Skip to content

Security: WHIP/WHEP OPTIONS handlers missing TypeBox params schema — path params unvalidated #249

Description

@LucasMaupin

Summary

The `OPTIONS /whip/:productionId/:lineId` and `OPTIONS /whep/:productionId/:lineId` handlers have no TypeBox `params` schema. While these handlers manually call `parseInt(productionId, 10)`, the raw path parameters are never validated or length-constrained by AJV before the handler runs.

Affected Files

  • `src/api_whip.ts` — `OPTIONS /whip/:productionId/:lineId` handler (~line 311–322)
  • `src/api_whep.ts` — `OPTIONS /whep/:productionId/:lineId` handler (~line 310–321)

Current State

fastify.options<{
  Params: { productionId: string; lineId: string };
}>(
  '/whip/:productionId/:lineId',
  {
    schema: {
      // ❌ no params schema — AJV does not validate path parameters
      response: { ... }
    }
  },
  async (request, reply) => {
    const productionId = parseInt(request.params.productionId, 10);
    // manually parsed, but no TypeBox guard before this point
  }
);

Recommendation

Add a `params` TypeBox schema to both handlers:

const WhipWhepParams = Type.Object({
  productionId: Type.String({ minLength: 1, maxLength: 200 }),
  lineId: Type.String({ minLength: 1, maxLength: 200 })
});

// in schema:
schema: {
  params: WhipWhepParams,
  response: { ... }
}

This is consistent with how other route params are validated across the codebase.

Severity

Low — Low direct exploitability since the handler only reads and parses these values; defence-in-depth concern.


Found by automated security audit.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions