after
being parameterized — it just let anyone use deflock's server as an
unauthenticated relay onto GitHub's GraphQL API under the server's own
token. Drop it entirely: the route no longer accepts a username
querystring param, and GithubClient.getSponsors() takes no argument,
hardcoding the maintainer's login via MAINTAINER_USERNAME. Keeps the
$username GraphQL-variable parameterization technique so reintroducing a
variable input later can't reintroduce the injection.
Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
The username query param was interpolated directly into the GitHub GraphQL
query string (user(login: "${username}")) sent with the server token, and
the route only validated it as a string, so a value containing a quote could
break out of the string literal and alter the query document. Impact depends
on the token's scope; at minimum it allows tampering with the query structure.
Two changes:
- Pass the username as a $login GraphQL variable so it can never alter the
query document (the actual fix).
- Validate username against GitHub's username format at the route as
defense-in-depth, rejecting malformed input before it reaches the API.
Adds a regression test for the query builder (bun test). No change in
returned data for valid usernames.