From f48a4f7bc0a9c09c8377e15b9b759c1332dd1770 Mon Sep 17 00:00:00 2001 From: Owen Date: Tue, 23 Jun 2026 12:22:47 -0400 Subject: [PATCH] Enforce strick query params Fixes #3313 --- server/routers/accessToken/listAccessTokens.ts | 2 +- server/routers/apiKeys/listApiKeyActions.ts | 2 +- server/routers/apiKeys/listOrgApiKeys.ts | 2 +- server/routers/apiKeys/listRootApiKeys.ts | 2 +- server/routers/auditLogs/queryRequestAuditLog.ts | 2 +- server/routers/client/listClients.ts | 2 +- server/routers/client/listUserDevices.ts | 2 +- server/routers/olm/listUserOlms.ts | 2 +- server/routers/org/listOrgs.ts | 2 +- server/routers/org/listUserOrgs.ts | 2 +- server/routers/resource/listResourceRules.ts | 2 +- server/routers/resource/listResources.ts | 2 +- server/routers/resource/listUserResourceAliases.ts | 2 +- server/routers/role/listRoles.ts | 2 +- server/routers/site/listSites.ts | 2 +- server/routers/siteResource/listAllSiteResourcesByOrg.ts | 2 +- server/routers/siteResource/listSiteResources.ts | 2 +- server/routers/target/listTargets.ts | 2 +- 18 files changed, 18 insertions(+), 18 deletions(-) diff --git a/server/routers/accessToken/listAccessTokens.ts b/server/routers/accessToken/listAccessTokens.ts index 0339cc2c4..472d9da40 100644 --- a/server/routers/accessToken/listAccessTokens.ts +++ b/server/routers/accessToken/listAccessTokens.ts @@ -30,7 +30,7 @@ const listAccessTokensParamsSchema = z error: "Either resourceId or orgId must be provided, but not both" }); -const listAccessTokensSchema = z.object({ +const listAccessTokensSchema = z.strictObject({ limit: z .string() .optional() diff --git a/server/routers/apiKeys/listApiKeyActions.ts b/server/routers/apiKeys/listApiKeyActions.ts index 364f3aee2..3b5efa8b5 100644 --- a/server/routers/apiKeys/listApiKeyActions.ts +++ b/server/routers/apiKeys/listApiKeyActions.ts 
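Review bot: Nothing in this patch pins the new rejection behaviour of `listAccessTokensSchema`: the diffstat lists only the 18 router files and no test, so a later refactor back to `z.object` would silently restore the old lenient parsing. A request-level test that sends one unknown key next to a valid one (constructed example: `?limit=10&unexpectedKey=1`) and asserts the handler's validation-error response would cover it, and the same applies to the other 17 hunks. Because any client that appends extra query keys (cache-busters, older UI builds) will now get an error instead of being ignored, it is also worth a line in the release notes. The schema body continues past the end of this hunk, so the remaining fields were not reviewed here.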
@@ -15,7 +15,7 @@ const paramsSchema = z.object({ apiKeyId: z.string().nonempty() }); -const querySchema = z.object({ +const querySchema = z.strictObject({ limit: z .string() .optional() diff --git a/server/routers/apiKeys/listOrgApiKeys.ts b/server/routers/apiKeys/listOrgApiKeys.ts index ba87a3033..68a7f9a25 100644 --- a/server/routers/apiKeys/listOrgApiKeys.ts +++ b/server/routers/apiKeys/listOrgApiKeys.ts @@ -11,7 +11,7 @@ import { eq, and } from "drizzle-orm"; import { OpenAPITags, registry } from "@server/openApi"; import { createApiResponseSchema } from "@server/lib/openapi/createApiResponseSchema"; -const querySchema = z.object({ +const querySchema = z.strictObject({ limit: z .string() .optional() diff --git a/server/routers/apiKeys/listRootApiKeys.ts b/server/routers/apiKeys/listRootApiKeys.ts index 654b830a6..434ff5a8b 100644 --- a/server/routers/apiKeys/listRootApiKeys.ts +++ b/server/routers/apiKeys/listRootApiKeys.ts @@ -9,7 +9,7 @@ import { z } from "zod"; import { fromError } from "zod-validation-error"; import { eq } from "drizzle-orm"; -const querySchema = z.object({ +const querySchema = z.strictObject({ limit: z .string() .optional() diff --git a/server/routers/auditLogs/queryRequestAuditLog.ts b/server/routers/auditLogs/queryRequestAuditLog.ts index f14c28cf1..7f4a0ec16 100644 --- a/server/routers/auditLogs/queryRequestAuditLog.ts +++ b/server/routers/auditLogs/queryRequestAuditLog.ts @@ -20,7 +20,7 @@ import response from "@server/lib/response"; import logger from "@server/logger"; import { getSevenDaysAgo } from "@app/lib/getSevenDaysAgo"; -export const queryAccessAuditLogsQuery = z.object({ +export const queryAccessAuditLogsQuery = z.strictObject({ // iso string just validate its a parseable date timeStart: z .string() diff --git a/server/routers/client/listClients.ts b/server/routers/client/listClients.ts index 9178c27a5..98c0fc550 100644 --- a/server/routers/client/listClients.ts +++ b/server/routers/client/listClients.ts 
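Review bot: `paramsSchema` in listApiKeyActions.ts is still declared with `z.object({` (visible in the hunk's context lines), so only the query half of this handler's input became strict. listUserOrgs.ts has the same leftover in `listOrgsParamsSchema`. Most other routers touched here already declare their params schema with `z.strictObject`, so for consistency I would change these two to `const paramsSchema = z.strictObject({` and `const listOrgsParamsSchema = z.strictObject({`. Path params are presumably populated only from the route pattern, so the practical effect is small, but a uniform rule is easier to audit than a per-file exception.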
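Review bot: `queryAccessAuditLogsQuery` in queryRequestAuditLog.ts is exported, so making it strict changes validation for every module that imports it, not just this handler. Those importers are not visible in this patch; any that parses a superset of these keys (for example an export or paging variant) would start failing unless it builds its own schema with `.extend()`. Please check the importers, and consider documenting the contract on the declaration, e.g. `// Strict: unknown query keys are rejected; importers that accept more keys must .extend() this schema.` The schema body continues outside the hunk.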
@@ -41,7 +41,7 @@ const listClientsParamsSchema = z.strictObject({ orgId: z.string() }); -const listClientsSchema = z.object({ +const listClientsSchema = z.strictObject({ pageSize: z.coerce .number() // for prettier formatting .int() diff --git a/server/routers/client/listUserDevices.ts b/server/routers/client/listUserDevices.ts index e2a035929..fb3004921 100644 --- a/server/routers/client/listUserDevices.ts +++ b/server/routers/client/listUserDevices.ts @@ -40,7 +40,7 @@ const listUserDevicesParamsSchema = z.strictObject({ orgId: z.string() }); -const listUserDevicesSchema = z.object({ +const listUserDevicesSchema = z.strictObject({ pageSize: z.coerce .number() // for prettier formatting .int() diff --git a/server/routers/olm/listUserOlms.ts b/server/routers/olm/listUserOlms.ts index b2db262e6..5549afc9f 100644 --- a/server/routers/olm/listUserOlms.ts +++ b/server/routers/olm/listUserOlms.ts @@ -11,7 +11,7 @@ import logger from "@server/logger"; import { OpenAPITags, registry } from "@server/openApi"; import { getUserDeviceName } from "@server/db/names"; -const querySchema = z.object({ +const querySchema = z.strictObject({ limit: z .string() .optional() diff --git a/server/routers/org/listOrgs.ts b/server/routers/org/listOrgs.ts index 336592fd5..88c05f61a 100644 --- a/server/routers/org/listOrgs.ts +++ b/server/routers/org/listOrgs.ts @@ -11,7 +11,7 @@ import { fromZodError } from "zod-validation-error"; import { OpenAPITags, registry } from "@server/openApi"; import { createApiResponseSchema } from "@server/lib/openapi/createApiResponseSchema"; -const listOrgsSchema = z.object({ +const listOrgsSchema = z.strictObject({ limit: z .string() .optional() diff --git a/server/routers/org/listUserOrgs.ts b/server/routers/org/listUserOrgs.ts index c48f2fa91..47d540930 100644 --- a/server/routers/org/listUserOrgs.ts +++ b/server/routers/org/listUserOrgs.ts 
@@ -14,7 +14,7 @@ const listOrgsParamsSchema = z.object({ userId: z.string() }); -const listOrgsSchema = z.object({ +const listOrgsSchema = z.strictObject({ limit: z .string() .optional() diff --git a/server/routers/resource/listResourceRules.ts b/server/routers/resource/listResourceRules.ts index 6b9df688a..ec4cc332e 100644 --- a/server/routers/resource/listResourceRules.ts +++ b/server/routers/resource/listResourceRules.ts @@ -14,7 +14,7 @@ const listResourceRulesParamsSchema = z.strictObject({ resourceId: z.coerce.number().int().positive() }); -const listResourceRulesSchema = z.object({ +const listResourceRulesSchema = z.strictObject({ limit: z .string() .optional() diff --git a/server/routers/resource/listResources.ts b/server/routers/resource/listResources.ts index 684c48159..f15a3beda 100644 --- a/server/routers/resource/listResources.ts +++ b/server/routers/resource/listResources.ts @@ -48,7 +48,7 @@ const listResourcesParamsSchema = z.strictObject({ orgId: z.string() }); -const listResourcesSchema = z.object({ +const listResourcesSchema = z.strictObject({ pageSize: z.coerce .number() // for prettier formatting .int() diff --git a/server/routers/resource/listUserResourceAliases.ts b/server/routers/resource/listUserResourceAliases.ts index 205c029f0..75dc91166 100644 --- a/server/routers/resource/listUserResourceAliases.ts +++ b/server/routers/resource/listUserResourceAliases.ts @@ -32,7 +32,7 @@ const listUserResourceAliasesParamsSchema = z.strictObject({ orgId: z.string() }); -const listUserResourceAliasesQuerySchema = z.object({ +const listUserResourceAliasesQuerySchema = z.strictObject({ pageSize: z.coerce .number() .int() diff --git a/server/routers/role/listRoles.ts b/server/routers/role/listRoles.ts index 248db5063..d59ced2f7 100644 --- a/server/routers/role/listRoles.ts +++ b/server/routers/role/listRoles.ts 
@@ -15,7 +15,7 @@ const listRolesParamsSchema = z.strictObject({ orgId: z.string() }); -const listRolesSchema = z.object({ +const listRolesSchema = z.strictObject({ pageSize: z.coerce .number() // for prettier formatting .int() diff --git a/server/routers/site/listSites.ts b/server/routers/site/listSites.ts index 4ca28eda9..86c555f93 100644 --- a/server/routers/site/listSites.ts +++ b/server/routers/site/listSites.ts @@ -32,7 +32,7 @@ const listSitesParamsSchema = z.strictObject({ orgId: z.string() }); -const listSitesSchema = z.object({ +const listSitesSchema = z.strictObject({ pageSize: z.coerce .number() // for prettier formatting .int() diff --git a/server/routers/siteResource/listAllSiteResourcesByOrg.ts b/server/routers/siteResource/listAllSiteResourcesByOrg.ts index 5c20bc5a7..721d76bf6 100644 --- a/server/routers/siteResource/listAllSiteResourcesByOrg.ts +++ b/server/routers/siteResource/listAllSiteResourcesByOrg.ts @@ -26,7 +26,7 @@ const listAllSiteResourcesByOrgParamsSchema = z.strictObject({ orgId: z.string() }); -const listAllSiteResourcesByOrgQuerySchema = z.object({ +const listAllSiteResourcesByOrgQuerySchema = z.strictObject({ pageSize: z.coerce .number() // for prettier formatting .int() diff --git a/server/routers/siteResource/listSiteResources.ts b/server/routers/siteResource/listSiteResources.ts index 311009dfa..a9688a9c6 100644 --- a/server/routers/siteResource/listSiteResources.ts +++ b/server/routers/siteResource/listSiteResources.ts @@ -15,7 +15,7 @@ const listSiteResourcesParamsSchema = z.strictObject({ orgId: z.string() }); -const listSiteResourcesQuerySchema = z.object({ +const listSiteResourcesQuerySchema = z.strictObject({ limit: z .string() .optional() diff --git a/server/routers/target/listTargets.ts b/server/routers/target/listTargets.ts index b097b1f6e..68f80197a 100644 --- a/server/routers/target/listTargets.ts +++ b/server/routers/target/listTargets.ts 
@@ -14,7 +14,7 @@ const listTargetsParamsSchema = z.strictObject({ resourceId: z.coerce.number().int().positive() }); -const listTargetsSchema = z.object({ +const listTargetsSchema = z.strictObject({ limit: z .string() .optional()