Skip to content

fix: security fixes from P3 trilhas audit + upgrade Next.js to 16.2.10#79

Draft
caimanoliveira wants to merge 3 commits into
mainfrom
claude/kind-keller-tftp0d
Draft

fix: security fixes from P3 trilhas audit + upgrade Next.js to 16.2.10#79
caimanoliveira wants to merge 3 commits into
mainfrom
claude/kind-keller-tftp0d

Conversation

@caimanoliveira

Copy link
Copy Markdown
Owner

Summary

  • Upgrade Next.js 16.2.0 → 16.2.10 to patch 14 CVEs: middleware/proxy bypass (GHSA-267c, GHSA-492v, GHSA-26hh), DoS via Server Components and Image API (GHSA-q4gf, GHSA-8h8q, GHSA-h64f), cache poisoning (GHSA-3g8h, GHSA-vfv6, GHSA-wfc6), XSS (GHSA-ffhc, GHSA-gx5p), and SSRF via WebSocket upgrades (GHSA-c4j6). Also fixes a ws uninitialized memory disclosure.
  • Fix IDOR in /api/exportar-star: the route was querying mentorado_trilhas filtered only by trilha_slug, with no check that the row belonged to the authenticated user's mentorado_id. Added a lookup of the caller's mentorado record and applied .eq('mentorado_id', mentorado.id) to the query.
  • Fix silent crash in getEtapa(): accessing .etapas on an undefined trilha (from an unknown slug) caused an uncaught TypeError (HTTP 500). Added a null guard that returns null before the property access, consistent with the existing getTrilhaSafe pattern.
  • Fix silent upsert failures in saveResposta and completeEtapa: both server actions were ignoring the Supabase error return from .upsert(). A DB constraint violation or RLS denial would silently drop the write and then run completion logic against stale data. Now both propagate the error via throw.
  • Add input length limits to schemas: starBuilderRespostaSchema fields capped at 2000 chars each and record keys at 100 chars; bancoPerguntasRespostaSchema.favoritas capped at 200 items. Prevents unbounded DB writes and PDF renderer memory exhaustion.

What was audited

No commits in the last 24 hours. This PR covers the security and correctness findings from an automated audit of the P3 trilhas feature landed in PR #1 (merged 2026-04-18).

Remaining known issues (not fixed here)

  • /api/exportar-pdf uses a service-role client with select("*") after a single ownership check — defense-in-depth improvement, no active exploit.
  • submitPlanoAcaoInput hardcodes .length(3) instead of reading n_acoes from etapa config — mismatch only matters if a trilha is configured with n_acoes ≠ 3.
  • Widget components use as unknown as Config double-cast — TypeScript safety improvement, not a runtime risk.
  • Completion check in completeEtapa/submitPlanoAcao is non-atomic (TOCTOU) — benign for the current usage pattern (last write wins with same timestamp direction).
  • postcss < 8.5.10 moderate CVE remains in Next.js's own vendored copy — no upstream fix available without downgrading Next.js to a breaking version.

Generated by Claude Code

- Upgrade Next.js 16.2.0 → 16.2.10 to patch 14 CVEs (middleware bypass,
  DoS, XSS, cache poisoning — GHSA-q4gf, GHSA-3g8h, GHSA-ffhc, et al.)
- Fix IDOR in /api/exportar-star: bind query to authenticated user's
  mentorado_id before fetching mentorado_trilhas (no ownership check existed)
- Fix silent crash: add null guard in getEtapa() for unknown trilhaSlug
  (trilha.etapas.find would throw TypeError on undefined)
- Fix silent upsert failures in saveResposta and completeEtapa: propagate
  DB errors instead of silently continuing with stale completion state
- Add .max() limits to starBuilderRespostaSchema fields (2000 chars each)
  and bancoPerguntasRespostaSchema.favoritas (max 200 items) to prevent
  unbounded DB writes and PDF memory exhaustion
@vercel

vercel Bot commented Jul 9, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
mentoria-crm Error Error Jul 9, 2026 7:22am
splinter Ready Ready Preview, Comment Jul 9, 2026 7:22am
splinter-yhcm Ready Ready Preview, Comment Jul 9, 2026 7:22am

….gitignore

node_modules/.package-lock.json was accidentally tracked in git. Remove it
from tracking since node_modules/ is already gitignored.
Add *.tsbuildinfo so TypeScript build artifacts do not appear as untracked
files after running next build.
Python 3.9 is no longer available on GitHub Actions ubuntu-latest runners
(available: 3.10–3.14). Bump to 3.12 and update actions from deprecated
checkout@v2 / setup-python@v1 (Node 20) to checkout@v4 / setup-python@v5.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants