fix: address OWASP security review findings for v2 API endpoints #30
Open
mukama wants to merge 10 commits into tetherto:develop from
The limit param was in the cache key but unused in the handler. Now reads limit from query (default 10080) and truncates results. Adds schema validation with min/max bounds.
Prevents negative timestamps from passing schema validation on balanceHistory and poolStatsAggregate endpoints.
Adds SAFE_ERROR_MESSAGES allowlist to prevent leaking internal error details. Adds X-Content-Type-Options and Cache-Control security headers via onSend hook.
Replace SAFE_ERROR_MESSAGES allowlist Set with a simple startsWith('ERR_') check in the onError hook.
tekwani reviewed Mar 10, 2026
…unused limit param
tekwani approved these changes Mar 10, 2026
Summary
Addresses OWASP security review findings flagged by Roberto for 5 API v2 endpoints:
- `GET /auth/metrics/power-mode/timeline` — Implement `limit` query parameter (default 10080, max 50000) to cap result size. Previously `limit` was in the cache key but unused in the handler (OWASP 4)
- `minimum: 0` to all `start`/`end` schema properties across metrics and pools schemas to reject negative timestamps (OWASP 4, 8)
- `SAFE_ERROR_MESSAGES` allowlist; unknown errors now return generic "Bad Request" instead of leaking internal details (OWASP 8)
- `X-Content-Type-Options: nosniff` and `Cache-Control: no-store` via `onSend` hook (OWASP 8)

Endpoints addressed
- `GET /auth/site/status/live`
- `GET /auth/pools`
- `GET /auth/metrics/hashrate`
- `GET /auth/metrics/efficiency`
- `GET /auth/metrics/power-mode/timeline`
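
Added example, not code from this pull request: a framework-free JavaScript sketch of the four controls the description lists, with the allowlist and the `startsWith('ERR_')` check side by side so the difference is testable (a prefix check passes any message that begins with `ERR_`, including text appended after the code). The function names, the lower bound of 1 for `limit`, and the sample error codes are assumptions; only the defaults, the maximum, the `minimum: 0` rule, the `ERR_` prefix, "Bad Request" and the header values come from the page.

```javascript
// Added illustration; names are hypothetical unless quoted in the PR text.
const LIMIT_DEFAULT = 10080; // from the PR description
const LIMIT_MAX = 50000;     // from the PR description
const LIMIT_MIN = 1;         // assumption: the page does not state the lower bound

// Accept only plain base-10 integers; anything else becomes NaN.
const toInt = (v) => (/^-?\d+$/.test(String(v)) ? Number(v) : NaN);

// Mirror the described schema: bounded limit, start/end with minimum 0.
function parseQuery(query) {
  const out = { limit: LIMIT_DEFAULT };
  if (query.limit !== undefined) {
    const n = toInt(query.limit);
    if (!Number.isInteger(n) || n < LIMIT_MIN || n > LIMIT_MAX) {
      throw new Error('ERR_INVALID_LIMIT');
    }
    out.limit = n;
  }
  for (const key of ['start', 'end']) {
    if (query[key] === undefined) continue;
    const ts = toInt(query[key]);
    if (!Number.isInteger(ts) || ts < 0) {
      throw new Error(`ERR_INVALID_${key.toUpperCase()}`);
    }
    out[key] = ts;
  }
  return out;
}

// Truncate in the handler so the limit in the cache key is actually honoured.
const truncate = (rows, limit) => rows.slice(0, limit);

// Constructed set of codes that are safe to show to a client.
const SAFE = new Set(['ERR_INVALID_LIMIT', 'ERR_INVALID_START', 'ERR_INVALID_END']);

// Allowlist: only exact, known messages reach the client.
const byAllowlist = (err) => (SAFE.has(err.message) ? err.message : 'Bad Request');

// Prefix check: any message starting with ERR_ reaches the client unchanged.
const byPrefix = (err) =>
  (typeof err.message === 'string' && err.message.startsWith('ERR_')
    ? err.message
    : 'Bad Request');

// Headers the PR attaches to every response.
const securityHeaders = () => ({
  'X-Content-Type-Options': 'nosniff',
  'Cache-Control': 'no-store',
});
```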