Improve image upload and test data generation functionalities

Refactors `uploadPendingImages` to use `Promise.allSettled` for parallel uploads and implements JSON path queries in `clearTestData` and `getTestDataStats` for more robust test data management. Enhances `seed-test-data` function to support creating data conflicts and version chains, and adds validation for `imageId` format in `upload-image` function. Updates `AutocompleteSearch` to use a default search types constant. Replit-Commit-Author: Agent Replit-Commit-Session-Id: dc31cf9d-7a06-4420-8ade-e7b7f5200e71 Replit-Commit-Checkpoint-Type: intermediate_checkpoint
2025-12-20 08:31:12 -05:00 · 2025-10-08 18:14:34 +00:00
parent bdc9f5695e
commit 3832439d67
6 changed files with 164 additions and 91 deletions
--- a/supabase/functions/upload-image/index.ts
+++ b/supabase/functions/upload-image/index.ts
@@ -129,6 +129,23 @@ serve(async (req) => {
        )
      }

+      // Validate imageId format - Cloudflare accepts UUIDs and alphanumeric IDs
+      // Allow: alphanumeric, hyphens, underscores (common ID formats)
+      // Reject: special characters that could cause injection or path traversal
+      const validImageIdPattern = /^[a-zA-Z0-9_-]{1,100}$/;
+      if (!validImageIdPattern.test(imageId)) {
+        return new Response(
+          JSON.stringify({ 
+            error: 'Invalid imageId format',
+            message: 'imageId must be alphanumeric with optional hyphens/underscores (max 100 chars)'
+          }),
+          { 
+            status: 400, 
+            headers: { ...corsHeaders, 'Content-Type': 'application/json' } 
+          }
+        )
+      }
+
      let deleteResponse;
      try {
        deleteResponse = await fetch(