Fix/security and bugs#95
Open
Rajaykumar12 wants to merge 7 commits into
Open
Conversation
Replace Math.random()-based genSecret with Node crypto.randomBytes to generate AUTH_SECRET, POSTGRES_PASSWORD, and REDIS_PASSWORD.
Add boundary check to ensure resolved file path stays within the dist directory before serving, returning 403 for traversal attempts.
Both fields were referenced throughout the codebase but absent from the schema, causing Mongoose to silently discard writes to them.
Replace pre-check uniqueness loop with a retry-on-duplicate strategy that relies on the MongoDB unique index to atomically enforce uniqueness, preventing duplicate joinId collisions under concurrent requests.
Use Submission.create() for new submissions (Mongoose pre-assigns _id on construction so the old guard was always false) and findByIdAndUpdate with $set/$push for updates, ensuring concurrent submits do not overwrite each other and data is always persisted to MongoDB. Also add NaN guard on MCQ correctAnswer index parsing to handle malformed stored values without crashing.
Add isNaN check after parsing du output to avoid propagating NaN bytes when the command returns unexpected output.
- Remove unused jwtVerify import from contestAuth middleware - Fix MCQ problem filtering to use p.type instead of deprecated p.questionType field, correcting nav order in attempt view - Remove no-op setLiveLog identity call in LogsContext on stream end - Wrap all localStorage calls in try-catch to handle private browsing and storage quota errors gracefully
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Math.random()withcrypto.randomBytesfor generatingAUTH_SECRET,POSTGRES_PASSWORD, andREDIS_PASSWORD—Math.randomis not cryptographically securedistdirectory with a 403violationsandstatusfields to theContestMongoose schema — both were read/written throughout the codebase but absent from the schema, causing Mongoose to silently discard all writesnew Submission()pre-assigns_id, so the old!submission._idguard was always false and the document was never inserted; replaced withSubmission.create()for new docs andfindByIdAndUpdatefor updatesp.questionTypeis deprecated; switch top.type === "mcq"/p.type === "coding"so MCQ/coding tabs sort correctly in the attempt viewNaNguard on MCQcorrectAnswerindex parsing — malformed stored values no longer crash the scorerNaNin admin daemon disk usage —duoutput mismatch no longer propagatesNaNbytes to the status APIjwtVerifyimport fromcontestAuthmiddlewaresetLiveLog((prev) => prev || null)identity call inLogsContexton stream endlocalStoragecalls intry/catchto handle private browsing and storage quota errors