Fix security vulnerabilities

gpt-engineer-app[bot]
2025-10-16 20:01:21 +00:00
parent f176c28df6
commit cdd9e6c8c6
7 changed files with 192 additions and 5 deletions


@@ -0,0 +1,44 @@
-- Fix database functions missing SET search_path protection
-- This prevents schema poisoning attacks
-- Fix has_aal2 function
CREATE OR REPLACE FUNCTION public.has_aal2()
RETURNS boolean
LANGUAGE sql
STABLE SECURITY DEFINER
SET search_path = public
AS $function$
SELECT COALESCE((auth.jwt()->>'aal')::text = 'aal2', false);
$function$;
-- Fix generate_deletion_confirmation_code function
CREATE OR REPLACE FUNCTION public.generate_deletion_confirmation_code()
RETURNS text
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = public
AS $function$
DECLARE
code TEXT;
BEGIN
code := LPAD(FLOOR(RANDOM() * 1000000)::TEXT, 6, '0');
RETURN code;
END;
$function$;
-- Fix hash_ip_address function
CREATE OR REPLACE FUNCTION public.hash_ip_address(ip_text text)
RETURNS text
LANGUAGE plpgsql
IMMUTABLE
SECURITY DEFINER
SET search_path = public
AS $function$
BEGIN
-- Use SHA256 hash with salt
RETURN encode(
digest(ip_text || 'thrillwiki_ip_salt_2025', 'sha256'),
'hex'
);
END;
$function$;
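Review bot: `SET search_path = public` on all three `SECURITY DEFINER` functions still resolves unqualified names through a schema that other roles may be able to create objects in. PostgreSQL's guidance for such functions is to exclude every schema untrusted users can write to and to list `pg_temp` last. Since `auth.jwt()` is already schema-qualified, I would use `SET search_path = ''` (or at minimum `SET search_path = public, pg_temp`) and qualify the remaining non-catalog calls. In `hash_ip_address` the unqualified `digest(...)` comes from pgcrypto, so if that extension is installed outside `public` the new setting stops the call from resolving; writing it as `<pgcrypto_schema>.digest(...)` avoids that. Neither `generate_deletion_confirmation_code` nor `hash_ip_address` appears to touch any table, so dropping `SECURITY DEFINER` from those two would probably remove the exposure altogether.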