chore: more validation, use frozen lockfile in ci, remove on delete cascade

explodingcamera · explodingcamera · commit 9e20c1d7de0a · 2026-06-03T21:53:50.000+02:00
Signed-off-by: Henry &lt;mail@henrygressmann.de&gt;
diff --git a/.github/workflows/container.yaml b/.github/workflows/container.yaml
@@ -21,11 +21,11 @@ jobs:
 
     runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           persist-credentials: false
       - name: Setup Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
       - name: Extract Semver
         id: semver
         env:
@@ -34,7 +34,7 @@ jobs:
           SEMVER_VERSION=$(echo "$INPUT_TAG" | sed -E 's/liwan-v//')
           echo "SEMVER_VERSION=${SEMVER_VERSION}" >> "$GITHUB_OUTPUT"
       - name: Setup Docker Metadata
-        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
+        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0
         id: meta
         with:
           images: ghcr.io/${{ github.actor }}/liwan
@@ -44,7 +44,7 @@ jobs:
             type=semver,pattern={{major}},value=${{ steps.semver.outputs.SEMVER_VERSION }}
             type=raw,edge
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -66,7 +66,7 @@ jobs:
 
           wait
       - name: Build and push Docker images
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
         with:
           context: .
           file: ./scripts/Containerfile
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -11,7 +11,7 @@ jobs:
       contents: write
     runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           persist-credentials: false
       - uses: taiki-e/create-gh-release-action@eba8ea96c86cca8a37f1b56e94b4d13301fba651 # v1.11.0
@@ -27,7 +27,7 @@ jobs:
     permissions:
       contents: write
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           persist-credentials: false
       - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
@@ -36,7 +36,7 @@ jobs:
           no-cache: true
       - name: Build web project
         run: |
-          bun install
+          bun install --frozen-lockfile
           bun run build
         working-directory: ./web
       - name: Upload web assets
@@ -64,7 +64,7 @@ jobs:
 
     runs-on: ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           persist-credentials: false
       - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
diff --git a/.github/workflows/test-web.yaml b/.github/workflows/test-web.yaml
@@ -19,7 +19,7 @@ jobs:
     permissions:
       contents: read
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           persist-credentials: false
       - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -23,7 +23,7 @@ jobs:
     name: Run tests on ${{ matrix.os }}
     runs-on: ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           persist-credentials: false
       - uses: actions-rust-lang/setup-rust-toolchain@46268bd060767258de96ed93c1251119784f2ab6 # v1.16.1
diff --git a/src/app/core/entities.rs b/src/app/core/entities.rs
@@ -71,6 +71,7 @@ impl LiwanEntities {
     pub fn delete(&self, id: &str) -> Result<()> {
         let mut conn = self.pool.get()?;
         let tx = conn.transaction()?;
+        tx.execute("delete from entity_settings where entity_id = ?", rusqlite::params![id])?;
         tx.execute("delete from entities where id = ?", rusqlite::params![id])?;
         tx.execute("delete from project_entities where entity_id = ?", rusqlite::params![id])?;
         tx.commit()?;
diff --git a/src/app/core/projects.rs b/src/app/core/projects.rs
@@ -126,6 +126,7 @@ impl LiwanProjects {
     pub fn delete(&self, id: &str) -> Result<()> {
         let mut conn = self.pool.get()?;
         let tx = conn.transaction()?;
+        tx.execute("delete from project_settings where project_id = ?", rusqlite::params![id])?;
         tx.execute("delete from projects where id = ?", rusqlite::params![id])?;
         tx.execute("delete from project_entities where project_id = ?", rusqlite::params![id])?;
         tx.commit()?;
diff --git a/src/app/core/settings.rs b/src/app/core/settings.rs
@@ -131,7 +131,8 @@ impl LiwanSettings {
         Ok(())
     }
 
-    fn reload(&self) -> Result<()> {
+    /// Reload collection settings from SQLite into the in-memory cache
+    pub fn reload(&self) -> Result<()> {
         let cache = SettingsCache::load(&self.pool)?;
         *self.cache.write().expect("collection settings cache poisoned") = cache;
         Ok(())
diff --git a/src/lib.rs b/src/lib.rs
@@ -1,3 +1,5 @@
+pub const PASSWORD_MIN_LENGTH: usize = 8;
+
 pub mod app;
 pub mod cli;
 pub mod config;
diff --git a/src/migrations/app/V2__settings.sql b/src/migrations/app/V2__settings.sql
@@ -27,12 +27,12 @@ create table entity_settings (
     history_mode text not null default 'inherit',
     history_days integer,
     ingest_drop_rules_json text not null default '[]',
-    foreign key (entity_id) references entities(id) on delete cascade
+    foreign key (entity_id) references entities(id)
 );
 
