sanitize PUT /projects input to prevent field injection #229

Open

shreeyaadhikari wants to merge 2 commits into main from sanitize-user-input

Conversation

shreeyaadhikari commented Jun 9, 2026

ℹ️ Issue

Closes #220

📝 Description

The PUT /projects/{id} endpoint was passing the entire request body directly to the database update, allowing protected columns to be overwritten. Now only safe fields can be updated.
Changes made:

  1. Added an updateValues whitelist object in the PUT handler that only allows name, description, total_budget, currency, start_date, and end_date to be updated in handler.ts
  2. Added a test that verifies sending project_id and created_at in the request body does not change those values in the database in crud.test.ts

✔️ Verification

Ran the test created in crud.test.ts

  1. Protected fields get ignored when a valid field is also sent: [screenshot]
  2. Only protected fields get rejected entirely: [screenshot]
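Added illustration of the allowlist pattern the PR describes, not the project's own handler.ts or crud.test.ts: only the six listed fields are copied into the update object, and the two verification cases above are modelled in a small handler. The `ignored` list, the `buildUpdateValues`/`handleProjectUpdate` names and the 400 status for an all-protected body are assumptions, not taken from the PR.

```typescript
// Added example, not the project's handler.ts. Field names are the ones
// listed in the PR description; the function names are assumptions.
const UPDATABLE_PROJECT_FIELDS = [
  "name", "description", "total_budget", "currency", "start_date", "end_date",
] as const;
type UpdatableField = (typeof UPDATABLE_PROJECT_FIELDS)[number];

type ProjectUpdate = Partial<Record<UpdatableField, unknown>>;

interface SanitizeResult {
  updateValues: ProjectUpdate; // only allowlisted keys survive
  ignored: string[];           // protected/unknown keys that were dropped (assumed extra)
}

// Copies only allowlisted keys from an untrusted PUT /projects/{id} body.
// Anything else (project_id, created_at, arbitrary column names, or keys
// such as "__proto__" produced by JSON.parse) is dropped, never forwarded
// to the database update.
function buildUpdateValues(body: Record<string, unknown>): SanitizeResult {
  const updateValues: ProjectUpdate = {};
  const ignored: string[] = [];
  const allowed: ReadonlySet<string> = new Set(UPDATABLE_PROJECT_FIELDS);
  for (const key of Object.keys(body)) {
    if (allowed.has(key)) {
      updateValues[key as UpdatableField] = body[key];
    } else {
      ignored.push(key);
    }
  }
  return { updateValues, ignored };
}

// Models the two verification cases from the PR: a body with at least one
// valid field is applied with protected fields silently ignored; a body
// containing only protected fields is rejected and nothing is written.
// The 400 status code is an assumption; the PR does not state one.
function handleProjectUpdate(
  body: Record<string, unknown>,
): { status: number; updateValues?: ProjectUpdate } {
  const { updateValues } = buildUpdateValues(body);
  if (Object.keys(updateValues).length === 0) {
    return { status: 400 };
  }
  return { status: 200, updateValues };
}
```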

@github-actions github-actions Bot requested a review from Rayna-Yu June 9, 2026 17:51
github-actions Bot added a commit that referenced this pull request Jun 9, 2026

Successfully merging this pull request may close these issues.

Security: Sanitize user input before passing to PUT /projects/{id}