security: fix MEDIUM findings (M2, M5, M10) and H5 (#5601)

* security: fix MEDIUM findings (M2, M5, M10) and HIGH H5

M2: Validate table name and where field in buildDynamicUpdateQuery()
    against safe identifier regex to prevent SQL injection.

M5: Add URL protocol validation in hypothesisRunner to prevent SSRF.
    Only allows http: and https: protocols.

M10: Replace Math.random() with crypto.randomBytes() for prompt ID
    generation in PromptManager.

H5: Replace eval() with direct function call in requests.tsx.
    The Google Translate compatibility fix was using eval() on a
    hardcoded string — converted to a proper function.

* revert: undo M10 crypto.randomBytes change in PromptManager

Math.random() is fine for prompt IDs — they're not security tokens.

Author: ink-the-squid

valhalla/jawn/src/lib/experiment/hypothesisRunner.ts

@@ -33,6 +33,11 @@ async function runWithRetry(
     promptVersionId,
     isOriginalRequest,
   } = props;
+  // Validate URL to prevent SSRF
+  if (!["https:", "http:"].includes(url.protocol)) {
+    return err(`Invalid URL protocol: ${url.protocol}`);
+  }
+
   const heliconeOnHeliconeApiKey = await GET_KEY(
     "key:helicone_on_helicone_key"
   );

web/lib/api/db/dbExecute.ts

@@ -149,6 +149,15 @@ export function buildDynamicUpdateQuery(options: {
   };
 }): { query: string; params: any[] } {
   const { from, set, where } = options;
+
+  // Validate table and field names to prevent SQL injection
+  if (!/^[a-zA-Z0-9_]+$/.test(from)) {
+    throw new Error(`Invalid table name: ${from}`);
+  }
+  if (!/^[a-zA-Z0-9_]+$/.test(where.field)) {
+    throw new Error(`Invalid where field name: ${where.field}`);
+  }
+
   const queryParts: string[] = [];
   const params: any[] = [];
   let paramCounter = 1;

web/pages/requests.tsx

@@ -6,31 +6,28 @@ import { SortDirection } from "../services/lib/sorts/requests/sorts";
 import { logger } from "@/lib/telemetry/logger";
 
 // Got this ugly hack from https://stackoverflow.com/questions/21926083/failed-to-execute-removechild-on-node
-const jsToRun = `
-if (typeof Node === 'function' && Node.prototype) {
-  const originalRemoveChild = Node.prototype.removeChild;
-  Node.prototype.removeChild = function(child) {
-    if (child.parentNode !== this) {
-      if (console) {
-        logger.error({ child: child.toString(), parent: this.toString() }, 'Cannot remove a child from a different parent');
+function applyGoogleTranslateFix() {
+  if (typeof Node === "function" && Node.prototype) {
+    const originalRemoveChild = Node.prototype.removeChild;
+    Node.prototype.removeChild = function (child: any) {
+      if (child.parentNode !== this) {
+        return child;
       }
-      return child;
-    }
-    return originalRemoveChild.apply(this, arguments);
-  }
+      return originalRemoveChild.apply(this, arguments as any);
+    };
 
-  const originalInsertBefore = Node.prototype.insertBefore;
-  Node.prototype.insertBefore = function(newNode, referenceNode) {
-    if (referenceNode && referenceNode.parentNode !== this) {
-      if (console) {
-        logger.error({ referenceNode: referenceNode.toString(), parent: this.toString() }, 'Cannot insert before a reference node from a different parent');
+    const originalInsertBefore = Node.prototype.insertBefore;
+    Node.prototype.insertBefore = function (
+      newNode: any,
+      referenceNode: any
+    ) {
+      if (referenceNode && referenceNode.parentNode !== this) {
+        return newNode;
       }
-      return newNode;
-    }
-    return originalInsertBefore.apply(this, arguments);
+      return originalInsertBefore.apply(this, arguments as any);
+    };
   }
 }
-`;
 
 interface RequestsV2Props {
   currentPage: number;
@@ -49,7 +46,7 @@ const RequestsV2 = (props: RequestsV2Props) => {
   useEffect(() => {
     var observer = new MutationObserver(function () {
       if (document.documentElement.className.match("translated")) {
-        eval(jsToRun);
+        applyGoogleTranslateFix();
       } else {
         logger.info("Page untranslate");
       }