Conversation

@MilanKomsa

No description provided.

}

// Validate against GS1 schema
const isValid = this.validateSchema(document);

Check failure

Code scanning / CodeQL: Resources exhaustion from deep object traversal (High)

Denial of service caused by processing user input with allErrors: true.

Copilot Autofix

AI 4 days ago

In general, the fix is to avoid using allErrors: true when validating user-controlled input in production. Instead, only enable allErrors conditionally (e.g., based on an environment variable or a debug flag) so production validates only until the first error and does not allocate unbounded error arrays.

The best fix here is to change the Ajv instantiation in EpcisValidationService to make allErrors conditional on an environment variable (for example EPCIS_DEBUG), mirroring the recommended pattern from the background section. This keeps current functionality for debugging (developers can still see all validation errors when they explicitly enable debug mode), but prevents the denial-of-service risk in normal operation. No other logic needs to change, because Ajv’s errors array is still populated when validation fails; it will just contain fewer entries in non-debug mode.

Concretely, in packages/plugin-epcis/src/services/EPCISValidationService.ts, update the constructor where new Ajv is called: replace allErrors: true with allErrors: process.env["EPCIS_DEBUG"] === "true". This is the only code change needed. No changes are required in packages/plugin-epcis/src/index.ts, and no new imports or helper methods are necessary.

Suggested changeset 1
packages/plugin-epcis/src/services/EPCISValidationService.ts

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/packages/plugin-epcis/src/services/EPCISValidationService.ts b/packages/plugin-epcis/src/services/EPCISValidationService.ts
--- a/packages/plugin-epcis/src/services/EPCISValidationService.ts
+++ b/packages/plugin-epcis/src/services/EPCISValidationService.ts
@@ -9,7 +9,7 @@
 
   constructor() {
     this.ajv = new Ajv({
-      allErrors: true,
+      allErrors: process.env["EPCIS_DEBUG"] === "true",
       strict: false,
       validateFormats: true,
     });
EOF
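Review bot: the `+` line ties validator behaviour to a new `EPCIS_DEBUG` environment variable that the patch neither documents nor adds to the project's environment typings; document it next to the other variables and state that it must stay unset in production, since `allErrors: true` is exactly what the CodeQL finding flags. Note also that `allErrors: false` only makes Ajv stop collecting errors after the first failing keyword; a large input that is valid, or that fails late, is still traversed in full, so a size or nesting-depth limit on the document before `validateSchema` is still worth adding.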
Copilot is powered by AI and may make mistakes. Always verify output.
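As an added example (not code from the plugin, and not part of Copilot's patch), the TypeScript below shows the two pieces a practitioner would want next to the suggested change: the same environment-driven Ajv options, and a bounded pre-check that rejects over-deep or over-wide input before it reaches validateSchema, since allErrors: false only stops Ajv collecting errors after the first failure and a large valid document is still walked in full. The limit values, the names ajvOptionsFor, exceedsLimits, validateGuarded and the nested input builder are assumptions for illustration; the validator passed to validateGuarded stands in for the Ajv-compiled function.

```typescript
// Added example, not EPCISValidationService code. Names and limits are
// illustrative assumptions.

type Env = Record<string, string | undefined>;

// Mirrors the suggested patch: collect every error only when EPCIS_DEBUG=true,
// otherwise Ajv stops at the first failing keyword and allocates one error.
function ajvOptionsFor(env: Env): { allErrors: boolean; strict: boolean; validateFormats: boolean } {
  return {
    allErrors: env["EPCIS_DEBUG"] === "true",
    strict: false,
    validateFormats: true,
  };
}

interface DocumentLimits {
  maxDepth: number; // maximum nesting of objects/arrays (assumed value)
  maxNodes: number; // maximum objects + arrays + scalars (assumed value)
  maxKeys: number;  // maximum keys on a single object (assumed value)
}

const DEFAULT_LIMITS: DocumentLimits = { maxDepth: 32, maxNodes: 100000, maxKeys: 1000 };

// Iterative walk with an explicit stack, so hostile nesting cannot overflow the
// JS call stack while we measure it. Returns null when within limits,
// otherwise a short reason. Cost is linear in the nodes actually visited and
// stops as soon as any limit is crossed.
function exceedsLimits(doc: unknown, limits: DocumentLimits = DEFAULT_LIMITS): string | null {
  const stack: Array<{ value: unknown; depth: number }> = [{ value: doc, depth: 0 }];
  let nodes = 0;
  while (stack.length > 0) {
    const { value, depth } = stack.pop()!;
    nodes += 1;
    if (nodes > limits.maxNodes) return `more than ${limits.maxNodes} nodes`;
    if (depth > limits.maxDepth) return `nesting deeper than ${limits.maxDepth}`;
    if (Array.isArray(value)) {
      for (const item of value) stack.push({ value: item, depth: depth + 1 });
    } else if (value !== null && typeof value === "object") {
      const obj = value as Record<string, unknown>;
      const keys = Object.keys(obj);
      if (keys.length > limits.maxKeys) return `object with more than ${limits.maxKeys} keys`;
      for (const k of keys) stack.push({ value: obj[k], depth: depth + 1 });
    }
  }
  return null;
}

// Guard to run in front of the schema check: bounded input first, schema second.
function validateGuarded(
  doc: unknown,
  validate: (d: unknown) => boolean,
  limits: DocumentLimits = DEFAULT_LIMITS,
): { ok: boolean; reason?: string } {
  const limit = exceedsLimits(doc, limits);
  if (limit !== null) return { ok: false, reason: `rejected before schema validation: ${limit}` };
  return { ok: validate(doc) };
}

// Constructed test input: an object nested `depth` levels deep.
function nested(depth: number): unknown {
  let v: unknown = "leaf";
  for (let i = 0; i < depth; i++) v = { child: v };
  return v;
}

// Stand-in for an Ajv-compiled validator (assumption): accepts any object with
// a string `type` property.
function toyValidator(d: unknown): boolean {
  return typeof d === "object" && d !== null && typeof (d as { type?: unknown }).type === "string";
}

// Usage: a deeply nested payload is refused before validation runs at all.
const deepResult = validateGuarded(nested(64), toyValidator);
const okResult = validateGuarded({ type: "ObjectEvent" }, toyValidator);
console.log(ajvOptionsFor({}), ajvOptionsFor({ EPCIS_DEBUG: "true" }), deepResult, okResult);
```

The pre-check is cheap relative to schema validation and is the part the allErrors switch does not cover: with allErrors: false Ajv stops collecting errors but still visits every node of a document that validates, so bounding the document is what actually caps the work an unauthenticated caller can force.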
@Lexpeartha Lexpeartha (Contributor) left a comment


Please also document new .env variable and add it to env.d.ts

@MilanKomsa (Author)

> Please also document new .env variable and add it to env.d.ts
What new .env variable?

@MilanKomsa MilanKomsa requested a review from Lexpeartha January 16, 2026 14:43
@MilanKomsa MilanKomsa dismissed Lexpeartha’s stale review January 16, 2026 14:44

there is no .env variable used in code



3 participants