Commit Graph

10 Commits

Author SHA1 Message Date
Jeremy Knows 3eceedb9c6 fix GraphQL query injection in /sponsors/github
The username query param was interpolated directly into the GitHub GraphQL
query string (user(login: "${username}")) sent with the server token, and
the route only validated it as a string, so a value containing a quote could
break out of the string literal and alter the query document. Impact depends
on the token's scope; at minimum it allows tampering with the query structure.

Two changes:
- Pass the username as a $login GraphQL variable so it can never alter the
  query document (the actual fix).
- Validate username against GitHub's username format at the route as
  defense-in-depth, rejecting malformed input before it reaches the API.

Adds a regression test for the query builder (bun test). No change in
returned data for valid usernames.
2026-07-07 22:27:40 -04:00
Will Freeman ec8bb9cdca remove spans, log geocoding shit bc of cost 2026-04-29 21:34:51 -06:00
Will Freeman ae861e8e7b zip code short circuit 2026-04-26 17:14:57 -06:00
Will Freeman a39f1a6a36 Add OTel (#114)
* init otel

* deflock group

* no internal metrics

* only log errors for now
2026-04-26 13:20:32 -06:00
Will Freeman c99d4cf597 include address in Nominatim result (for new map) 2026-04-24 09:55:02 -06:00
Will Freeman b0d1e5299d add customer before creating ticket 2026-04-23 09:43:18 -06:00
Will Freeman 7c27235400 zip code fix (#112) 2026-04-21 11:49:46 -06:00
Will Freeman c298a3f5d4 create helpdesk tickets from form submission (#111) 2026-04-21 11:36:24 -06:00
Will Freeman 64ac4c227e Multi Geocode (#109)
* multi-geocode for new map

* backward compatibility w/ city polygon
2026-04-19 15:28:05 -06:00
Will Freeman db49ac2a98 separate fe and be, deploy on push to master 2026-02-02 11:41:29 -07:00