veza/veza-backend-api/internal
senke a40a61d801 fix(backend): add table name whitelist in testutils/db.go
- Add allowedTestTables map containing all known database tables
- Add validateTableName() function that panics if table name is not
  in the whitelist
- Call validateTableName() before all fmt.Sprintf("DELETE FROM %s")
  and fmt.Sprintf("TRUNCATE TABLE %s CASCADE") statements
- Prevents potential SQL injection via table name interpolation,
  even though the risk is low (test-only code, table names come from
  hardcoded lists or DB introspection)

Addresses audit finding: A03 (Injection) — minor risk in test utilities.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-11 22:57:40 +01:00
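The guard the commit describes, as an added example that is not the project's own testutils/db.go: only `allowedTestTables` and `validateTableName` are names taken from the commit message; the table names, `checkTableName`, `tryTruncateSQL`, `cleanupStatements` and the hostile inputs are constructed for this illustration. The point it makes explicit is that the allowlist is an exact-match check on the whole identifier, so a value that merely contains an allowed name (or differs only in case) is rejected before it ever reaches `fmt.Sprintf`.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// allowedTestTables is the allowlist the guard consults. The table names are
// constructed for this example, not taken from the project's schema.
var allowedTestTables = map[string]struct{}{
	"users":     {},
	"tracks":    {},
	"playlists": {},
	"sessions":  {},
}

// errTableNotAllowed is returned by the non-panicking variant of the guard.
var errTableNotAllowed = errors.New("table name not in allowedTestTables")

// checkTableName rejects anything that is not an exact allowlist entry,
// including names that merely contain an allowed name or differ in case.
func checkTableName(name string) error {
	if _, ok := allowedTestTables[name]; !ok {
		return fmt.Errorf("%w: %q", errTableNotAllowed, name)
	}
	return nil
}

// validateTableName panics on an unknown table, as the commit describes.
// In test helpers a panic is acceptable: it aborts the run instead of
// silently executing an unexpected statement.
func validateTableName(name string) {
	if err := checkTableName(name); err != nil {
		panic("testutils: " + err.Error())
	}
}

// truncateSQL builds the TRUNCATE statement only after the name passed the guard.
func truncateSQL(name string) string {
	validateTableName(name)
	return fmt.Sprintf("TRUNCATE TABLE %s CASCADE", name)
}

// deleteAllSQL applies the same pattern to DELETE.
func deleteAllSQL(name string) string {
	validateTableName(name)
	return fmt.Sprintf("DELETE FROM %s", name)
}

// tryTruncateSQL converts the guard's panic into an error so a caller (and the
// demo in main) can observe a rejection without crashing the process.
func tryTruncateSQL(name string) (sql string, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("%v", r)
		}
	}()
	return truncateSQL(name), nil
}

// cleanupStatements takes table names as they might come back from schema
// introspection and returns one TRUNCATE per table, or an error naming the
// first table that fails the guard. Nothing is executed here.
func cleanupStatements(tables []string) ([]string, error) {
	stmts := make([]string, 0, len(tables))
	for _, t := range tables {
		if err := checkTableName(t); err != nil {
			return nil, err
		}
		stmts = append(stmts, truncateSQL(t))
	}
	return stmts, nil
}

func main() {
	inputs := []string{
		"users",
		"users; DROP TABLE users; --", // constructed hostile input
		"pg_catalog.pg_tables",        // a real table, but not on the allowlist
		"USERS",                       // case differs, so it is rejected too
	}
	for _, in := range inputs {
		if sql, err := tryTruncateSQL(in); err != nil {
			fmt.Printf("rejected %q: %v\n", in, err)
		} else {
			fmt.Println("ok:", sql)
		}
	}
	stmts, err := cleanupStatements([]string{"tracks", "playlists"})
	fmt.Println(strings.Join(stmts, "\n"), err)
}
```

The allowlist check is the control; interpolating an identifier with `fmt.Sprintf` stays acceptable only because the value has already been proven to be one of a fixed set of known names. If introspection ever returns a table that is not on the list, the right response is to extend `allowedTestTables`, not to relax the check.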
api chore(backend): config, router, auth, stream service, sanitizer, tests 2026-02-11 22:19:09 +01:00
common overhaul: backend-api go first; phase 1 2025-12-12 21:34:34 -05:00
config chore(backend): config, router, auth, stream service, sanitizer, tests 2026-02-11 22:19:09 +01:00
core chore(backend): config, router, auth, stream service, sanitizer, tests 2026-02-11 22:19:09 +01:00
database feat: global update including storybook setup and backend fixes 2026-02-02 19:34:14 +01:00
dto feat: Visual masterpiece - true light mode & premium UI 2026-01-11 02:32:21 +01:00
email STABILISATION: phase 3–5 – API contract, tests & chat-server hardening 2025-12-06 17:21:59 +01:00
errors refactor(marketplace): enforce unified api response envelope 2025-12-06 17:39:04 +01:00
eventbus adding initial backend API (Go) 2025-12-03 20:29:37 +01:00
features adding initial backend API (Go) 2025-12-03 20:29:37 +01:00
handlers fix(security): validate OAuth redirect URL against allowlist, require auth for internal transcode endpoint 2026-02-11 21:28:26 +01:00
infrastructure STABILISATION: phase 3–5 – API contract, tests & chat-server hardening 2025-12-06 17:21:59 +01:00
interfaces adding initial backend API (Go) 2025-12-03 20:29:37 +01:00
jobs STABILISATION: phase 3–5 – API contract, tests & chat-server hardening 2025-12-06 17:21:59 +01:00
logging state-ownership: delete unused optimisticStoreUpdates.ts file 2026-01-15 19:26:53 +01:00
metrics [BE-DB-018] be-db: Add database performance monitoring 2025-12-24 15:58:48 +01:00
middleware chore(backend): config, router, auth, stream service, sanitizer, tests 2026-02-11 22:19:09 +01:00
models incus deployment fully implemented, Makefile updated and make fmt ran 2026-01-13 19:47:57 +01:00
monitoring stabilizing veza-backend-api: P1 & P2 2025-12-16 13:34:08 -05:00
recovery incus deployment fully implemented, Makefile updated and make fmt ran 2026-01-13 19:47:57 +01:00
repositories [BE-DB-003] be-db: Add soft delete support to all models 2025-12-24 15:07:25 +01:00
repository adding initial backend API (Go) 2025-12-03 20:29:37 +01:00
response state-ownership: delete unused optimisticStoreUpdates.ts file 2026-01-15 19:26:53 +01:00
security adding initial backend API (Go) 2025-12-03 20:29:37 +01:00
services chore(backend): config, router, auth, stream service, sanitizer, tests 2026-02-11 22:19:09 +01:00
shutdown incus deployment fully implemented, Makefile updated and make fmt ran 2026-01-13 19:47:57 +01:00
testutils fix(backend): add table name whitelist in testutils/db.go 2026-02-11 22:57:40 +01:00
tracing incus deployment fully implemented, Makefile updated and make fmt ran 2026-01-13 19:47:57 +01:00
types adding initial backend API (Go) 2025-12-03 20:29:37 +01:00
upload [INT-015] int: Add file upload format standardization 2025-12-25 15:40:01 +01:00
utils chore(backend): config, router, auth, stream service, sanitizer, tests 2026-02-11 22:19:09 +01:00
validators incus deployment fully implemented, Makefile updated and make fmt ran 2026-01-13 19:47:57 +01:00
websocket incus deployment fully implemented, Makefile updated and make fmt ran 2026-01-13 19:47:57 +01:00
workers feat: global update including storybook setup and backend fixes 2026-02-02 19:34:14 +01:00