 create table project_settings (
     project_id text primary key not null,
     metric_display_overrides_json text not null default '{}',
     dimension_display_overrides_json text not null default '{}',
-    foreign key (project_id) references projects(id) on delete cascade
+    foreign key (project_id) references projects(id)
 );
diff --git a/src/web/routes/admin.rs b/src/web/routes/admin.rs
@@ -11,11 +11,14 @@ use schemars::JsonSchema;
 use serde::{Deserialize, Serialize};
 
 use crate::{
-    app::models::{
-        CollectionSettings, Entity, EntityCollectionSettings, Project, ProjectDisplaySettings,
-        ResolvedCollectionSettings, UserRole,
+    PASSWORD_MIN_LENGTH,
+    app::{
+        models::{
+            CollectionSettings, Entity, EntityCollectionSettings, Project, ProjectDisplaySettings,
+            ResolvedCollectionSettings, UserRole,
+        },
+        reports::{Dimension, Metric},
     },
-    app::reports::{Dimension, Metric},
     utils::validate::can_access_project,
     web::{
         RouterState,
@@ -267,14 +270,18 @@ async fn update_user_password(
     app: State<RouterState>,
     Path(username): Path<String>,
     Auth(session_user): Auth,
-    password: Json<UpdatePasswordRequest>,
+    params: Json<UpdatePasswordRequest>,
 ) -> ApiResult<impl IntoApiResponse> {
     if session_user.role != UserRole::Admin || username != session_user.username {
         http_bail!(StatusCode::FORBIDDEN, "Forbidden")
     }
 
+    if params.password.len() < PASSWORD_MIN_LENGTH {
+        http_bail!(StatusCode::BAD_REQUEST, "password must be at least 8 characters long");
+    }
+
     app.users
-        .update_password(&username, &password.password)
+        .update_password(&username, &params.password)
         .http_err("Failed to update password", StatusCode::INTERNAL_SERVER_ERROR)?;
 
     Ok(empty_response())
@@ -301,14 +308,18 @@ async fn remove_user(
 async fn create_user(
     app: State<RouterState>,
     Auth(session_user): Auth,
-    user: Json<CreateUserRequest>,
+    params: Json<CreateUserRequest>,
 ) -> ApiResult<impl IntoApiResponse> {
     if session_user.role != UserRole::Admin {
         http_bail!(StatusCode::FORBIDDEN, "Forbidden")
     }
 
+    if params.password.len() < PASSWORD_MIN_LENGTH {
+        http_bail!(StatusCode::BAD_REQUEST, "password must be at least 8 characters long");
+    }
+
     let app = app.app.clone();
-    tokio::task::spawn_blocking(move || app.users.create(&user.username, &user.password, user.role, &[]))
+    tokio::task::spawn_blocking(move || app.users.create(&params.username, &params.password, params.role, &[]))
         .await
         .http_err("Failed to create user", StatusCode::INTERNAL_SERVER_ERROR)?
         .http_err("Failed to create user", StatusCode::INTERNAL_SERVER_ERROR)?;
@@ -646,6 +657,7 @@ async fn entity_delete_handler(
     }
 
     app.entities.delete(&entity_id).http_err("Failed to delete entity", StatusCode::INTERNAL_SERVER_ERROR)?;
+    app.settings.reload().http_err("Failed to reload collection settings", StatusCode::INTERNAL_SERVER_ERROR)?;
 
     Ok(empty_response())
 }
diff --git a/src/web/routes/auth.rs b/src/web/routes/auth.rs
@@ -13,6 +13,7 @@ use tokio::task::spawn_blocking;
 use tower_governor::{GovernorLayer, governor::GovernorConfigBuilder};
 
 use crate::{
+    PASSWORD_MIN_LENGTH,
     app::models::UserRole,
     utils::hash::session_token,
     web::{
@@ -72,6 +73,10 @@ async fn setup(app: State<RouterState>, Json(params): Json<SetupRequest>) -> Api
         http_bail!(StatusCode::UNAUTHORIZED, "invalid setup token");
     }
 
