Finding
ID: SD-VAL-03 | Severity: MEDIUM
hookBodySchema (src/validation.ts) is declared with .passthrough(). Zod's default for z.object() is to strip keys the schema does not declare; .passthrough() overrides that, so any unknown field an external caller puts in a hook payload is silently retained after validation and forwarded unchanged to SSE subscribers and the event bus. Validation therefore does not bound the shape of what downstream consumers receive.
Fix Required
Remove .passthrough() and either use .strict(), which rejects a payload that carries unknown keys, or enumerate permitted extra fields explicitly in the schema. Note that removing .passthrough() on its own restores Zod's default strip behaviour (unknown keys dropped, payload accepted); choose deliberately between dropping and rejecting, and make the acceptance test match that choice.
Files: src/validation.ts
Acceptance Criteria
A hook payload with unknown field x_evil: 1 must never reach an SSE subscriber or the event bus: with the strip behaviour the delivered payload no longer contains x_evil; with .strict() the payload is rejected with a validation error and nothing is delivered.
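To make the fix and the acceptance criterion concrete, the following is an added example (not the project's src/validation.ts and not Zod itself): a small stand-in that reproduces the three unknown-key policies a Zod object schema can have (default strip, .passthrough(), .strict()) and a simulated SSE fan-out, so the difference can be run offline without the zod dependency. The declared hook field names (event, repo, ref, timestamp) and the sample payload are assumptions constructed for the demonstration.

```typescript
// Added example, not the project's code. The policy names mirror Zod:
//   z.object(shape)               -> "strip"       (default; unknown keys dropped)
//   z.object(shape).passthrough() -> "passthrough" (unknown keys retained; the finding)
//   z.object(shape).strict()      -> "strict"      (unknown keys cause a ZodError)
type UnknownKeyPolicy = "strip" | "passthrough" | "strict";

type HookPayload = Record<string, unknown>;

// Assumed set of keys the real hookBodySchema declares; anything else is unknown.
const HOOK_BODY_KEYS: readonly string[] = ["event", "repo", "ref", "timestamp"];

export class ValidationError extends Error {
  readonly unknownKeys: string[];
  constructor(unknownKeys: string[]) {
    super(`unrecognized keys: ${unknownKeys.join(", ")}`);
    this.name = "ValidationError";
    this.unknownKeys = unknownKeys;
  }
}

// Applies one unknown-key policy to an inbound payload, the way the schema would.
export function validateHookBody(
  input: HookPayload,
  policy: UnknownKeyPolicy,
): HookPayload {
  const known = new Set<string>(HOOK_BODY_KEYS);
  const unknownKeys = Object.keys(input).filter((k) => !known.has(k));

  switch (policy) {
    case "passthrough":
      // The bug class from the finding: every key survives validation.
      return { ...input };
    case "strip":
      // Default Zod behaviour: unknown keys are dropped, the payload is accepted.
      const cleaned: HookPayload = {};
      for (const key of Object.keys(input)) {
        if (known.has(key)) cleaned[key] = input[key];
      }
      return cleaned;
    case "strict":
      // .strict(): the whole payload is rejected if any unknown key is present.
      if (unknownKeys.length > 0) throw new ValidationError(unknownKeys);
      return { ...input };
    default:
      throw new Error(`unsupported policy: ${String(policy)}`);
  }
}

// Simulated SSE delivery: returns what a subscriber would receive, or null
// when validation rejected the payload before fan-out.
export function deliverToSse(
  payload: HookPayload,
  policy: UnknownKeyPolicy,
): { delivered: HookPayload | null; rejected: boolean } {
  try {
    return { delivered: validateHookBody(payload, policy), rejected: false };
  } catch (e) {
    if (e instanceof ValidationError) return { delivered: null, rejected: true };
    throw e;
  }
}

// Constructed sample payload carrying the unknown field from the acceptance criterion.
export const SAMPLE_HOOK: HookPayload = {
  event: "push",
  repo: "example/app",
  ref: "refs/heads/main",
  timestamp: 1700000000,
  x_evil: 1,
};

// Acceptance check: true means x_evil reached a subscriber, i.e. the finding is still open.
export function leaksUnknownField(policy: UnknownKeyPolicy): boolean {
  const { delivered } = deliverToSse(SAMPLE_HOOK, policy);
  return delivered !== null && Object.prototype.hasOwnProperty.call(delivered, "x_evil");
}
```

Running leaksUnknownField with "passthrough" reproduces the finding (x_evil is delivered); with "strip" the field is removed and the rest of the payload is delivered; with "strict" the payload is rejected outright. Whichever of the last two the fix adopts, the regression test for SD-VAL-03 should assert that x_evil is never present in what subscribers receive.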
Milestone
M-E1: Security Hardening