Potential fix for code scanning alert no. 26: Server-side request forgery

tacxou · github-advanced-security[bot] · web-flow · commit 8f5e0e601e1e · 2025-05-13T11:27:14.000+02:00
Co-authored-by: Copilot Autofix powered by AI &lt;62310815+github-advanced-security[bot]@users.noreply.github.com&gt;
diff --git a/src/app.controller.ts b/src/app.controller.ts
@@ -83,8 +83,12 @@ export class AppController extends AbstractController {
     @Param('project') project?: string,
     @Query('current') current?: string,
   ): Promise<Response> {
+    const validProjects = ['sesame-orchestrator', 'sesame-daemon', 'sesame-app-manager'];
+    if (!validProjects.includes(project)) {
+      throw new BadRequestException(`Invalid project: ${project}`);
+    }
+
     let data = <GithubUpdate>{};
-    // console.log('this.storage', storage.get(project))
     if (storage.has(project)) {
       this.logger.log(`Fetching ${project} tags from cache`);
       data = storage.get(project) as GithubUpdate;
@@ -96,7 +100,6 @@ export class AppController extends AbstractController {
       data = await update.json();
       console.log('update', data)
       storage.set(project, data);
-      // console.log('this.storage', storage.get(project))
     }
     // if (!Array.isArray(data)) {
     //   throw new BadRequestException(`Invalid data from Github <${JSON.stringify(data)}>`);
