mirror of
https://github.com/FoggedLens/deflock.git
synced 2026-07-15 00:07:20 +02:00
3eceedb9c6
The username query param was interpolated directly into the GitHub GraphQL
query string (user(login: "${username}")) sent with the server token, and
the route only validated it as a string, so a value containing a quote could
break out of the string literal and alter the query document. Impact depends
on the token's scope; at minimum it allows tampering with the query structure.
Two changes:
- Pass the username as a $login GraphQL variable so it can never alter the
query document (the actual fix).
- Validate username against GitHub's username format at the route as
defense-in-depth, rejecting malformed input before it reaches the API.
Adds a regression test for the query builder (bun test). No change in
returned data for valid usernames.