From f91cb16005a4ee2af7cb2c268b2cdc9abcf74174 Mon Sep 17 00:00:00 2001
From: Vadym Samoilenko
Date: Wed, 6 May 2026 09:45:28 +0100
Subject: [PATCH] fix(middleware): add word boundaries to injection patterns; default role to admin
- Add \b word boundaries to SQL injection and command injection regex patterns to prevent false positives on names like "Josh Smith" (sh\s+), "Norm " (rm\s+)
- Change default role in CreateUserModal from 'client' to 'admin'
Co-Authored-By: Claude Sonnet 4.6
---
 backend/app/middleware/validation.py | 4 ++--
 frontend/src/routes/admin/UserList.tsx | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/backend/app/middleware/validation.py b/backend/app/middleware/validation.py
index 2b8d6cd..04dc30f 100644
--- a/backend/app/middleware/validation.py
+++ b/backend/app/middleware/validation.py
@@ -44,7 +44,7 @@ class RequestValidator:
 # Security patterns to block
 self.malicious_patterns = [
 # SQL injection patterns
- r"(union|select|insert|update|delete|drop|create|alter)\s+",
+ r"\b(union|select|insert|update|delete|drop|create|alter)\b\s+",
 r"vbscript:", # vbscript protocol injection
 r"\b(onload|onerror|onclick)\s*=", # HTML event handler attribute injection
 r"<\s*script[^>]*>",
@@ -59,7 +59,7 @@ class RequestValidator:
 # Command injection (removed $ to allow MongoDB operators in controlled contexts)
 r"[;&|`](?!\s*$)", # Allow $ but not as command separator
- r"(rm|wget|curl|nc|bash|sh|cmd|powershell)\s+",
+ r"\b(rm|wget|curl|nc|bash|sh|cmd|powershell)\b\s+",
 # MongoDB injection — NoSQL operator abuse
 r"\$where|\$expr|\$function|\$accumulator"
diff --git a/frontend/src/routes/admin/UserList.tsx b/frontend/src/routes/admin/UserList.tsx
index 8f0569e..5e3c648 100644
--- a/frontend/src/routes/admin/UserList.tsx
+++ b/frontend/src/routes/admin/UserList.tsx
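Review bot: The new `\b(union|select|insert|update|delete|drop|create|alter)\b\s+` pattern still rejects ordinary prose that contains one of these English words followed by a space (`please update my address`, `create a ticket`, `delete my account`), while a payload that omits the trailing whitespace — `select(1)`, `union/**/select`, `select/**/password` — is not matched, so the `\b` fix narrows the false positives from the commit message but does not make this line a meaningful SQL-injection control. Treat `malicious_patterns` as defense in depth and make sure every database call reached by these values is parameterized; that code is not in this diff, so I cannot confirm it. If the pattern is kept, anchoring it on an actual SQL shape cuts the noise, e.g. `r"\bunion\b\s+(all\s+)?\bselect\b"` and `r"\b(select|delete)\b[^\n]*\bfrom\b"`, and a comment above the list such as `# Heuristic denylist only — the real control is parameterized queries at the data layer` would stop the next reader from relying on it. Whether these patterns are compiled with `re.IGNORECASE` is not visible here; without it `SELECT` in upper case is not matched at all. The method that builds `self.malicious_patterns` starts and ends outside this hunk.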
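Review bot: `\b(rm|wget|curl|nc|bash|sh|cmd|powershell)\b\s+` still fires on plain English (`a birthday bash for`, `curl up with`) and is bypassed by any payload that does not put whitespace directly after the binary name — `rm${IFS}-rf`, `r\m -rf`, `wget${IFS}http://…` — so the word boundaries remove the `Norm`/`Smith` false positives without making the check a control against command injection. The separator pattern on the line above deliberately lets `$` through and does not cover `$(…)` or a newline, so the only dependable defense is at the sink: never build a shell string from request values, i.e. `subprocess.run([...], shell=False)` with an argv list; whether any such sink exists is not visible in this diff. A comment on this entry, `# Heuristic only — request values must never reach a shell; see the subprocess call sites`, would make that explicit. As with the SQL list, the flags used to compile these patterns are not visible, and without `re.IGNORECASE` `RM -RF` or `Curl` pass untouched. The enclosing method starts and ends outside this hunk.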
@@ -377,7 +377,7 @@ function CreateUserModal({ onClose, onSuccess }: { onClose: () => void; onSucces
 email: '',
 password: '',
 full_name: '',
- role: 'client' as UserRole,
+ role: 'admin' as UserRole,
 });
 const createUserMutation = useCreateUser();
 const toast = useToastContext();
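Review bot: Initialising `role` to `'admin'` in the create-user form means an operator who fills in email, password and full name and never touches the role selector creates a fully privileged account, which inverts least privilege on exactly the path where a slip is cheapest to make. The commit message states the change but gives no reason for it, and it is bundled with an unrelated middleware regex fix, so it is easy to wave through in review; a privilege-default change deserves its own commit and rationale. Unless the product requirement is that this modal only ever creates admins, keep the least-privileged member of `UserRole` as the initial state and make admin an explicit choice — `role: 'client' as UserRole,` — and if admin really must be the default, add a comment on the field saying why and who approved it. Whether the backend independently restricts who may assign `'admin'` is not visible in this diff; a UI default should not be the only thing between a missed click and a new administrator. `CreateUserModal` starts and ends outside this hunk.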