Extends the previous commit's fix. The only caller (Donate.vue via
apiService.getSponsors()) never sends a username and always relied on the
server-side default, so the parameter had no legitimate use even after
being parameterized — it just let anyone use deflock's server as an
unauthenticated relay onto GitHub's GraphQL API under the server's own
token. Drop it entirely: the route no longer accepts a username
querystring param, and GithubClient.getSponsors() takes no argument,
hardcoding the maintainer's login via MAINTAINER_USERNAME. Keeps the
$username GraphQL-variable parameterization technique so reintroducing a
variable input later can't reintroduce the injection.
Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
The username query param was interpolated directly into the GitHub GraphQL
query string (user(login: "${username}")) sent with the server token, and
the route only validated it as a string, so a value containing a quote could
break out of the string literal and alter the query document. Impact depends
on the token's scope; at minimum it allows tampering with the query structure.
Two changes:
- Pass the username as a $login GraphQL variable so it can never alter the
query document (the actual fix).
- Validate username against GitHub's username format at the route as
defense-in-depth, rejecting malformed input before it reaches the API.
Adds a regression test for the query builder (bun test). No change in
returned data for valid usernames.
* use new df map
* close button top-right, link to same position in new map, use localStorage for modal dismissal
* update map image, iframe detection ignores new map modal
* update embed instructions
* pretty banner
* privacy policy update - routing
* launch the map language
* header stuff
* change donate link
* remove new map notice bc 301 on cf
* use user agent for alpr_counts
* news -> footnote4a
* remove blog scraper
* Added "view image" button, if a wikimedia commons tag is present.
* show thumbnail, prevent 'LPR LPR'
---------
Co-authored-by: Will Freeman <hohosanta@me.com>