mirror of
https://github.com/fosrl/pangolin.git
synced 2026-07-11 08:42:54 -05:00
[PR #3085] [MERGED] Normalize request parameters and update dependencies for Security #36821
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
📋 Pull Request Information
Original PR: https://github.com/fosrl/pangolin/pull/3085
Author: @marcschaeferger
Created: 5/15/2026
Status: ✅ Merged
Merged: 5/28/2026
Merged by: @oschwartz10612
Base:
dev← Head:security-updates📝 Commits (1)
18d380cfix(security): normalize request parameters and update dependencies📊 Changes
37 files changed (+2728 additions, -3681 deletions)
View changed files
📝
drizzle.sqlite.config.ts(+1 -1)📝
install/go.mod(+2 -2)📝
install/go.sum(+4 -4)📝
next.config.ts(+1 -6)📝
package-lock.json(+2265 -3475)📝
package.json(+52 -50)📝
server/index.ts(+1 -1)➕
server/lib/requestParams.ts(+11 -0)📝
server/middlewares/integration/verifyAccessTokenAccess.ts(+8 -1)📝
server/middlewares/integration/verifyApiKeyApiKeyAccess.ts(+5 -2)📝
server/middlewares/integration/verifyApiKeyDomainAccess.ts(+11 -2)📝
server/middlewares/integration/verifyApiKeyIdpAccess.ts(+8 -3)📝
server/middlewares/integration/verifyApiKeyOrgAccess.ts(+3 -2)📝
server/middlewares/integration/verifyApiKeySiteResourceAccess.ts(+4 -2)📝
server/middlewares/integration/verifyApiKeyTargetAccess.ts(+4 -2)📝
server/middlewares/verifyAccessTokenAccess.ts(+9 -2)📝
server/middlewares/verifyApiKeyAccess.ts(+20 -7)📝
server/middlewares/verifyDomainAccess.ts(+4 -7)📝
server/middlewares/verifyLimits.ts(+5 -1)📝
server/middlewares/verifyOrgAccess.ts(+2 -1)...and 17 more files
📄 Description
Community Contribution License Agreement
By creating this pull request, I grant the project maintainers an unlimited,
perpetual license to use, modify, and redistribute these contributions under any terms they
choose, including both the AGPLv3 and the Fossorial Commercial license terms. I
represent that I have the right to grant this license for all contributed content.
Description (Description generated by AI/Copilot)
This pull request introduces several dependency updates and refactors how request parameters are handled in API key and access token middleware, improving type safety and error handling. The most significant changes are grouped below.
Dependency Updates:
package.json, including major upgrades tonext,react,next-intl,@react-email/*,axios,recharts, and others, as well as their corresponding types and build tools. [1] [2] [3] [4]install/go.mod, notablygolang.org/x/termandgolang.org/x/sys. [1] [2]Middleware Refactors and Type Safety:
getFirstStringinserver/lib/requestParams.tsto safely extract the first string from various request parameter sources, handling both string and array types.verifyApiKeyApiKeyAccess.ts,verifyApiKeyDomainAccess.ts,verifyApiKeyIdpAccess.ts,verifyApiKeyOrgAccess.ts,verifyApiKeySiteResourceAccess.ts,verifyApiKeyTargetAccess.ts,verifyAccessTokenAccess.ts, andverifyAccessTokenAccess.ts) to usegetFirstStringfor extracting parameters, improving robustness against malformed or unexpected request data. Added explicit checks for missing or invalid IDs, returning appropriate HTTP errors. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16] [17] [18]Build and Config Updates:
drizzle.sqlite.config.tsandserver/index.tsfor consistency and compatibility. [1] [2]next.config.tsby movingreactCompilerto the top level and removing theeslintbuild ignore.These changes collectively improve the reliability of parameter handling in API endpoints and keep the project dependencies up to date.
How to test?
🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.