
fix: prevent client-controlled field injection via object spread #9037

Open

Yzgaming005 wants to merge 4 commits into SecureBananaLabs:main from Yzgaming005:fix/field-injection-spread

Conversation

@Yzgaming005


/claim #9036

Summary

  • Moved spread operator (...payload) to the beginning of object literals in messageService.js and jobService.js
  • Server-controlled fields (id, status, sentAt) now come AFTER the spread, preventing client override
  • Added regression tests verifying that injected id, status, and sentAt values are ignored

Test Results

# tests 2
# pass 2
# fail 0

Validation

git diff --check: passed
npm test: all tests pass

Ref: #743

Yusrizal Ahmad added 4 commits June 27, 2026 12:43
- Updated errorHandler to recognize body-parser parse errors (entity.parse.failed)
  and return HTTP 400 with { success: false, message } shape
- Added ZodError recognition in errorHandler returning 400 with structured issues
- Added catchAsync utility to forward async errors to Express error handler
- Wrapped auth and job route handlers with catchAsync
- Added regression tests for malformed JSON, invalid registration, and missing fields

Closes SecureBananaLabs#9020
Closes SecureBananaLabs#9018
Ref: SecureBananaLabs#743
- Added 5 MB file size limit to Multer configuration
- Updated errorHandler to recognize LIMIT_FILE_SIZE errors and return HTTP 413
- Wrapped upload route with catchAsync for proper error forwarding
- Added regression tests for small (accepted) and oversized (rejected) uploads

Closes SecureBananaLabs#9028
Ref: SecureBananaLabs#743
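The error-handling changes described in the two commit messages above, as an added example that is not the project's code. It has no Express dependency: the classification is a pure function from an error to `{ status, body }` so it runs offline, and `catchAsync` is the usual promise-forwarding wrapper. The sample errors are constructed to carry the fields the real libraries set (body-parser's `type === 'entity.parse.failed'`, zod's `name === 'ZodError'` with an `issues` array, Multer's `code === 'LIMIT_FILE_SIZE'`); the `success`/`message` response shape and the 400/413 status codes come from the commit messages, the message strings are assumptions.

```javascript
// Added example, not the project's errorHandler. Maps known error shapes to a
// response; anything unrecognised becomes a generic 500 so internals do not leak.
function errorToResponse(err) {
  // body-parser flags malformed JSON bodies with type 'entity.parse.failed'
  if (err && err.type === "entity.parse.failed") {
    return { status: 400, body: { success: false, message: "Malformed JSON body" } };
  }
  // zod validation failures: name 'ZodError' and an issues array with path/message
  if (err && err.name === "ZodError" && Array.isArray(err.issues)) {
    return {
      status: 400,
      body: {
        success: false,
        message: "Validation failed",
        issues: err.issues.map((i) => ({ path: i.path.join("."), message: i.message })),
      },
    };
  }
  // Multer rejects files above the configured limit with code 'LIMIT_FILE_SIZE'
  if (err && err.code === "LIMIT_FILE_SIZE") {
    return { status: 413, body: { success: false, message: "File too large" } };
  }
  return { status: 500, body: { success: false, message: "Internal server error" } };
}

// Express-style error middleware (four arguments are required for Express to
// treat it as an error handler). Assumes res.status().json() as in Express.
function errorHandler(err, req, res, next) {
  const { status, body } = errorToResponse(err);
  res.status(status).json(body);
}

// catchAsync: a rejected promise from an async route handler is passed to
// next(err), so it reaches errorHandler instead of leaving the request hanging.
const catchAsync = (fn) => (req, res, next) =>
  Promise.resolve(fn(req, res, next)).catch(next);

// Constructed sample errors (shape only; not produced by the real libraries here).
const parseError = Object.assign(new SyntaxError("Unexpected token"), {
  type: "entity.parse.failed",
  status: 400,
});
const zodError = Object.assign(new Error("invalid"), {
  name: "ZodError",
  issues: [{ path: ["email"], message: "Required" }],
});
const multerError = Object.assign(new Error("File too large"), { code: "LIMIT_FILE_SIZE" });

// Drive catchAsync with a stub next() to show that the rejection is forwarded
// and then classified; returns the status errorHandler would send.
async function forwardedStatus(err) {
  let forwarded;
  const handler = catchAsync(async () => {
    throw err;
  });
  await handler({}, {}, (e) => {
    forwarded = e;
  });
  return errorToResponse(forwarded).status;
}

console.log(errorToResponse(parseError), errorToResponse(zodError), errorToResponse(multerError));
```

The ordering of the checks is deliberate: the body-parser and Multer branches match on fields the libraries set explicitly, so they do not collide with the generic fallback, and the fallback never echoes `err.message` to the client.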
- Protected /api/auth/refresh route with authMiddleware
- Updated refreshToken service to accept subject and role parameters
- Updated refresh controller to pass authenticated user's sub and role
- Added regression tests for unauthenticated rejection and identity preservation

Closes SecureBananaLabs#9030
Ref: SecureBananaLabs#743
- Moved spread operator before server-controlled fields in messageService.js
- Moved spread operator before server-controlled fields in jobService.js
- Clients can no longer override id, status, or sentAt via request payload
- Added regression tests for both message and job creation

Closes SecureBananaLabs#9036
Ref: SecureBananaLabs#743
github-actions Bot added a commit that referenced this pull request Jun 27, 2026
