DEV -> Master V6 #119
[skip ci]
… PM-1112_apply-challenge-payments
…-payments PM-1112 - apply challenge payments at end of challenge
… PM-2087_use-v6-apis
…s by adding the payments for reviewers, since they still get paid.
Fix challenge payments calculations
Update reviewer model: use coefficients & fixed amount
…-place PM-1112 fix payment for place
PM-2091 cleanup tables
… PM-2087_use-v6-apis
PM-2088 - use Topcoder v6 APIs
… PM-1112_fix-payment-for-place
…-place Add challenge lock, update logic for reviewer, copilot payments
round up reviewers payments
Fix transaction
…ners PM-1105 - Checkpoint winners
…for-reward-challenges PM-2561 skip payments for reward challenges
…tion PM-2596 - Improved description for copilot & checkpoint winner payments
…ailed-challenge PM-2595 - handle challenge canceled due to failed review
Validate that provided challengeId param is a valid uuid
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Potential fix for code scanning alert no. 2: Server-side request forgery
Validate challengeId inside getChallenge method
Code scanning alert context (src/api/challenges/challenges.service.ts):

        headers,
      };

      const response = await fetch(url, finalOptions);

Check failure
Code scanning / CodeQL
Server-side request forgery Critical
URL: user-provided value
Copilot Autofix
AI 6 days ago
To further mitigate SSRF risk, we should ensure that only legitimate, internally recognized challenge IDs can trigger outgoing API requests. The best way to achieve this is by implementing an explicit allow-list or validation against a trusted source (such as the database) before making the external call. Since we already have a UUID format check, we can strengthen validation by ensuring the challenge exists in our system before performing remote fetches. If our database doesn't have the challenge registered, we should deny the request.
Specifically, in ChallengesService.getChallenge(challengeId: string), before constructing and fetching from the external API using the potentially user-supplied challengeId, check that the UUID corresponds to a known challenge in the internal database. If not, immediately throw an error and avoid making the outgoing request. You may need to add a query to the internal PrismaService to check for existence.
Changes apply in src/api/challenges/challenges.service.ts, within the getChallenge method.
| @@ -66,6 +66,14 @@ | ||
| throw new BadRequestException('Invalid challengeId provided! Uuid expected!'); | ||
| } | ||
| 
             | 
        ||
| // SSRF mitigation: validate against local DB before fetching externally | ||
| const localChallenge = await this.prisma.challenge.findUnique({ | ||
| where: { external_id: challengeId }, | ||
| }); | ||
| if (!localChallenge) { | ||
| throw new BadRequestException('Challenge ID does not exist or is not recognized.'); | ||
| } | ||
| 
             | 
        ||
| // Use the URL constructor to avoid path traversal/SSRF risks. | ||
| const baseUrl = TC_API_BASE.endsWith('/') ? TC_API_BASE.slice(0, -1) : TC_API_BASE; | ||
| const requestUrl = new URL(`/challenges/${challengeId}`, baseUrl).toString(); | 
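Review bot: `this.prisma.challenge.findUnique({ where: { external_id: challengeId } })` on the added lines only compiles if `external_id` is declared `@unique` (or `@id`) in the Prisma schema, since `findUnique` accepts unique fields only in `where`; if it is a plain indexed column, switch to `findFirst` or add the unique constraint. Second, throwing `BadRequestException` for a well-formed UUID that is merely absent from the local table turns every first-time fetch into a 400: please confirm that no flow in this PR (the payment paths in particular) fetches a challenge before it has been stored locally, and consider 404 semantics if the lookup stays. Note also that the UUID check on the context line above already prevents the id from altering host or path, so this lookup is defence in depth rather than the SSRF fix itself. On the existing context lines below the addition, `new URL(`/challenges/${challengeId}`, baseUrl)` passes an absolute path, which replaces the base URL's whole path: with a TC_API_BASE such as `https://host/v6` the request goes to `https://host/challenges/...`, and the trailing-slash trim on the line before does not change that; a relative `challenges/${challengeId}` against a base ending in `/` keeps the prefix.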
No description provided.
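The guard the Autofix comment describes (UUID check, then local existence check, then the outbound URL), as an added TypeScript example that is not the PR's or the project's code; `buildChallengeUrl`, `resolveChallengeUrl` and the `exists` lookup are hypothetical stand-ins for the service method and the Prisma query. It goes slightly beyond the suggestion by showing why a relative-path join keeps a base URL's path prefix where the absolute-path form discards it.

```typescript
// Added example, not code from the PR: the guard the Autofix comment describes.
// Assumed/hypothetical: a base URL in the role of TC_API_BASE and an async
// `exists` lookup standing in for the Prisma existence query.

const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

function isUuid(value: string): boolean {
  return UUID_RE.test(value);
}

// Joins `challenges/<id>` onto the base as a relative path against a base that
// ends in '/', so a prefix such as `/v6` in the base survives. The id is checked
// first, so it cannot carry '/', '..', '?' or '#' into the path.
function buildChallengeUrl(base: string, challengeId: string): string {
  if (!isUuid(challengeId)) {
    throw new Error('Invalid challengeId provided! Uuid expected!');
  }
  const normalizedBase = base.endsWith('/') ? base : `${base}/`;
  return new URL(`challenges/${challengeId}`, normalizedBase).toString();
}

// The absolute-path form seen in the suggestion's context lines, kept only to
// show the pitfall: a leading '/' replaces the base URL's entire path.
function buildChallengeUrlAbsolute(base: string, challengeId: string): string {
  const trimmed = base.endsWith('/') ? base.slice(0, -1) : base;
  return new URL(`/challenges/${challengeId}`, trimmed).toString();
}

type ExistsLookup = (externalId: string) => Promise<boolean>;

// Existence gate before any outbound request: unknown ids never reach fetch().
async function resolveChallengeUrl(
  base: string,
  challengeId: string,
  exists: ExistsLookup,
): Promise<string> {
  const url = buildChallengeUrl(base, challengeId); // enforces the UUID check
  if (!(await exists(challengeId))) {
    throw new Error('Challenge ID does not exist or is not recognized.');
  }
  return url;
}

// Constructed sample data standing in for the local challenge table.
const KNOWN_IDS = new Set(['123e4567-e89b-12d3-a456-426614174000']);
const sampleExists: ExistsLookup = async (id) => KNOWN_IDS.has(id.toLowerCase());
```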