
Sanitize user input 2#239

Merged
shreeyaadhikari merged 4 commits into
mainfrom
sanitize-user-input-2
Jun 30, 2026

Conversation

@shreeyaadhikari

Contributor

ℹ️ Issue

Closes #220

📝 Description

The PUT /projects/{id} endpoint was passing the entire request body directly to the database update, allowing protected columns to be overwritten. Now only safe fields can be updated.
Changes made:

  1. Added an updateValues whitelist object in the PUT handler that only allows name, description, total_budget, currency, start_date, and end_date to be updated in handler.ts
  2. Added a test that verifies sending project_id and created_at in the request body does not change those values in the database in crud.test.ts

✔️ Verification

Ran the test created in crud.test.ts

  1. Protected fields get ignored when a valid field is also sent:
[screenshot: test output]
  2. Only protected fields get rejected entirely:
[screenshot: test output]
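The allowlist pattern the PR describes, written out as a stand-alone example (added here; this is not the project's handler.ts). It keeps only the six updatable columns named in the description, drops everything else (including protected columns such as project_id and created_at), rejects a body that contains no updatable field at all, and then builds a parameterized UPDATE whose column names come only from the allowlist, never from the request. The table name, the `$n` placeholder style and the `buildUpdateQuery` helper are assumptions for illustration.

```typescript
// Added example: request-body allowlisting for PUT /projects/{id}.
// Assumed: column names below match the description; the SQL shape is
// illustrative (Postgres-style $n placeholders), not the project's own code.

// The only columns a client may change through PUT /projects/{id}.
const UPDATABLE_FIELDS = [
  "name",
  "description",
  "total_budget",
  "currency",
  "start_date",
  "end_date",
] as const;

type UpdatableField = (typeof UPDATABLE_FIELDS)[number];
type UpdateValues = Partial<Record<UpdatableField, unknown>>;

export interface AllowlistResult {
  values: UpdateValues; // fields that will reach the UPDATE statement
  ignored: string[]; // body keys that were silently dropped (e.g. project_id)
}

// Copy only allowlisted keys out of an untrusted JSON body.
// Throws when the body is not an object or carries no updatable field,
// so a request that tries to change only protected columns is rejected.
export function pickUpdateValues(body: unknown): AllowlistResult {
  if (body === null || typeof body !== "object" || Array.isArray(body)) {
    throw new Error("request body must be a JSON object");
  }
  const values: UpdateValues = {};
  const ignored: string[] = [];
  for (const [key, value] of Object.entries(body as Record<string, unknown>)) {
    if ((UPDATABLE_FIELDS as readonly string[]).includes(key)) {
      values[key as UpdatableField] = value;
    } else {
      ignored.push(key); // protected or unknown column: never forwarded
    }
  }
  if (Object.keys(values).length === 0) {
    throw new Error("no updatable fields in request body");
  }
  return { values, ignored };
}

// Build a parameterized UPDATE from allowlisted values only. Column names
// are taken from the allowlist-filtered object, so they cannot be attacker
// controlled; every value travels as a bound parameter.
export function buildUpdateQuery(
  projectId: string,
  values: UpdateValues,
): { text: string; params: unknown[] } {
  const columns = Object.keys(values) as UpdatableField[];
  const setClause = columns.map((col, i) => `${col} = $${i + 1}`).join(", ");
  const params: unknown[] = columns.map((col) => values[col]);
  params.push(projectId);
  return {
    text: `UPDATE projects SET ${setClause} WHERE project_id = $${params.length}`,
    params,
  };
}

// Usage (constructed input mirroring the PR's test cases):
//   pickUpdateValues({ name: "Q3", project_id: "other", created_at: "1970-01-01" })
//     -> values { name: "Q3" }, ignored ["project_id", "created_at"]
//   pickUpdateValues({ project_id: "other" })  -> throws "no updatable fields"
```

Because the SET clause is assembled from the filtered object's keys and the `$n` positions line up with `params`, adding a column later means adding it to `UPDATABLE_FIELDS` only; nothing in the request can introduce a column the allowlist does not name.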

@github-actions github-actions Bot requested a review from mehanana June 27, 2026 17:08
github-actions Bot added a commit that referenced this pull request Jun 27, 2026

@nourshoreibah nourshoreibah left a comment

Collaborator


Thanks for your changes! Just a nit but won't block on it

Comment thread apps/backend/lambdas/projects/handler.ts Outdated

@mehanana mehanana left a comment

Contributor


lgtm!!

github-actions Bot added a commit that referenced this pull request Jun 30, 2026
@shreeyaadhikari shreeyaadhikari added this pull request to the merge queue Jun 30, 2026
Merged via the queue into main with commit 0e99248 Jun 30, 2026
14 checks passed
@shreeyaadhikari shreeyaadhikari deleted the sanitize-user-input-2 branch June 30, 2026 22:26
github-actions Bot added a commit that referenced this pull request Jun 30, 2026


Development

Successfully merging this pull request may close these issues.

Security: Sanitize user input before passing to PUT /projects/{id}

3 participants