fix(git-sync): address PR #119 review #2 — throttle /git Basic auth, fix mcp schema drift + warnings/tests
Must-fix:
- Throttle the raw /git HTTP-Basic path: it bypasses Nest/ThrottlerGuard, so
verifyUserCredentials (bcrypt) ran unthrottled. Wrap it in the SAME
FailedLoginLimiter the /mcp path uses (5/60s; per-IP, per-IP+email, global
per-email keys; atomic tryReserve BEFORE bcrypt; success resets, non-credential
errors release). The (threshold+1)-th attempt now gets 429 pre-bcrypt. Sweep
timer + onModuleDestroy mirror McpService.
- Fix the mcp schema mirror drift: packages/mcp details `open` attr now reads via
hasAttribute (matches editor-ext canon + git-sync copy); getAttribute dropped a
bare `<details open>` state. (build/ is gitignored — rebuilt locally.)
Tests added:
- /git brute-force throttle: pre-bcrypt 429 on the 6th failure; success resets;
non-credential error releases the budget.
- git-http-backend lost-lock AbortSignal: already-aborted -> no spawn + 500;
live abort mid-request -> SIGTERM + response closed.
- orchestrator divergentDocmost -> WARN + flag surfaced in status (+ clean case).
- pollTick re-entrancy guard skips an overlapping tick.
- datasource NotFound early-throws (getPageJson/move/rename) + updatedAt:undefined
stale-read branch (importPageMarkdown/createPage).
Suggestions:
- space.repo updateGitSyncSettings: parameterize the jsonb key (`${prefKey}::text`)
instead of sql.raw (latent-injection footgun); value stays sql.lit. Spec updated.
- pollTick re-entrancy guard (private `polling` flag).
- page-change.listener docstring: honest about the move/rename/delete over-skip
(loop-guard keys only on lastUpdatedSource) -> ~poll-interval latency, not loss.
- AGENTS.md: document the root /git smart-HTTP route + GitSyncModule.
- Remove redundant redteam-provenance.spec.ts (covered e2e in
persistence.extension.spec.ts:145).
- Extract the duplicated SIGTERM->SIGKILL+finish block (watchdog + abort) into
terminateChild; centralize watchdog-timer teardown in done().
Architecture (deferred, documented): mcp schema header now carries the three-copy
keep-in-sync + schema-core note; the editor-ext contract test documents that the
mcp copy and attribute-behaviour drift (details `open`) are not mechanically
covered yet.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -111,8 +111,9 @@ describe('SpaceRepo.updateGitSyncSettings — jsonb merge SQL', () => {
|
||||
expect(sql).toContain(
|
||||
`jsonb_build_object('gitSync', COALESCE(settings->'gitSync', '{}'::jsonb) ||`,
|
||||
);
|
||||
// The pref key is set via jsonb_build_object on the inner object.
|
||||
expect(sql).toContain(`jsonb_build_object('enabled',`);
|
||||
// The pref key is set via jsonb_build_object on the inner object, with the
|
||||
// key as a BOUND, ::text-cast PARAMETER (not sql.raw) — security fix #5.
|
||||
expect(sql).toMatch(/jsonb_build_object\(\$\d+::text,/);
|
||||
// Scoped to the row + workspace.
|
||||
expect(sql).toContain(`where "id" =`);
|
||||
expect(sql).toContain(`and "workspaceId" =`);
|
||||
@@ -121,21 +122,25 @@ describe('SpaceRepo.updateGitSyncSettings — jsonb merge SQL', () => {
|
||||
// `set "settings" = jsonb_build_object(` without the COALESCE/merge).
|
||||
expect(sql).not.toContain(`set "settings" = jsonb_build_object(`);
|
||||
|
||||
// The pref VALUE is inlined via sql.lit (matches the repo's sql.lit usage);
|
||||
// updatedAt + id + workspaceId are the only bound parameters (the jsonb
|
||||
// merge text is all literal). updatedAt is a Date, so assert id/workspaceId.
|
||||
// The pref VALUE stays inlined via sql.lit, but the KEY is now a bound
|
||||
// parameter, so id + workspaceId + the key are all bound (updatedAt is a Date).
|
||||
expect(compiled!.parameters).toContain('space-1');
|
||||
expect(compiled!.parameters).toContain('ws-1');
|
||||
expect(compiled!.parameters).toContain('enabled');
|
||||
});
|
||||
|
||||
it('inlines the prefKey/prefValue literally (sql.raw key, sql.lit value)', async () => {
|
||||
it('binds the prefKey as a ::text parameter (no sql.raw splice) and inlines prefValue via sql.lit', async () => {
|
||||
const { repo, getCaptured } = makeRepoCapturingSql();
|
||||
|
||||
await repo.updateGitSyncSettings('space-1', 'ws-1', 'enabled', false);
|
||||
|
||||
const sql = getCaptured()!.sql.replace(/\s+/g, ' ');
|
||||
// key via sql.raw + value via sql.lit -> both appear literally in the
|
||||
// inner build object (no bound parameter for either).
|
||||
expect(sql).toContain(`jsonb_build_object('enabled', false)`);
|
||||
const compiled = getCaptured()!;
|
||||
const sql = compiled.sql.replace(/\s+/g, ' ');
|
||||
// The key is a bound `$N::text` parameter; the value is the sql.lit literal.
|
||||
expect(sql).toMatch(/jsonb_build_object\(\$\d+::text, false\)/);
|
||||
// The literal key must NOT be spliced into the statement text (the footgun).
|
||||
expect(sql).not.toContain(`'enabled'`);
|
||||
// The key rides as a bound parameter instead.
|
||||
expect(compiled.parameters).toContain('enabled');
|
||||
});
|
||||
});
|
||||
|
||||
@@ -122,9 +122,15 @@ export class SpaceRepo {
|
||||
return db
|
||||
.updateTable('spaces')
|
||||
.set({
|
||||
// The jsonb key is a BOUND PARAMETER (`${prefKey}::text`), not
|
||||
// `sql.raw(prefKey)`. The callers here only ever pass the literals
|
||||
// 'enabled' / 'autoMergeConflicts', but sql.raw would splice the string
|
||||
// straight into the statement — a latent SQL-injection footgun the moment
|
||||
// a future caller passes a request-derived key. Parameterizing closes it
|
||||
// with no behaviour change for the current literal callers.
|
||||
settings: sql`COALESCE(settings, '{}'::jsonb)
|
||||
|| jsonb_build_object('gitSync', COALESCE(settings->'gitSync', '{}'::jsonb)
|
||||
|| jsonb_build_object('${sql.raw(prefKey)}', ${sql.lit(prefValue)}))`,
|
||||
|| jsonb_build_object(${prefKey}::text, ${sql.lit(prefValue)}))`,
|
||||
updatedAt: new Date(),
|
||||
})
|
||||
.where('id', '=', spaceId)
|
||||
|
||||
Reference in New Issue
Block a user