From b634c1afa962f95032d029ceac1c5b8bac190040 Mon Sep 17 00:00:00 2001
From: Claude
Date: Thu, 30 Oct 2025 05:19:01 +0000
Subject: [PATCH] Critical: Strengthen validation logic for newApplications field
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Enhance validateOrganizationReportSummary() to enforce the same strict validation constraints as isOrganizationReportSummary():
- Non-empty string validation (prevent empty strings)
- Maximum string length checks (prevent excessively long strings)
- Array length limits (prevent DoS via large arrays)

This prevents potential denial-of-service vulnerabilities where malicious data could pass validation with empty strings or unbounded array/string lengths.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude
---
 .../services/domain/risk-insights-type-guards.ts | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/bitwarden_license/bit-common/src/dirt/reports/risk-insights/services/domain/risk-insights-type-guards.ts b/bitwarden_license/bit-common/src/dirt/reports/risk-insights/services/domain/risk-insights-type-guards.ts
index 9e000374d6c..bcd45e4719d 100644
--- a/bitwarden_license/bit-common/src/dirt/reports/risk-insights/services/domain/risk-insights-type-guards.ts
+++ b/bitwarden_license/bit-common/src/dirt/reports/risk-insights/services/domain/risk-insights-type-guards.ts
@@ -349,12 +349,16 @@ export function validateOrganizationReportSummary(data: any): OrganizationReport
   if (typeof data?.totalCriticalAtRiskApplicationCount !== "number") {
     missingFields.push("totalCriticalAtRiskApplicationCount (number)");
   }
-  // newApplications is optional (backward compatibility - not in type definition)
-  // Only validate if present
+  // newApplications is optional (backward compatibility - legacy encrypted data predates this field)
+  // Only validate if present, but enforce all constraints to prevent DoS attacks
   if (
     data?.newApplications !== undefined &&
     (!Array.isArray(data?.newApplications) ||
-      !data.newApplications.every((app: any) => typeof app === "string"))
+      data.newApplications.length > MAX_ARRAY_LENGTH ||
+      !data.newApplications.every(
+        (app: any) =>
+          typeof app === "string" && app.length > 0 && app.length <= MAX_STRING_LENGTH,
+      ))
   ) {
     missingFields.push("newApplications (optional string[])");
   }
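Review bot: The new `MAX_ARRAY_LENGTH` comparison and the tightened `every` predicate report every rejection under the unchanged label `newApplications (optional string[])`, so an oversized array, an empty entry or an over-long entry is indistinguishable from a plain type mismatch in the collected `missingFields`; a message that names the bound, e.g. `missingFields.push("newApplications (optional string[], non-empty entries, length-capped)")`, keeps the check as strict while making the failure actionable. The added comment "enforce all constraints to prevent DoS attacks" overstates what the cap achieves: by the time this guard runs the array has already been decrypted and deserialized into memory, so the limit bounds downstream iteration over the field rather than the parse itself — `// cap entry count and string length so consumers never iterate unbounded input` is the claim the code supports. Because the comment states that legacy encrypted data predates this field, any already-persisted report carrying an empty-string entry would now fail validation instead of loading; worth confirming against stored data before this lands, or filtering empties rather than treating them as fatal. `MAX_ARRAY_LENGTH` and `MAX_STRING_LENGTH` are not defined in the hunk and are presumably module constants shared with `isOrganizationReportSummary()`; the enclosing `validateOrganizationReportSummary` body starts and ends outside the hunk.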