
fix(security): allowlist change-request field names#24

Merged
rubenhensen merged 1 commit into main from fix/change-request-field-allowlist on Apr 24, 2026

Conversation

dobby-coder (Bot, Contributor) commented Apr 23, 2026

Summary

Addresses sub-finding #1 from issue #10. The requestChange action in src/routes/(portal)/portal/organization/+page.server.ts accepted any fieldName form value. A portal user could craft a request referencing fields that don't exist in the UI — stored in change_requests and eventually surfaced to admins.

Added a CHANGEABLE_FIELDS allowlist (name, domain, signingEmail, kvkNumber) that mirrors the editable entries on the organization page, and a small isChangeableField type guard. Unknown field names are rejected with a 400.

Verification

  • npm run check → clean
  • npm run test:unit -- --run → 26 passed

Reviewer quickstart

git fetch origin && git checkout fix/change-request-field-allowlist && npm install && npm run check

Refs #10

The change-request action accepted arbitrary fieldName form values,
meaning a portal user could submit requests for fields that never
existed in the UI. Restrict to an explicit CHANGEABLE_FIELDS allowlist
that matches the editable columns shown on the organization page.

Refs #10
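The allowlist-and-type-guard pattern the PR describes, written out as an added example. This is not the project's code from +page.server.ts: the four field names and the names CHANGEABLE_FIELDS and isChangeableField come from the PR text, while parseChangeRequestUnsafe, parseChangeRequestSafe, FormLike, makeForm, SAMPLE_FORMS and the non-empty check on newValue are assumptions made here for illustration, and the form payloads are constructed, not captured requests.

```typescript
// Added example (not the project's code): an allowlist guard for the
// fieldName form value of a change-request action, as described in the PR.
// Field names and the CHANGEABLE_FIELDS / isChangeableField names come from
// the PR; every other identifier below is an assumption for illustration.

/** Editable organization fields, mirroring what the organization page exposes. */
export const CHANGEABLE_FIELDS = ['name', 'domain', 'signingEmail', 'kvkNumber'] as const;

/** Union type derived from the allowlist, so the compiler tracks it as well. */
export type ChangeableField = (typeof CHANGEABLE_FIELDS)[number];

/**
 * Type guard: true only for an exact, case-sensitive string match against the
 * allowlist. Anything else ("isAdmin", "Name", "__proto__", null, numbers) is
 * rejected, so the allowlist cannot be widened by what the client sends.
 */
export function isChangeableField(value: unknown): value is ChangeableField {
  return typeof value === 'string' && (CHANGEABLE_FIELDS as readonly string[]).includes(value);
}

/** Minimal structural view of FormData, so the example runs without a browser FormData. */
export interface FormLike {
  get(name: string): unknown;
}

/** Validation outcome: either a typed payload or an HTTP-style rejection. */
export type ChangeRequestResult =
  | { ok: true; fieldName: ChangeableField; newValue: string }
  | { ok: false; status: 400; message: string };

/**
 * "Before" behaviour the PR fixed (assumed shape): any fieldName is accepted
 * as a plain string, so a request for a field that never existed in the UI
 * would pass through and be stored.
 */
export function parseChangeRequestUnsafe(form: FormLike): { fieldName: string; newValue: string } {
  return { fieldName: String(form.get('fieldName')), newValue: String(form.get('newValue')) };
}

/**
 * "After" behaviour: unknown field names are rejected with a 400 before
 * anything is written, and the accepted name is narrowed to ChangeableField.
 */
export function parseChangeRequestSafe(form: FormLike): ChangeRequestResult {
  const fieldName = form.get('fieldName');
  if (!isChangeableField(fieldName)) {
    // The rejected value is attacker-controlled; do not echo it back verbatim.
    return { ok: false, status: 400, message: 'Unknown field name' };
  }
  const newValue = form.get('newValue');
  if (typeof newValue !== 'string' || newValue.length === 0) {
    // Assumption for this example: a change request must carry a non-empty string value.
    return { ok: false, status: 400, message: 'Missing or invalid value' };
  }
  return { ok: true, fieldName, newValue };
}

/** Builds a constructed form payload (not a real request) for the demonstration. */
export function makeForm(entries: Record<string, unknown>): FormLike {
  return {
    get: (name) => (Object.prototype.hasOwnProperty.call(entries, name) ? entries[name] : null),
  };
}

/** Constructed inputs: one legitimate request and four that the allowlist must reject. */
export const SAMPLE_FORMS = {
  legit: makeForm({ fieldName: 'kvkNumber', newValue: '12345678' }),
  unknownField: makeForm({ fieldName: 'isAdmin', newValue: 'true' }),
  protoKey: makeForm({ fieldName: '__proto__', newValue: '{}' }),
  wrongCase: makeForm({ fieldName: 'Name', newValue: 'x' }),
  missing: makeForm({ newValue: 'x' }),
};

// Stand-alone demonstration: compare what each parser does with every sample.
for (const [label, form] of Object.entries(SAMPLE_FORMS)) {
  console.log(label, 'unsafe:', parseChangeRequestUnsafe(form), 'safe:', parseChangeRequestSafe(form));
}
```

In a real SvelteKit form action the rejection branch would return fail(400, ...) from @sveltejs/kit; the function here returns a plain result object instead so it runs without the framework. Two properties carry the security value: the allowlist is a code constant that no request data can extend, and a successful check narrows fieldName to the ChangeableField union, so downstream code that turns the name into a column update cannot silently accept a free-form string.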
@rubenhensen rubenhensen marked this pull request as ready for review April 24, 2026 08:51
@rubenhensen rubenhensen merged commit 843e361 into main Apr 24, 2026
7 checks passed
dobby-coder (Bot, Contributor, Author) commented Apr 24, 2026

Dobby sees the approval, sir! Dobby is most grateful that Master rubenhensen approved Dobby's humble PR! 🧦

Dobby notes the pull request has already been merged — there is nothing more for Dobby to fix here. If Master wishes Dobby to follow up on any related work (e.g. the remaining sub-findings from #10), Dobby will happily get to work!

@rubenhensen rubenhensen deleted the fix/change-request-field-allowlist branch April 24, 2026 08:56