fix: add input validation to YAML templates, RCON gateway, and match DTOs#7
Open
fix: add input validation to YAML templates, RCON gateway, and match DTOs#7
Conversation
…DTOs - YAML template: sanitize replacement values (strip newlines) and use split/join instead of RegExp to prevent injection via special chars - RCON gateway: validate command length (max 512), reject command chaining (semicolons, newlines), log all commands for audit trail - Offline matches: convert MatchData to class with class-validator decorators, use @Body() with ValidationPipe instead of raw req.body cast Closes 5stackgg/5stack-panel#404 Closes 5stackgg/5stack-panel#405 Closes 5stackgg/5stack-panel#406
![github-code-quality[bot]](https://avatars.githubusercontent.com/u/9919?s=60&v=4){kind=small}
These were imported for future nested object validation but are not currently used. Will be re-added when nested DTOs are converted.
Without @ValidateNested and @type, nested objects bypass validation entirely. Convert MatchOptions, Lineup, MatchMap from interfaces to classes with class-validator decorators so nested field validation is enforced by the ValidationPipe.
lukepolo
reviewed
Apr 9, 2026
src/rcon/rcon.gateway.ts
Outdated
| private static readonly MAX_COMMAND_LENGTH = 512; | ||
|
|
||
| private validateCommand(command: string): string | null { | ||
| if (!command || typeof command !== "string") { |
Contributor
There was a problem hiding this comment.
i dont see how this can be anything but a stirng
Contributor
Author
There was a problem hiding this comment.
Removed the redundant typeof check -- you're right, command will always be a string given the typed parameter.
Contributor
Author
|
Addressed review feedback:
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Three input validation improvements:
YAML template sanitization —
replacePlaceholders()now strips newlines from replacement values to prevent YAML structure injection. Usessplit/joininstead ofRegExpfor safer string replacement.RCON command validation — New
validateCommand()method rejects commands that are empty, exceed 512 chars, or contain command-chaining characters (;,\n,\r). All commands are logged for audit trail.Match data DTO validation — Converted
MatchDatafrom interface to class withclass-validatordecorators. Controller now uses@Body()withValidationPipe({ whitelist: true })instead of rawreq.bodycast.Test plan
Closes 5stackgg/5stack-panel#404
Closes 5stackgg/5stack-panel#405
Closes 5stackgg/5stack-panel#406