fix(gateway,inventory): trust model hardening (#5)

- Renamed SERVICE_LEVEL_AUTH to GATEWAY_KEY_SERVICES (clarifies intent) - Removed /debug-nocodb endpoint from inventory (exposed full table dump) - Hardened NocoDB search filter construction: strip (), ~, , chars to prevent filter injection. Reject queries under 2 chars. Files: gateway/dashboard.py, services/inventory/server.js
2026-03-29 13:48:18 -05:00
parent 7c05ef14c7
commit 7a7286ac1c
2 changed files with 9 additions and 62 deletions
--- a/services/inventory/server.js
+++ b/services/inventory/server.js
@@ -142,7 +142,11 @@ app.get('/search-records', async (req, res) => {
            return res.status(400).json({ error: 'Search term required' });
        }

-        const term = searchTerm.replace(/[%_]/g, ''); // sanitize wildcards
+        // Sanitize: strip NocoDB filter operators and special chars to prevent injection
+        const term = searchTerm.replace(/[%_()~,]/g, '').trim();
+        if (!term || term.length < 2) {
+            return res.json({ results: [] });
+        }

        // Server-side search across key fields using NocoDB like filter
        const where = [
@@ -358,64 +362,6 @@ app.get('/summary', async (req, res) => {
    }
 });

-// Debug endpoint to check NocoDB connection and data
-app.get('/debug-nocodb', async (req, res) => {
-    try {
-        console.log('Debug: Testing NocoDB connection...');
-        console.log('Config:', {
-            url: config.ncodbUrl,
-            baseId: config.baseId,
-            tableId: config.tableId,
-            hasToken: !!config.apiToken
-        });
-        
-        // Fetch all records with pagination
-        let allRows = [];
-        let offset = 0;
-        const limit = 1000;
-        let hasMore = true;
-        
-        while (hasMore && offset < 10000) {
-            const response = await axios.get(
-                config.ncodbUrl + '/api/v1/db/data/noco/' + config.baseId + '/' + config.tableId,
-                {
-                    headers: {
-                        'xc-token': config.apiToken,
-                        'Accept': 'application/json'
-                    },
-                    params: { 
-                        limit: limit,
-                        offset: offset
-                    }
-                }
-            );
-            
-            const pageRows = response.data.list || [];
-            allRows = allRows.concat(pageRows);
-            hasMore = pageRows.length === limit;
-            offset += limit;
-        }
-        
-        res.json({
-            success: true,
-            totalRowsRetrieved: allRows.length,
-            sampleRow: allRows[0] || null,
-            fieldNames: allRows.length > 0 ? Object.keys(allRows[0]) : [],
-            firstThreeRows: allRows.slice(0, 3),
-            message: `Successfully retrieved ${allRows.length} total records`
-        });
-        
-    } catch (error) {
-        console.error('Debug error:', error.message);
-        res.status(500).json({ 
-            error: 'Failed to connect to NocoDB',
-            message: error.message,
-            responseData: error.response?.data,
-            status: error.response?.status
-        });
-    }
-});
-
 // Get items with issues (full details)
 app.get('/issues', async (req, res) => {
    try {