fix(security): resolve all CodeQL security findings (#2806)

* fix(security): resolve all CodeQL security findings

- Path injection (ocp-sticker.service.ts): Validate lang against allowed values
- Type confusion (spark.service.ts): Add nullish coalescing for Map.get()
- Missing permissions (api-*.yaml): Add explicit 'contents: read' permissions
- Polynomial ReDoS (gs.service.ts): Replace regex with simple string search
- Incomplete sanitization (olkypay.service.ts): Use replaceAll instead of replace

Resolves 9 CodeQL alerts

* fix(gs): use bounded quantifier for ORDER BY detection

Replace .includes('order by') with bounded regex /order\s{1,100}by/i:
- Prevents ReDoS via bounded quantifier {1,100}
- Maintains support for tabs and multiple spaces between ORDER and BY
- Original .includes() only matched single space

Author: TaprootFreak

.github/workflows/api-dev.yaml

@@ -5,6 +5,9 @@ on:
     branches: [develop]
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 env:
   AZURE_WEBAPP_NAME: app-dfx-api-dev
   AZURE_WEBAPP_PACKAGE_PATH: '.'

.github/workflows/api-pr.yaml

@@ -7,6 +7,9 @@ on:
       - develop
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 env:
   NODE_VERSION: '20.x'
 

.github/workflows/api-prd.yaml

@@ -5,6 +5,9 @@ on:
     branches: [master]
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 env:
   AZURE_WEBAPP_NAME: app-dfx-api-prd
   AZURE_WEBAPP_PACKAGE_PATH: '.'

src/integration/bank/services/olkypay.service.ts

@@ -133,7 +133,7 @@ export class OlkypayService {
       case TransactionType.RECEIVED:
         return {
           name: tx.line1.split(' Recu ')[1]?.split(' [ Adresse débiteur : ')[0],
-          addressLine1: tx.line1.split(' [ Adresse débiteur : ')[1]?.replace(']', ''),
+          addressLine1: tx.line1.split(' [ Adresse débiteur : ')[1]?.replaceAll(']', ''),
         };
     }
 

src/integration/blockchain/spark/spark.service.ts

@@ -97,7 +97,7 @@ export class SparkService extends BlockchainService {
 
   private getAddressPrefix(address: string): string {
     const separatorIndex = address.lastIndexOf('1');
-    if (separatorIndex === -1) return this.NETWORK_PREFIXES.get(SparkNetwork.MAINNET);
+    if (separatorIndex === -1) return this.NETWORK_PREFIXES.get(SparkNetwork.MAINNET) ?? 'sp';
 
     return address.substring(0, separatorIndex);
   }

src/subdomains/core/payment-link/services/ocp-sticker.service.ts

@@ -1,4 +1,4 @@
-import { Injectable, UnauthorizedException } from '@nestjs/common';
+import { BadRequestException, Injectable, UnauthorizedException } from '@nestjs/common';
 import { readFileSync } from 'fs';
 import { I18nService } from 'nestjs-i18n';
 import { join } from 'path';
@@ -11,6 +11,8 @@ import { PaymentLink } from '../entities/payment-link.entity';
 import { StickerQrMode, StickerType } from '../enums';
 import { PaymentLinkService } from './payment-link.service';
 
+const ALLOWED_LANGUAGES = ['en', 'de', 'fr', 'it'];
+
 @Injectable()
 export class OCPStickerService {
   constructor(
@@ -201,6 +203,11 @@ export class OCPStickerService {
     mode = StickerQrMode.CUSTOMER,
     userId?: number,
   ): Promise<Buffer> {
+    const sanitizedLang = lang.toLowerCase();
+    if (!ALLOWED_LANGUAGES.includes(sanitizedLang)) {
+      throw new BadRequestException(`Invalid language: ${lang}. Allowed: ${ALLOWED_LANGUAGES.join(', ')}`);
+    }
+
     const links = await this.fetchPaymentLinks(routeIdOrLabel, externalIds, ids);
 
     const posUrls: Map<string, string> = new Map();
@@ -216,8 +223,8 @@ export class OCPStickerService {
     // Bitcoin Focus OCP Sticker
     const stickerFileName =
       mode === StickerQrMode.POS
-        ? `ocp-bitcoin-focus-sticker-pos_${lang.toLowerCase()}.png`
-        : `ocp-bitcoin-focus-sticker_${lang.toLowerCase()}.png`;
+        ? `ocp-bitcoin-focus-sticker-pos_${sanitizedLang}.png`
+        : `ocp-bitcoin-focus-sticker_${sanitizedLang}.png`;
     const stickerPath = join(process.cwd(), 'assets', stickerFileName);
     const stickerBuffer = readFileSync(stickerPath);
 

src/subdomains/generic/gs/gs.service.ts

@@ -1297,7 +1297,8 @@ export class GsService {
     }
 
     // MSSQL requires ORDER BY for OFFSET/FETCH - add dummy order if missing
-    const hasOrderBy = /\border\s+by\b/i.test(sql);
+    // Using bounded quantifier {1,100} to prevent ReDoS while supporting tabs/multiple spaces
+    const hasOrderBy = /order\s{1,100}by/i.test(sql);
     const orderByClause = hasOrderBy ? '' : ' ORDER BY (SELECT NULL)';
 
     return `${sql.trim().replace(/;*$/, '')}${orderByClause} OFFSET 0 ROWS FETCH NEXT ${