fix(middleware): add word boundaries to injection patterns; default role to admin

- Add \b word boundaries to SQL injection and command injection regex patterns
  to prevent false positives on names like "Josh Smith" (sh\s+), "Norm " (rm\s+)
- Change default role in CreateUserModal from 'client' to 'admin'

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Vadym Samoilenko 2026-05-06 09:45:28 +01:00
parent 3a2bbc9ca0
commit f91cb16005
2 changed files with 3 additions and 3 deletions


@ -44,7 +44,7 @@ class RequestValidator:
# Security patterns to block
self.malicious_patterns = [
# SQL injection patterns
r"(union|select|insert|update|delete|drop|create|alter)\s+",
r"\b(union|select|insert|update|delete|drop|create|alter)\b\s+",
r"vbscript:", # vbscript protocol injection
r"\b(onload|onerror|onclick)\s*=", # HTML event handler attribute injection
r"<\s*script[^>]*>",
@ -59,7 +59,7 @@ class RequestValidator:
# Command injection (removed $ to allow MongoDB operators in controlled contexts)
r"[;&|`](?!\s*$)", # Allow $ but not as command separator
r"(rm|wget|curl|nc|bash|sh|cmd|powershell)\s+",
r"\b(rm|wget|curl|nc|bash|sh|cmd|powershell)\b\s+",
# MongoDB injection — NoSQL operator abuse
r"\$where|\$expr|\$function|\$accumulator"
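Review bot: The new SQL pattern `r"\b(union|select|insert|update|delete|drop|create|alter)\b\s+"` still rejects ordinary prose — any field containing "select ", "update ", "create " or "delete " followed by another word — so the word boundaries remove the substring false positives named in the commit message but leave the word-level ones in place. If the intent is to catch SQL syntax rather than English words, anchoring on keyword pairs narrows it considerably, e.g. `r"\b(union\s+(all\s+)?select|select\s+.+?\s+from|insert\s+into|update\s+\w+\s+set|delete\s+from|drop\s+(table|database)|alter\s+table)\b"`, and the same reasoning applies to the command-injection pattern in the second hunk, where `nc`, `sh` and `cmd` remain common tokens in free text. Whether these patterns are compiled with re.IGNORECASE is not visible here, so case handling should be confirmed. The list would also benefit from a header comment stating its role, such as `# Heuristic denylist only: input must still reach the DB via parameterized queries and must never be passed to a shell`. `self.malicious_patterns` is assigned inside a method that begins before this hunk.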


@ -377,7 +377,7 @@ function CreateUserModal({ onClose, onSuccess }: { onClose: () => void; onSucces
email: '',
password: '',
full_name: '',
role: 'client' as UserRole,
role: 'admin' as UserRole,
});
const createUserMutation = useCreateUser();
const toast = useToastContext();
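Review bot: Defaulting `role` to `'admin'` in the new-user form state (line `role: 'admin' as UserRole,`) makes the highest-privilege role the one granted whenever the operator does not touch the field, which inverts least privilege; the previous `'client'` default required admin to be chosen deliberately. If admin genuinely is the expected case for this modal, the reason belongs in a comment on that line, e.g. `// Default to admin: this modal is only reachable by admins creating staff accounts — confirm`, and the API must still reject any role assignment the caller is not permitted to make independently of the form default; that server-side check is not visible in this diff. The commit message records the change but not its motivation. CreateUserModal begins outside the hunk.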