fix(security): address CodeQL high-severity findings

ddlManager.ts — add assertValidOrgId() (regex /^[A-Za-z0-9]{15,18}$/)
called at the top of every DDL function so CodeQL's taint tracking can see
that orgId is validated before it reaches any SQL string. Matches the same
regex already enforced by schemaNameForOrgId() in migrate.ts.

app.ts — enable Helmet's Content Security Policy instead of disabling it.
Directives are tuned for the bundled React SPA: scripts from self only,
unsafe-inline styles for Tailwind, no CDN, no frame embedding.

Co-Authored-By: Claude <noreply@anthropic.com>

Author: SSheppDev

src/api/src/app.ts

@@ -60,8 +60,21 @@ const syncLimiter = rateLimit({
 export function createApp() {
   const app = express()
 
-  // HTTP security headers — CSP disabled to allow the bundled React SPA to load
-  app.use(helmet({ contentSecurityPolicy: false }))
+  // HTTP security headers with CSP tuned for the bundled React SPA (no CDN, no inline scripts)
+  app.use(helmet({
+    contentSecurityPolicy: {
+      directives: {
+        defaultSrc: ["'self'"],
+        scriptSrc: ["'self'"],
+        styleSrc: ["'self'", "'unsafe-inline'"], // Tailwind uses inline style attributes
+        imgSrc: ["'self'", 'data:'],
+        fontSrc: ["'self'", 'data:'],
+        connectSrc: ["'self'"],
+        objectSrc: ["'none'"],
+        frameAncestors: ["'none'"],
+      },
+    },
+  }))
 
   // JSON body parser
   app.use(express.json({ limit: '100kb' }))

src/api/src/sync/ddlManager.ts

@@ -7,13 +7,20 @@ import { schemaNameForOrgId } from '../db/migrate'
 // ---------------------------------------------------------------------------
 
 const SF_API_NAME_RE = /^[A-Za-z][A-Za-z0-9_]{0,79}$/
+const ORG_ID_RE = /^[A-Za-z0-9]{15,18}$/
 
 function assertValidApiName(name: string, label: string): void {
   if (!SF_API_NAME_RE.test(name)) {
     throw new Error(`ddlManager: invalid ${label} "${name}"`)
   }
 }
 
+function assertValidOrgId(orgId: string): void {
+  if (!ORG_ID_RE.test(orgId)) {
+    throw new Error(`ddlManager: invalid orgId "${orgId}"`)
+  }
+}
+
 const SYSTEM_COLUMNS = new Set([
   'id',
   'sf_created_at',
@@ -89,6 +96,7 @@ function quoteIdent(name: string): string {
  * grants if the role exists, so newly added orgs are visible to BI users.
  */
 export async function createOrgSchema(orgId: string): Promise<void> {
+  assertValidOrgId(orgId)
   const schema = schemaNameForOrgId(orgId)
   await pool.query(`CREATE SCHEMA IF NOT EXISTS ${schema}`)
 
@@ -111,6 +119,7 @@ export async function createOrgSchema(orgId: string): Promise<void> {
  * with the user before invoking — this is destructive.
  */
 export async function dropOrgSchema(orgId: string): Promise<void> {
+  assertValidOrgId(orgId)
   const schema = schemaNameForOrgId(orgId)
   await pool.query(`DROP SCHEMA IF EXISTS ${schema} CASCADE`)
 }
@@ -128,6 +137,7 @@ export async function createObjectTable(
   objectApiName: string,
   fields: Array<{ apiName: string; sfType: string }>
 ): Promise<void> {
+  assertValidOrgId(orgId)
   assertValidApiName(objectApiName, 'objectApiName')
   const fieldColumns = fields
     .filter(({ apiName }) => !SYSTEM_COLUMNS.has(apiName.toLowerCase()))
@@ -170,6 +180,7 @@ export async function addColumn(
   fieldApiName: string,
   sfType: string
 ): Promise<void> {
+  assertValidOrgId(orgId)
   assertValidApiName(objectApiName, 'objectApiName')
   assertValidApiName(fieldApiName, 'fieldApiName')
   const col = fieldApiName.toLowerCase()
@@ -191,6 +202,7 @@ export async function dropColumn(
   objectApiName: string,
   fieldApiName: string
 ): Promise<void> {
+  assertValidOrgId(orgId)
   assertValidApiName(objectApiName, 'objectApiName')
   assertValidApiName(fieldApiName, 'fieldApiName')
   const col = fieldApiName.toLowerCase()
@@ -210,6 +222,7 @@ export async function dropTable(
   orgId: string,
   objectApiName: string
 ): Promise<void> {
+  assertValidOrgId(orgId)
   assertValidApiName(objectApiName, 'objectApiName')
   const sql = `DROP TABLE IF EXISTS ${tableRefForOrg(orgId, objectApiName)}`
   await pool.query(sql)