Skip to content

fix(bug): number id parse issue#163

Open
hemantch01 wants to merge 1 commit into
accordproject:mainfrom
hemantch01:fix/numeric_id_parse
Open

fix(bug): number id parse issue#163
hemantch01 wants to merge 1 commit into
accordproject:mainfrom
hemantch01:fix/numeric_id_parse

Conversation

@hemantch01
Copy link
Copy Markdown
Contributor

@hemantch01 hemantch01 commented Apr 14, 2026

Description

Fixes #162

this pr resolves a vulnerability where numeric :id route parameters were partially parsed due to the use of parseInt(). For example, requests like GET /templates/1abc were incorrectly truncated and executed as GET /templates/1, potentially leading to unexpected resource modification or deletion.

Tests passed

Screenshot 2026-04-14 100207

Postman screenshot after FIX

Screenshot 2026-04-14 101328

@hemantch01
fix(bug):number id parse
b6820b1 
Signed-off-by: hemantch01 <hemantchaudhary905@gmail.com>
@github-actions
Copy link
Copy Markdown

github-actions Bot commented Apr 30, 2026

This PR is stale because it has been open 15 days with no activity. Remove stale label or comment or this will be closed in 10 days.

@github-actions github-actions Bot added the Stale label Apr 30, 2026
@github-actions github-actions Bot closed this May 11, 2026
@mttrbrts mttrbrts reopened this May 11, 2026
@github-actions github-actions Bot removed the Stale label May 12, 2026
@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 27, 2026

This PR is stale because it has been open with no activity. Remove the stale label or comment to keep it active. Only items with maintainer engagement are auto-closed.

@github-actions github-actions Bot added the Stale label May 27, 2026
@hemantch01
Copy link
Copy Markdown
Contributor Author

hemantch01 commented May 27, 2026

hi @mttrbrts any feedback?

@mttrbrts mttrbrts requested a review from Copilot May 28, 2026 09:00
@mttrbrts mttrbrts removed the Stale label May 28, 2026
Copilot AI reviewed May 28, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Fixes a vulnerability where numeric :id route parameters were partially parsed via parseInt() (e.g. /templates/1abc resolving to /templates/1). The PR switches to Number() and rejects non-numeric IDs with a 400 response.

Changes:

  • In buildCrudRouter, replace parseInt with Number for GET/PUT/DELETE /:id and return 400 Invalid ID format when the parsed value is NaN (skipped for UUID PKs).
  • In resolveAgreement, replace Number.parseInt with Number and throw on NaN before querying the DB.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File Description
server/handlers/crud.ts Adds strict numeric ID validation and switches parseInt to Number in the three /:id CRUD handlers.
server/handlers/agreements.ts Applies the same strict numeric parsing/validation in resolveAgreement.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

bug: Numeric :id routes vulnerable to partial parses.

3 participants

@hemantch01 @mttrbrts