Release#150
…address-based analytics
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit e2c6d27.
    if (startDate > endDate) {
      throw new BadRequestException('Start date must be before end date');
    }
Invalid date inputs bypass validation causing 500 errors
Medium Severity
When start_date or end_date query params contain non-date strings (e.g., ?start_date=abc), moment('abc').toDate() returns Invalid Date. The subsequent comparison startDate > endDate with Invalid Date always evaluates to false (since comparisons involving NaN return false), so the validation check passes. The invalid dates then reach PostgreSQL's BETWEEN $1 AND $2 clause, causing an unhandled database type error that surfaces as a 500 Internal Server Error instead of a 400 Bad Request.
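The failure mode Bugbot describes above, as an added example that is not part of the PR's code: BadRequestException here is a stand-in for the NestJS exception, and new Date() stands in for moment(...).toDate(), which yields the same Invalid Date for non-date input. The hardened variant is one way to reject such input with a 400 before the values reach the BETWEEN clause.

```javascript
// Added example, not the PR's code. BadRequestException is a stand-in for the
// NestJS exception; new Date(x) stands in for moment(x).toDate() (same Invalid Date).
class BadRequestException extends Error {
  constructor(message) { super(message); this.status = 400; }
}

// Mirrors the reviewed check. new Date('abc') is Invalid Date (getTime() === NaN),
// and any `<` or `>` comparison against NaN is false, so the guard never fires
// and the Invalid Date values are handed on to the database query.
function vulnerableRange(start, end) {
  const startDate = new Date(start);
  const endDate = new Date(end);
  if (startDate > endDate) {
    throw new BadRequestException('Start date must be before end date');
  }
  return { startDate, endDate }; // may carry Invalid Date into the query
}

// Hardened version: validate each parameter explicitly, then compare timestamps.
function parseDateParam(name, value) {
  // Accept only YYYY-MM-DD; anything else (missing, 'abc', SQL text) is a 400.
  if (typeof value !== 'string' || !/^\d{4}-\d{2}-\d{2}$/.test(value)) {
    throw new BadRequestException(`${name} must be a date in YYYY-MM-DD format`);
  }
  const parsed = new Date(`${value}T00:00:00Z`);
  // Number.isNaN(getTime()) is the reliable Invalid Date test; `!parsed` is not.
  if (Number.isNaN(parsed.getTime())) {
    throw new BadRequestException(`${name} is not a valid calendar date`);
  }
  return parsed;
}

function validatedRange(start, end) {
  const startDate = parseDateParam('start_date', start);
  const endDate = parseDateParam('end_date', end);
  // Numeric comparison: both sides are now guaranteed finite timestamps.
  if (startDate.getTime() > endDate.getTime()) {
    throw new BadRequestException('Start date must be before end date');
  }
  return { startDate, endDate };
}

// Returns the HTTP status a handler would send: 200 on success, 400 for the
// validation exception, 500 for anything else (the unhandled DB error case).
function statusFor(handler, ...args) {
  try { handler(...args); return 200; }
  catch (e) { return e instanceof BadRequestException ? e.status : 500; }
}
```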


Note
Medium Risk
Touches multiple security-sensitive surfaces (CORS/headers, API key auth, DB sync safeguards, WebSocket behavior) and adds new analytics queries, so misconfiguration or validation mistakes could impact availability or exposure despite mostly additive/defensive changes.
Overview
Hardens production deployments and public API surfaces. Adds helmet headers, configurable CORS via ALLOWED_ORIGINS, disables GraphQL introspection/GraphiQL and Swagger by default in production, runs Docker as non-root, binds Postgres/Redis ports to loopback in compose files, supports optional REDIS_PASSWORD, and forces DB_SYNC off in production with stricter DB config parsing.

Reduces injection/PII risks and tightens input validation. Adds allowlists and bounds checks for pagination/order/search across many REST + GraphQL endpoints, switches several raw SQL paths to parameterized queries (notably token rankings, pair history, token de-dup cleanup), introduces safe middleware pagination URL resolution to prevent off-origin next cursors, clamps sparkline SVG dimensions, and strengthens TRENDING_TAGS_API_KEY handling (no default, min length, constant-time compare). Also removes unauthenticated WebSocket message relaying and limits unauthenticated affiliation invite responses to minimal fields.

Adds new BCL “challenge analytics” capability. Introduces GET /analytics/challenge (and a preview page) returning per-address/per-day totals for posts, trades/volume, created tokens, and realized PnL, wired via a new service and UI view.