25 changes: 24 additions & 1 deletion next.config.mjs
Expand Up @@ -16,5 +16,28 @@ export default withBundleAnalyzer({
}
]
},
output: 'standalone'
output: 'standalone',
async headers() {
return [
{
source: '/(.*)',
headers: [
{ key: 'X-Frame-Options', value: 'DENY' },
{ key: 'X-Content-Type-Options', value: 'nosniff' },
{ key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
{
key: 'Content-Security-Policy',
value: [
"default-src 'self'",
"script-src 'self' 'unsafe-inline'",
"style-src 'self' 'unsafe-inline'",
"img-src 'self' data: https://lh3.googleusercontent.com https://avatars.githubusercontent.com",
"connect-src 'self'",
"frame-ancestors 'none'"
].join('; ')
}
]
}
]
}
})
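Review bot: `"script-src 'self' 'unsafe-inline'"` on the line after `default-src` leaves the policy unable to block injected inline scripts, which is the main XSS protection a CSP provides; Next.js needs a per-request nonce (generated in middleware and threaded into its script tags) before `'unsafe-inline'` can be dropped, so if that is out of scope here a comment above the directive saying so would keep the next reader from assuming the policy is strict. `base-uri` does not fall back to `default-src`, so add `"base-uri 'self'",` alongside the other directives, and `"form-action 'self'",` if no form posts cross-origin. `X-Frame-Options: DENY` and `frame-ancestors 'none'` overlap, which is fine since the former still covers older browsers.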
3 changes: 2 additions & 1 deletion src/app/api/assessments/route.ts
Expand Up @@ -3,7 +3,7 @@ import { NextRequest } from 'next/server'
import { CreateAssessmentSchema } from '@/lib/api/schema/assessment'
import prisma from '@/lib/prisma'
import { getServerUser } from '@/lib/session'
import { badRequest, json, unauthorized } from '@/utils/apiResponse'
import { badRequest, forbidden, json, unauthorized } from '@/utils/apiResponse'
import removeArrDup from '@/utils/removeArrDup'

export async function GET() {
Expand Down Expand Up @@ -35,6 +35,7 @@ export async function POST(req: NextRequest) {

if (!user) return unauthorized()
if (!user.id) return unauthorized('User ID not found')
if (!user.admin) return forbidden()

const parsedBody = CreateAssessmentSchema.safeParse(await req.json())

6 changes: 5 additions & 1 deletion src/app/api/render/route.ts
@@ -1,9 +1,13 @@
import { NextRequest } from 'next/server'

import { mdxToHtml } from '@/lib/renderMarkdown'
import { badRequest, json } from '@/utils/apiResponse'
import { getServerUser } from '@/lib/session'
import { badRequest, json, unauthorized } from '@/utils/apiResponse'

export async function POST(req: NextRequest) {
const user = await getServerUser()
if (!user) return unauthorized()

const body = await req.json()

const { content } = body
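Review bot: The new `getServerUser` gate makes the render endpoint require a session but still passes `content` on to `mdxToHtml` without any shape check, and `const { content } = body` right after the gate throws if the body is not an object. If `mdxToHtml` compiles MDX (which may contain JSX and JavaScript expressions) rather than plain Markdown, any signed-in user can have it evaluate arbitrary expressions on the server — worth confirming what the helper does and, if so, restricting this route to admins as `assessments/route.ts` now does, or rendering through a sanitizing pipeline. At minimum validate the input before the call, e.g. `if (typeof content !== 'string') return badRequest()`. POST's body continues outside the hunk.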
6 changes: 6 additions & 0 deletions src/app/api/submissions/[id]/realtime/route.ts
Expand Up @@ -20,6 +20,7 @@ export async function GET(
status: true,
score: true,
groups: true,
userId: true,

task: {
select: {
Expand All @@ -43,11 +44,16 @@ export async function GET(
if (!(await checkUserPermissionOnTask(user, submission.task.id))) {
return forbidden()
}

if (!user.admin && submission.userId !== user.id) {
return forbidden()
}
}

const payload: DeepPartial<typeof submission> = submission

delete payload.task
delete payload.userId

return json(payload)
}
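Review bot: The ownership check added as `if (!user.admin && submission.userId !== user.id)` sits inside an enclosing block whose opening condition is above the hunk (the block closed by the `}` just before `const payload`); if that outer block only runs under some condition, non-owners would still be served the submission whenever that condition is false. Unless the outer condition is exactly "not admin", consider moving the ownership check out of that block to directly before `const payload` so it runs on every path. Selecting `userId: true` and then `delete payload.userId` is fine since the field is only needed for the check; a comment next to the select line such as `// needed for the ownership check only; stripped before the response` would make that intent explicit. The surrounding GET begins above the hunk.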
2 changes: 0 additions & 2 deletions src/app/api/tasks/[id]/route.ts
Expand Up @@ -129,8 +129,6 @@ export async function DELETE(
const params = await props.params
const id = params.id

console.log(id)

const user = await getServerUser()

if (!user) {
3 changes: 1 addition & 2 deletions src/app/api/users/route.ts
@@ -1,4 +1,3 @@
import { checkOwnerPermission } from '@/lib/api/queries/checkOwnerPermissionOnAssessment'
import prisma from '@/lib/prisma'
import { getServerUser } from '@/lib/session'
import { forbidden, json, unauthorized } from '@/utils/apiResponse'
Expand All @@ -10,7 +9,7 @@ export async function GET() {
return unauthorized()
}

if (!user.admin && !(user.id && (await checkOwnerPermission(user.id)))) {
if (!user.admin) {
return forbidden()
}

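Review bot: Replacing `!(user.id && (await checkOwnerPermission(user.id)))` with a plain admin gate withdraws `GET /api/users` from assessment owners, a behavior change the diff does not document; if an owner-facing screen still calls this endpoint it will now receive 403. Confirm those callers, or record the intent above the check with a comment like `// listing all users is admin-only; assessment owners no longer have access` if that is the decision. GET's body continues outside the hunk.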
4 changes: 4 additions & 0 deletions src/app/render/page.tsx
Expand Up @@ -20,6 +20,10 @@ export default function Render() {
method: 'POST',
body: JSON.stringify({ content: md })
})
if (!res.ok) {
setLoading(false)
return
}
setRendered(await res.json())
setLoading(false)
}
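Review bot: The `!res.ok` branch clears the loading flag and returns silently, so a user whose request is rejected (the API now answers 401 without a session) sees nothing happen, and a rejected `fetch` promise or a failing `res.json()` still bypasses `setLoading(false)` and leaves the loading state stuck. A `try`/`finally` clears the flag on every path and removes the duplicated `setLoading(false)`; surfacing the failure (an error state, or at least keeping the previous render) is then a one-line addition in the `!res.ok` branch. The enclosing handler starts outside the hunk, so the excerpt below begins at the fetch call.
```tsx
try {
  const res = await fetch(/* … unchanged: request url … */, {
    method: 'POST',
    body: JSON.stringify({ content: md })
  })
  if (!res.ok) {
    // TODO: surface the failure to the user instead of dropping it silently
    return
  }
  setRendered(await res.json())
} finally {
  setLoading(false)
}
```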
8 changes: 7 additions & 1 deletion src/lib/api/schema/tasks.ts
Expand Up @@ -7,7 +7,13 @@ export const IndividualTaskSchema = z.object({ id: z.string().min(1) })

export type IndividualTaskSchema = z.infer<typeof IndividualTaskSchema>

const FilePath = z.object({ path: z.string().min(1), type: z.string() })
const FilePath = z.object({
path: z
.string()
.min(1)
.regex(/^[a-zA-Z0-9._-]+$/, 'Invalid file path'),
type: z.string()
})

export const TaskSchema = z.object({
id: z.string().min(1),
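Review bot: The new `path` regex `/^[a-zA-Z0-9._-]+$/` still accepts `.` and `..`, so a file entry named `..` passes validation; with separators excluded the effect is limited to the parent of wherever the name is joined, but it should be rejected outright, e.g. `.refine(p => p !== '.' && p !== '..', 'Invalid file path')` chained after the `.regex(...)` call. The field is now effectively a single file name rather than a path (no `/` allowed), which is worth stating in a comment above `const FilePath` so callers do not try to pass nested paths. Whether a length cap such as `.max(255)` is wanted depends on where the name is stored.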