Summary
The `OPTIONS /whip/:productionId/:lineId` and `OPTIONS /whep/:productionId/:lineId` handlers have no TypeBox `params` schema. While these handlers manually call `parseInt(productionId, 10)`, the raw path parameters are never validated or length-constrained by AJV before the handler runs.
Affected Files
- `src/api_whip.ts` — `OPTIONS /whip/:productionId/:lineId` handler (~line 311–322)
- `src/api_whep.ts` — `OPTIONS /whep/:productionId/:lineId` handler (~line 310–321)
Current State
```ts
fastify.options<{
  Params: { productionId: string; lineId: string };
}>(
  '/whip/:productionId/:lineId',
  {
    schema: {
      // ❌ no params schema — AJV does not validate path parameters
      response: { ... }
    }
  },
  async (request, reply) => {
    const productionId = parseInt(request.params.productionId, 10);
    // manually parsed, but no TypeBox guard before this point
  }
);
```
Recommendation
Add a `params` TypeBox schema to both handlers:
```ts
const WhipWhepParams = Type.Object({
  productionId: Type.String({ minLength: 1, maxLength: 200 }),
  lineId: Type.String({ minLength: 1, maxLength: 200 })
});

// in schema:
schema: {
  params: WhipWhepParams,
  response: { ... }
}
```
This is consistent with how other route params are validated across the codebase.
Severity
Low — Low direct exploitability since the handler only reads and parses these values; defence-in-depth concern.
Found by automated security audit.