+    if params.password.len() < PASSWORD_MIN_LENGTH {
+        http_bail!(StatusCode::BAD_REQUEST, "password must be at least 8 characters long");
+    }
+
     app.users
         .create(&params.username, &params.password, UserRole::Admin, &[])
         .http_err("failed to create user", StatusCode::INTERNAL_SERVER_ERROR)?;
diff --git a/src/web/routes/event.rs b/src/web/routes/event.rs
@@ -50,6 +50,43 @@ struct EventRequest {
     orientation: Option<String>,
 }
 
+impl EventRequest {
+    fn validate(&self) -> Result<()> {
+        if self.entity_id.trim().is_empty() {
+            anyhow::bail!("entity_id cannot be empty");
+        }
+        if self.name.trim().is_empty() {
+            anyhow::bail!("name cannot be empty");
+        }
+
+        if self.entity_id.len() > 255 {
+            anyhow::bail!("entity_id cannot be longer than 255 characters");
+        }
+
+        if self.name.len() > 255 {
+            anyhow::bail!("name cannot be longer than 255 characters");
+        }
+
+        if self.screen_width.as_deref().map_or(false, |w| w.len() > 20) {
+            anyhow::bail!("screen_width cannot be longer than 20 characters");
+        }
+
+        if self.orientation.as_deref().map_or(false, |o| o.len() > 20) {
+            anyhow::bail!("orientation cannot be longer than 20 characters");
+        }
+
+        if self.referrer.as_deref().map_or(false, |r| r.len() > 256) {
+            anyhow::bail!("referrer cannot be longer than 256 characters");
+        }
+
+        if self.url.len() > 2048 {
+            anyhow::bail!("url cannot be longer than 2048 characters");
+        }
+
+        Ok(())
+    }
+}
+
 #[derive(Debug, Default, PartialEq, Eq)]
 struct Utm {
     source: Option<String>,
@@ -64,7 +101,7 @@ fn extract_query(url: &mut Url, keys: &[&str]) -> Option<String> {
         .iter()
         .find_map(|key| url.query_pairs().find(|(name, _)| name == *key).map(|(_, value)| value.into_owned()));
 
-    if value.is_some() {
+    if let Some(value) = &value {
         let filtered = url
             .query_pairs()
             .filter(|(name, _)| !keys.contains(&name.as_ref()))
@@ -79,6 +116,14 @@ fn extract_query(url: &mut Url, keys: &[&str]) -> Option<String> {
             let mut pairs = url.query_pairs_mut();
             pairs.extend_pairs(filtered.iter().map(|(name, value)| (name.as_str(), value.as_str())));
         }
+
+        if value.trim().is_empty() {
+            return None;
+        }
+
+        if value.len() > 255 {
+            return None;
+        }
     }
 
     value
@@ -106,6 +151,7 @@ async fn event_handler(
     let url = Url::from_str(&event.url).context("invalid url").http_err("invalid url", StatusCode::BAD_REQUEST)?;
     let app = state.app.clone();
     let events = state.events.clone();
+    event.validate().context("invalid event").http_err("invalid event", StatusCode::BAD_REQUEST)?;
 
     // run the event processing in the background
     let res = tokio::task::spawn_blocking(move || process_event(app, event, url, ip, user_agent))
diff --git a/web/bun.lock b/web/bun.lock
diff --git a/web/package.json b/web/package.json
@@ -17,7 +17,7 @@
 		"@fontsource-variable/stack-sans-headline": "^5.2.1",
 		"@icons-pack/react-simple-icons": "^13.13.0",
 		"@picocss/pico": "^2.1.1",
-		"@tanstack/react-query": "^5.100.14",
+		"@tanstack/react-query": "^5.101.0",
 		"d3-array": "^3.2.4",
 		"d3-ease": "^3.0.1",
 		"d3-geo": "^3.1.1",

Original file line number	Diff line number	Diff line change
`@@ -131,7 +131,8 @@ impl LiwanSettings {`
`131`	`131`	`Ok(())`
`132`	`132`	`}`
`133`	`133`
`134`		`- fn reload(&self) -> Result<()> {`
	`134`	`+ /// Reload collection settings from SQLite into the in-memory cache`
	`135`	`+ pub fn reload(&self) -> Result<()> {`
`135`	`136`	`let cache = SettingsCache::load(&self.pool)?;`
`136`	`137`	`*self.cache.write().expect("collection settings cache poisoned") = cache;`
`137`	`138`	`Ok(())`
Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,5 @@`
	`1`	`+pub const PASSWORD_MIN_LENGTH: usize = 8;`
	`2`	`+`
`1`	`3`	`pub mod app;`
`2`	`4`	`pub mod cli;`
`3`	`5`	`pub mod config;`