Add admin panel and notification service #1

Open: ericbrophy wants to merge 1 commit into main from feature/add-admin-panel

Conversation

@ericbrophy (Contributor)

New Features

  • Admin panel with user management, diagnostics, log viewer, and dashboard
  • Notification service for webhook-based alerting
  • File upload and encryption endpoints
  • Admin template rendering

Endpoints Added

  • GET /admin/users - List users by role
  • POST /admin/diagnostics - System diagnostics
  • GET /admin/logs - View log files
  • PUT /admin/users/:id - Update user
  • POST /admin/upload - File upload
  • POST /admin/encrypt - Data encryption
  • GET /admin/fetch-url - URL fetcher
  • GET /admin/dashboard - Admin dashboard
  • GET /admin/render - Template rendering
  • POST /admin/delete-all-users - Bulk user deletion

@sonarqubecloud

sonarqubecloud Bot commented Feb 9, 2026

Quality Gate failed

Failed conditions
5 Security Hotspots
B Maintainability Rating on New Code (required ≥ A)
E Security Rating on New Code (required ≥ A)
C Reliability Rating on New Code (required ≥ A)

See analysis details on SonarQube Cloud



Comment thread src/routes/admin.js
const sort = req.query.sort || 'username';
const query = `SELECT * FROM users WHERE role = '${role}' ORDER BY ${sort}`;
try {
const users = db.prepare(query).all();

Check failure (Code scanning / SonarCloud): Database queries should not be vulnerable to injection attacks (High). Change this code to not construct SQL queries directly from user-controlled data.
Comment thread src/routes/admin.js
app.post('/admin/diagnostics', (req, res) => {
const { command } = req.body;
// HIGH: Direct command execution from user input
exec(command, { timeout: 10000 }, (error, stdout, stderr) => {

Check failure (Code scanning / SonarCloud): OS commands should not be vulnerable to command injection attacks (High). Change this code to not construct the OS command from user-controlled data.
Comment thread src/routes/admin.js
const setClauses = Object.keys(updates).map(k => `${k} = '${updates[k]}'`).join(', ');
const query = `UPDATE users SET ${setClauses} WHERE id = ${userId}`;
try {
db.prepare(query).run();

Check failure (Code scanning / SonarCloud): Database queries should not be vulnerable to injection attacks (High). Change this code to not construct SQL queries directly from user-controlled data.
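The two SQL findings above (the ORDER BY in GET /admin/users and the SET builder in PUT /admin/users/:id) share one fix, shown here as an added example rather than the PR's code: identifiers (sort column, updatable columns) come from an allowlist because they cannot be bound, and every value is a bound parameter. The column names, role values and the better-sqlite3-style `db.prepare(sql).all(...params)` usage are assumptions.

```javascript
// Assumed schema: which columns may be sorted on or updated through the admin API.
const SORTABLE = new Set(['username', 'email', 'created_at']);
const UPDATABLE = new Set(['username', 'email', 'role']);
const ROLES = new Set(['admin', 'user', 'auditor']);

// GET /admin/users?role=...&sort=...  ORDER BY cannot take a bound parameter,
// so the column name is checked against the allowlist; the role value is bound.
function buildListUsersQuery(role, sort = 'username') {
  if (!ROLES.has(role)) throw new Error('unknown role');
  if (!SORTABLE.has(sort)) throw new Error('unsortable column');
  return {
    sql: `SELECT id, username, email, role FROM users WHERE role = ? ORDER BY ${sort}`,
    params: [role],
  };
}

// PUT /admin/users/:id  Column names come from the allowlist, every value and
// the id are bound; unknown keys are rejected rather than silently dropped.
function buildUpdateUserQuery(userId, updates) {
  const id = Number(userId);
  if (!Number.isInteger(id) || id <= 0) throw new Error('bad user id');
  const keys = Object.keys(updates);
  if (keys.length === 0) throw new Error('nothing to update');
  for (const k of keys) if (!UPDATABLE.has(k)) throw new Error(`column not updatable: ${k}`);
  if (keys.includes('role') && !ROLES.has(updates.role)) throw new Error('unknown role');
  const setClauses = keys.map((k) => `${k} = ?`).join(', ');
  return {
    sql: `UPDATE users SET ${setClauses} WHERE id = ?`,
    params: [...keys.map((k) => String(updates[k])), id],
  };
}
```

Use as `db.prepare(q.sql).all(...q.params)` and `db.prepare(q.sql).run(...q.params)` respectively.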
Comment thread src/routes/admin.js
const content = req.body.content;
// MEDIUM: No file type validation, writing to arbitrary path
const uploadPath = path.join('/tmp/uploads', filename);
fs.writeFileSync(uploadPath, content);

Check failure (Code scanning / SonarCloud): I/O function calls should not be vulnerable to path injection attacks (High). Change this code to not construct the path from user-controlled data.
Comment thread src/routes/admin.js
app.post('/admin/encrypt', (req, res) => {
const { data } = req.body;
// MEDIUM: ECB mode is insecure
const cipher = crypto.createCipheriv('aes-128-ecb', ENCRYPTION_KEY.slice(0, 16), null);

Check failure (Code scanning / SonarCloud): Encryption algorithms should be used with secure mode and padding scheme (High). Use a secure mode and padding scheme.
Comment thread src/routes/admin.js
app.get('/admin/render', (req, res) => {
const template = req.query.template;
try {
const rendered = eval('`' + template + '`');

Check failure (Code scanning / SonarCloud): Dynamic code execution should not be vulnerable to injection attacks (High). Change this code to not dynamically execute code influenced by user-controlled data.
Comment thread src/routes/admin.js
const { url } = req.query;
// MEDIUM: No URL validation - can access internal services
try {
const response = await fetch(url);

Check warning (Code scanning / SonarCloud): Server-side requests should not be vulnerable to forging attacks (Medium). Change this code to not construct the URL from user-controlled data.