fix: fix critical security bugs and memory leaks (v1.2.4)

- fix(pagination): SQL injection in cursor pagination - field name validation
- fix(transaction): replace Math.random() with crypto.randomBytes() for jitter
- fix(monitoring): memory leak - add .unref() to setInterval
- docs: add full bug report (BUG-REPORT-2026-01-31.md)
- chore: bump version to 1.2.4
Files changed: CHANGELOG.md (54 lines)
@@ -2,6 +2,60 @@
All notable changes to this project will be documented in this file.
## [1.2.4] - 2026-01-31
### Security
- **SQL Injection Prevention (Pagination):** Fixed critical SQL injection vulnerability in cursor pagination
- `pagination.ts`: Added `validateFieldName()` function to sanitize field names
- Field names (`cursorField`, `secondaryField`) are now validated against alphanumeric + underscore + dot pattern
- Rejects dangerous SQL keywords (SELECT, INSERT, UPDATE, DELETE, DROP, UNION, etc.)
- Prevents injection via cursor field names in ORDER BY clauses
- **Cryptographic Random (Transaction Retry):** Replaced `Math.random()` with `crypto.randomBytes()` for jitter calculation
- `transaction.ts`: Retry jitter now uses cryptographically secure random generation
- Maintains consistency with project security standards
### Fixed
- **Memory Leak (Pool Monitoring):** Added `.unref()` to `setInterval` in `PoolMonitor`
- `monitoring.ts`: Pool monitoring interval now allows process to exit gracefully
- Prevents memory leak and hanging processes on shutdown
## [1.2.3] - 2026-01-31
### Security
- **Cryptographic Random Generation:** Replaced `Math.random()` with `crypto.randomBytes()` for secure secret generation
- `oauth.ts`: OAuth client secrets now use cryptographically secure random generation
- `api-keys.ts`: API keys now use cryptographically secure random generation
- API keys now store only the hash, not the plain text secret (prevents database breach exposure)
- **URL Validation:** Added `isValidHttpUrl()` to reject dangerous URL protocols
- `emojis.ts`: Emoji URLs must be HTTP(S) - prevents javascript:, data:, file: protocols
- `webhooks.ts`: Webhook URLs must be HTTP(S) - both create and update operations
- `users.ts`: Avatar URLs must be HTTP(S) or null
- **Integer Validation:** Added validation for numeric IDs from external systems
- `desk-sync.ts`: `desk_project_id` and `desk_task_id` validated as positive integers
- Prevents injection via numeric parameters
- **Memory Leak Fix:** Fixed `setInterval` memory leak in rate limiting
- Rate limit cleanup interval now properly managed with start/stop functions
- Uses `unref()` to allow process to exit cleanly
- Added graceful shutdown handler to clean up intervals
### Fixed
- **parseInt Radix:** Added explicit radix (10) to all `parseInt()` calls across 5 files
- `collections.ts`, `groups.ts`, `revisions.ts`, `users.ts`, `security.ts`
- **Savepoint SQL Injection:** Added `sanitizeSavepointName()` to prevent SQL injection in savepoints
- Validates savepoint names against PostgreSQL identifier rules
- **Share URL Generation:** Replaced `Math.random()` with `crypto.randomBytes()` for share URL IDs
- Also replaced deprecated `.substr()` with modern approach
## [1.2.2] - 2026-01-31
### Security
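Review bot: the only file in this commit is CHANGELOG.md (+54 lines), yet the commit message and this hunk describe code changes in `pagination.ts`, `transaction.ts` and `monitoring.ts`, a new BUG-REPORT-2026-01-31.md and a version bump to 1.2.4; none of those appear in the diff, so either the changelog should land together with the fixes it documents or the message should say this is a changelog-only entry. On the entries themselves: the `validateFieldName()` bullet under 1.2.4 lists both an allowlist pattern (alphanumeric, underscore, dot) and a denylist of SQL keywords; a value that already matches the allowlist cannot carry quotes, spaces or operators, so the keyword denylist adds no protection against injection and, depending on whether it is a substring or whole-token check, may reject legitimate column names such as `updated_at`; checking `cursorField` and `secondaryField` against the table's known columns is the stronger statement to make here. The `transaction.ts` jitter change is a consistency cleanup rather than a vulnerability fix (retry jitter is not a secret), so it belongs under `Fixed` or `Changed` rather than `Security`. Finally, the `## [1.2.2]` section at the end of the hunk contains only a `### Security` heading with no entries, and all three versions carry the same date (2026-01-31), which suggests 1.2.3 and 1.2.2 were released without changelog entries at the time.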