From 344385712c7e6d1ae96dc5f2003aeb56511f19a8 Mon Sep 17 00:00:00 2001 From: Norris Ng <103449568+norrisng-bc@users.noreply.github.com> Date: Wed, 16 Jul 2025 17:51:57 -0700 Subject: [PATCH 1/3] Existing OpenAPI spec typos and fixes --- app/src/docs/v1.api-spec.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/app/src/docs/v1.api-spec.yaml b/app/src/docs/v1.api-spec.yaml index 5cacbc59..8f39b026 100644 --- a/app/src/docs/v1.api-spec.yaml +++ b/app/src/docs/v1.api-spec.yaml @@ -416,11 +416,11 @@ paths: versions of objects. Search criteria on string attributes will match on partial results and ignore case sensitivity. - This endpoint can be used without authentication. If so, some response attributes (`path`, `createdBy`, `updatedBy`, and - `lastSynceDate`) are redacted. The following restrictions also apply: + This endpoint may be used without authentication. If so, some response attributes (`path`, `createdBy`, `updatedBy`, and + `lastSyncedDate`) are redacted. The following restrictions also apply: * Only the following query parameters are allowed: `bucketId`, `objectId`, `public`, `page`, `limit`, `sort` * `public` must be `true` - * An `objectId` or `publicId` must be provided + * An `objectId` or `bucketId` must be provided operationId: searchObjects tags: - Object @@ -1836,7 +1836,7 @@ components: example: ac246e31-c807-496c-bc93-cd8bc2f1b2b4 Query-BucketName: in: query - name: displayName + name: bucketName description: A display name given to the bucket on creation schema: type: string From 75b5ec481d6c37e4d241f12aeb81caef42b73afd Mon Sep 17 00:00:00 2001 
From: Norris Ng <103449568+norrisng-bc@users.noreply.github.com> Date: Wed, 3 Sep 2025 17:01:42 -0700 Subject: [PATCH 2/3] GET /object without auth: blacklist ?path only instead of whitelisting No-auth search is already scoped by requiring a bucketId, so allowing the other params is safe. `path` is still blocked though, as it can expose the underlying S3 directory structure. --- app/src/controllers/object.js | 10 +++------- app/src/docs/v1.api-spec.yaml | 5 +++-- 2 files changed, 6 insertions(+), 9 deletions(-) diff --git a/app/src/controllers/object.js b/app/src/controllers/object.js index 34f69bb0..d6cab8ca 100644 --- a/app/src/controllers/object.js +++ b/app/src/controllers/object.js @@ -27,8 +27,7 @@ const { mixedQueryToArray, toLowerKeys, getBucket, - renameObjectProperty, - hasOnlyPermittedKeys + renameObjectProperty } = require('../components/utils'); const utils = require('../db/models/utils'); @@ -1062,12 +1061,9 @@ const controller = { if (req.currentUser.authType === AuthType.NONE) { - const permittedPublicSearchParams = ['bucketId', 'objectId', 'public', 'page', 'limit', 'sort']; - // no-auth requests MUST have all of the following: - // (a) only the permitted search params; (b) ?public=true; (c) an object or bucket id - if (!hasOnlyPermittedKeys(req.query, permittedPublicSearchParams) || !params.public || - !(params.bucketId || params.id)) { + // (a) an object or bucket id; (b) ?public=true; (c) not search by S3 path + if (!(params.bucketId || params.id) || !params.public || params.path) { throw new Problem(403, { detail: 'User lacks permission to complete this action', instance: req.originalUrl diff --git a/app/src/docs/v1.api-spec.yaml b/app/src/docs/v1.api-spec.yaml index 8f39b026..12ae56c7 100644 --- a/app/src/docs/v1.api-spec.yaml +++ b/app/src/docs/v1.api-spec.yaml 
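Review bot: The no-auth branch now fails open: with `hasOnlyPermittedKeys` gone, the condition `!(params.bucketId || params.id) || !params.public || params.path` rejects only `path`, so every other search parameter, including any added later, is accepted from unauthenticated callers by default. The spec in this patch series lists `createdBy`, `updatedBy` and `lastSyncedDate` as redacted for these callers alongside `path`; if any search parameter filters on those attributes (the parameter list is outside this hunk), matching results would let a caller infer the redacted values, so such filters belong in the same check. The commit message's scoping argument relies on `bucketId`, but the condition is also satisfied by `params.id` alone, which is worth confirming as intended. `params.path` is tested for truthiness, so whether an empty `?path=` is rejected depends on how `params` is built above the hunk. I would either keep an allow-list extended with the parameters judged safe, or add a comment at the check such as `// no-auth: all params except path are accepted; add any filter on a redacted attribute here`; the enclosing controller method starts and ends outside the hunk.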
@@ -418,9 +418,10 @@ paths: This endpoint may be used without authentication. If so, some response attributes (`path`, `createdBy`, `updatedBy`, and `lastSyncedDate`) are redacted. The following restrictions also apply: - * Only the following query parameters are allowed: `bucketId`, `objectId`, `public`, `page`, `limit`, `sort` - * `public` must be `true` * An `objectId` or `bucketId` must be provided + * `public` must be `true` + * The `path` parameter is not permitted + operationId: searchObjects tags: - Object From 6d40186007581f5c4c3162740df60329916fb36c Mon Sep 17 00:00:00 2001 From: Norris Ng <103449568+norrisng-bc@users.noreply.github.com> Date: Thu, 4 Sep 2025 14:46:59 -0700 Subject: [PATCH 3/3] GHA: temporarily disable Code Climate coverage due to CC API shutdown --- .github/workflows/unit-tests.yaml | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/.github/workflows/unit-tests.yaml b/.github/workflows/unit-tests.yaml index 03f40473..083a0fad 100644 --- a/.github/workflows/unit-tests.yaml +++ b/.github/workflows/unit-tests.yaml @@ -81,11 +81,13 @@ jobs: uses: actions/checkout@v4 - name: Restore Coverage Results uses: actions/download-artifact@v4 - - name: Publish code coverage - uses: paambaati/codeclimate-action@v5 - env: - CC_TEST_REPORTER_ID: ${{ secrets.CC_TEST_REPORTER_ID }} - with: - coverageLocations: | - ${{ github.workspace }}/**/lcov.info:lcov - prefix: ${{ github.workplace }} + # TODO: replace with Qlty as Code Climate has shut down their API: + # https://docs.qlty.sh/migration/coverage + # - name: Publish code coverage + # uses: paambaati/codeclimate-action@v5 + # env: + # CC_TEST_REPORTER_ID: ${{ secrets.CC_TEST_REPORTER_ID }} + # with: + # coverageLocations: | + # ${{ github.workspace }}/**/lcov.info:lcov + # prefix: ${{ github.workplace }}
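Review bot: The commented-out step keeps `prefix: ${{ github.workplace }}`, which looks like a typo for `github.workspace` (the form used in `coverageLocations` just above it), so it is worth fixing or flagging in the TODO before the block is copied into the Qlty replacement. With the step disabled, the `CC_TEST_REPORTER_ID` secret is no longer referenced in the visible part of the workflow; if nothing else uses it, removing it from the repository secrets avoids leaving an unused credential in place. The TODO would be easier to track with an owner or issue reference, e.g. `# TODO(<owner>): replace with Qlty ...`. The job continues outside the hunk, so whether the remaining checkout and artifact download steps are still needed cannot be told from here.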