Release: develop -> main #3974

Open
github-actions[bot] wants to merge 6 commits into main from develop

Conversation

@github-actions


Automatic Release PR

This PR was automatically created after changes were pushed to develop.

Commits: 1 new commit(s)

Checklist

  • Review all changes
  • Verify CI passes
  • Approve and merge when ready for production

Clarification in the JSDoc of BalancesTotal: since #3969, minus also includes the
accrued referral-credit liability (synthetic RefCredit bucket), so a ref payout is
balance-sheet neutral rather than a phantom-equity step.
Danswar and others added 5 commits June 25, 2026 10:49
…#3964)

The RealUnit query builders interpolated user-supplied input straight into
the GraphQL query string sent to the ponder indexer, e.g.:

  const afterClause = after ? `, after: "${after}"` : '';
  ... accounts(..., limit: ${limit}${beforeClause}${afterClause})

A crafted `after` cursor breaks out of the string and parenthesis and injects
arbitrary GraphQL — observed in prod against /v1/realunit/holders, attempting
schema introspection (__schema) and full holder enumeration
(accounts(where: {balance_gt:"0"}, orderBy:"balance")). The injection failed
only on unbalanced syntax; it is otherwise structurally possible.

Convert all input-bearing queries (holders, account summary, account history)
to static documents with typed GraphQL variables ($id, $limit, $before,
$after) and pass values via graphql-request's variables argument. The cursor
is now treated as an opaque value by the indexer, not query syntax, so the
injection is closed. tokenInfo takes no input and is unchanged behaviourally.
…QL injection (#3977) (#3978)

The juice and deuro ponder clients interpolated values straight into the
GraphQL query string sent to the indexer:

  positionV2s(after: "${after}")   // paginated cursor
  poolShare(id: "${address}") / deps(id: "${address}")

A crafted value could break out of the string/parenthesis and inject
arbitrary GraphQL. Convert the input-bearing queries to static documents
with typed GraphQL variables ($after: String, $id: String!) and pass values
via graphql-request's variables argument, so the indexer treats them as
opaque values rather than query syntax. Behaviour is otherwise unchanged
(first page passes after: null; address is passed as-is).

Closes #3977
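As an added example that is not part of either commit, here is the interpolating builder pattern described for the RealUnit holders query (#3964) and the juice/deuro clients (#3978), beside the static-document form with typed variables that both commits switch to; the names buildHoldersQueryUnsafe, HOLDERS_QUERY, holdersRequest, isStaticDocument and the cursor value are assumptions for illustration, not the project's identifiers.

```typescript
// Added example (not the project's code): the interpolating builder the commits
// describe beside the static-document form they switch to. Names are assumed.
interface HoldersVariables {
  limit: number;
  before: string | null;
  after: string | null;
}
// BEFORE: limit and cursors are spliced into the query text, so a quote or
// parenthesis inside `after` rewrites the structure of the document.
function buildHoldersQueryUnsafe(limit: number, after?: string, before?: string): string {
  const beforeClause = before ? `, before: "${before}"` : '';
  const afterClause = after ? `, after: "${after}"` : '';
  return `{ accounts(orderBy: "balance", limit: ${limit}${beforeClause}${afterClause}) ` +
    `{ items { id balance } pageInfo { endCursor hasNextPage } } }`;
}
// AFTER: one constant document with typed variables. Its text never changes;
// the cursor travels in the JSON `variables` object and the indexer validates
// it against `$after: String` instead of parsing it as query syntax.
const HOLDERS_QUERY = `
  query Holders($limit: Int!, $before: String, $after: String) {
    accounts(orderBy: "balance", limit: $limit, before: $before, after: $after) {
      items { id balance }
      pageInfo { endCursor hasNextPage }
    }
  }`;
// What would be handed to graphql-request's request(url, document, variables);
// the first page passes null cursors, as the commit message notes.
function holdersRequest(limit: number, after?: string, before?: string):
    { document: string; variables: HoldersVariables } {
  return { document: HOLDERS_QUERY, variables: { limit, before: before ?? null, after: after ?? null } };
}
// Review/CI guard: an input-bearing document must not carry a template marker
// or a quoted literal in its cursor arguments.
function isStaticDocument(doc: string): boolean {
  return doc.indexOf('${') === -1 && !/\b(after|before):\s*"/.test(doc);
}
// Constructed cursor carrying a quote and a closing parenthesis (not a real cursor).
const CRAFTED_CURSOR = 'abc") { injected }';
// Compares both forms on the same input: the unsafe text gains an `injected`
// selection, the safe document stays identical and the cursor stays a string.
function compare(): { unsafeRewritten: boolean; safeUnchanged: boolean; cursorOpaque: boolean } {
  const unsafe = buildHoldersQueryUnsafe(10, CRAFTED_CURSOR);
  const safe = holdersRequest(10, CRAFTED_CURSOR);
  return {
    unsafeRewritten: unsafe.indexOf(') { injected }') !== -1,
    safeUnchanged: safe.document === HOLDERS_QUERY && isStaticDocument(safe.document),
    cursorOpaque: safe.variables.after === CRAFTED_CURSOR,
  };
}
```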
…3976) (#3979)

Apply ParseIntPipe to the remaining numeric :id route params in the
buy/sell/swap controllers, typing the handler param as number and
dropping the +id coercion, matching the treatment from #3954.

Affected handlers:
- swap.controller: depositTx, confirmSwap
- buy.controller: generateInvoicePDF, confirmBuy
- sell.controller: depositTx, confirmSell

Closes #3976