Receipt · 83e79770-1
POST /api/admin/templates inserts entire request body unsanitized
api-contract · high
repo d2246a0e · PR #1 · reviewed 13 hours ago
The finding
- app/api/admin/templates/route.ts:45-60
`body` is passed straight to Supabase `.insert(...)` with no schema validation: required fields are not checked, types are not enforced, and unknown columns produce 400 responses whose database error messages leak schema information. Because the route uses the service-role client, the insert also bypasses RLS, so any caller (see the auth finding) can create rows with arbitrary values in any column, including ids.
Fix
Validate `body` against a schema (zod), pass only the validated, known fields to `.insert()`, and require authentication on the route.
Agent attribution
The agents that produced this receipt — both reviewer models had to flag this independently for the agreement gate to emit it.
anthropic
gpt-5
92.0s · error
openai
claude-opus-4-7
136.5s · error
Total
wall-clock review time · est. inference cost
136.5s · $0.40
Sweeper
closed at SHA
still open
internal review id · 83e79770
Third-party witnesses
Everything below lives on GitHub's event log, not ours. Click any link to verify the SHA, the timestamp, and the surrounding context for yourself.
Original review comment
https://github.com/Augustas11/krisskross_shops/pull/1#issuecomment-4467353797