From d793df14d95f454dd67bf4001748ae6279db1db7 Mon Sep 17 00:00:00 2001
From: JungYunji
Date: Fri, 25 Jul 2025 16:08:46 +0900
Subject: [PATCH 1/3] [Autofic] Create package.json and CI workflow
---
.github/workflows/pr_notify.yml | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
create mode 100644 .github/workflows/pr_notify.yml
diff --git a/.github/workflows/pr_notify.yml b/.github/workflows/pr_notify.yml
new file mode 100644
index 00000000..2b34036d
--- /dev/null
+++ b/.github/workflows/pr_notify.yml
@@ -0,0 +1,20 @@
+name: PR Notifier
+
+on:
+ pull_request:
+ types: [opened, reopened, closed]
+
+jobs:
+ notify:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Notify Discord
+ env:
+ DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_WEBHOOK_URL }}
+ run: |
+ curl -H "Content-Type: application/json" -d '{"content": "🔔 Pull Request [${{ github.event.pull_request.title }}](${{ github.event.pull_request.html_url }}) by ${{ github.event.pull_request.user.login }} - ${{ github.event.action }}"}' $DISCORD_WEBHOOK_URL
+ - name: Notify Slack
+ env:
+ SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+ run: |
+ curl -H "Content-Type: application/json" -d '{"text": ":bell: Pull Request <${{ github.event.pull_request.html_url }}|${{ github.event.pull_request.title }}> by ${{ github.event.pull_request.user.login }} - ${{ github.event.action }}"}' $SLACK_WEBHOOK_URL
From 088d31e0506756454066870965eadaad31502ba2 Mon Sep 17 00:00:00 2001
From: JungYunji
Date: Fri, 25 Jul 2025 16:08:53 +0900
Subject: [PATCH 2/3] [Autofic] 1 malicious code detected!!
---
src/server/routes/api.js | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/src/server/routes/api.js b/src/server/routes/api.js
index 5e48d31c..860c122f 100644
--- a/src/server/routes/api.js
+++ b/src/server/routes/api.js
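Review bot: In `.github/workflows/pr_notify.yml` (patch 1/3), both `run:` steps expand `${{ github.event.pull_request.title }}` and the other event fields directly inside the shell script, so the values are substituted before the shell parses the line and a pull-request title containing a quote changes the command that runs in a job that holds the webhook secrets. Pass the event fields through `env:`, build the JSON with a tool that escapes them, and quote the webhook URL variable. Patch 3/3 deletes this file again, but the pattern should be corrected before the workflow is reused elsewhere.

```yaml
      - name: Notify Discord
        env:
          DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_WEBHOOK_URL }}
          PR_TITLE: ${{ github.event.pull_request.title }}
          PR_URL: ${{ github.event.pull_request.html_url }}
          PR_USER: ${{ github.event.pull_request.user.login }}
          PR_ACTION: ${{ github.event.action }}
        run: |
          jq -n --arg c "🔔 Pull Request [$PR_TITLE]($PR_URL) by $PR_USER - $PR_ACTION" '{content: $c}' \
            | curl -H "Content-Type: application/json" -d @- "$DISCORD_WEBHOOK_URL"
      # … Notify Slack step: same env block, '{text: $t}' payload, "$SLACK_WEBHOOK_URL" …
```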
@@ -75,7 +75,7 @@ export const apiRoute = async (fastify) => {
 });
 } else if (until != null) {
 Object.assign(where, {
- startAt: LessThanOrEqual(since.utc().format("YYYY-MM-DD HH:mm:ss")),
+ startAt: LessThanOrEqual(until.utc().format("YYYY-MM-DD HH:mm:ss")), // Fixed the incorrect variable name
 });
 }
@@ -89,7 +89,8 @@ export const apiRoute = async (fastify) => {
 fastify.get("/races/:raceId", async (req, res) => {
 const repo = (await createConnection()).getRepository(Race);
- const race = await repo.findOne(req.params.raceId, {
+ const raceId = req.params.raceId.replace(/[^0-9]/g, ""); // Sanitize raceId
+ const race = await repo.findOne(raceId, {
 relations: ["entries", "entries.player", "trifectaOdds"],
 });
@@ -106,10 +107,11 @@ export const apiRoute = async (fastify) => {
 }
 const repo = (await createConnection()).getRepository(BettingTicket);
+ const raceId = req.params.raceId.replace(/[^0-9]/g, ""); // Sanitize raceId
 const bettingTickets = await repo.find({
 where: {
 race: {
- id: req.params.raceId,
+ id: raceId,
 },
 user: {
 id: req.user.id,
@@ -145,11 +147,12 @@ export const apiRoute = async (fastify) => {
 const bettingTicketRepo = (await createConnection()).getRepository(
 BettingTicket,
 );
+ const raceId = req.params.raceId.replace(/[^0-9]/g, ""); // Sanitize raceId
 const bettingTicket = await bettingTicketRepo.save(
 new BettingTicket({
 key: req.body.key,
 race: {
- id: req.params.raceId,
+ id: raceId,
 },
 type: req.body.type,
 user: {
From 4640a295eb81e2c2f6342064bc222e5de119cd9e Mon Sep 17 00:00:00 2001
From: JungYunji
Date: Fri, 25 Jul 2025 16:09:13 +0900
Subject: [PATCH 3/3] chore: remove CI workflow before upstream PR
---
.github/workflows/pr_notify.yml | 20 --------------------
1 file changed, 20 deletions(-)
delete mode 100644 .github/workflows/pr_notify.yml
diff --git a/.github/workflows/pr_notify.yml b/.github/workflows/pr_notify.yml
deleted file mode 100644
index 2b34036d..00000000
--- a/.github/workflows/pr_notify.yml
+++ /dev/null
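Review bot: The trailing comment added in the `until` branch of `src/server/routes/api.js` (hunk -75,7), `// Fixed the incorrect variable name`, records the history of the change rather than explaining the code, so it belongs in the commit message and the line should read `startAt: LessThanOrEqual(until.utc().format("YYYY-MM-DD HH:mm:ss")),`. The substitution itself reads correctly, since this branch only runs when `until != null`. The enclosing handler starts and ends outside the hunk.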
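Review bot: `req.params.raceId.replace(/[^0-9]/g, "")` in the `GET /races/:raceId` handler (hunk -89,7) rewrites the id instead of validating it, so a malformed value is silently mapped to a different id, or to an empty string when it contains no digits, rather than being rejected; the same line is repeated in the two betting-ticket hunks (-106,10 and -145,11). The hunks do not show the type of `Race.id`; if ids are not purely numeric (UUIDs, for example) this strips valid ids and every lookup fails, so confirm that before merging. The value is passed to repository calls (`findOne`, `find`, `save`) rather than a string-built query, so the stripping presumably adds no injection protection; prefer rejecting bad input once, e.g. `if (!/^[0-9]+$/.test(req.params.raceId)) return res.code(400).send();` in a shared helper or a route params schema, with the pattern matched to the real id format. All three handlers extend beyond their hunks.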
@@ -1,20 +0,0 @@
-name: PR Notifier
-
-on:
- pull_request:
- types: [opened, reopened, closed]
-
-jobs:
- notify:
- runs-on: ubuntu-latest
- steps:
- - name: Notify Discord
- env:
- DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_WEBHOOK_URL }}
- run: |
- curl -H "Content-Type: application/json" -d '{"content": "🔔 Pull Request [${{ github.event.pull_request.title }}](${{ github.event.pull_request.html_url }}) by ${{ github.event.pull_request.user.login }} - ${{ github.event.action }}"}' $DISCORD_WEBHOOK_URL
- - name: Notify Slack
- env:
- SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
- run: |
- curl -H "Content-Type: application/json" -d '{"text": ":bell: Pull Request <${{ github.event.pull_request.html_url }}|${{ github.event.pull_request.title }}> by ${{ github.event.pull_request.user.login }} - ${{ github.event.action }}"}' $SLACK_WEBHOOK_URL