rate limiting and api security enhancements

2024-09-10 13:47:16 +02:00
parent 88991c9de0
commit 158a8ca0bb
4 changed files with 195 additions and 0 deletions
--- a/lib/rate-limiter.ts
+++ b/lib/rate-limiter.ts
@@ -0,0 +1,61 @@
+interface RateLimitData {
+  count: number
+  resetTime: number
+}
+
+const cache = new Map<string, RateLimitData>()
+
+export interface RateLimitConfig {
+  windowMs: number
+  maxRequests: number
+}
+
+const defaultConfig: RateLimitConfig = {
+  windowMs: 60 * 1000, // 1 minute
+  maxRequests: 100
+}
+
+export function rateLimit(
+  identifier: string, 
+  config: RateLimitConfig = defaultConfig
+): { allowed: boolean; remaining: number; resetTime: number } {
+  
+  const now = Date.now()
+  const windowStart = now - config.windowMs
+  
+  // Clean expired entries
+  for (const [key, data] of cache.entries()) {
+    if (data.resetTime < now) {
+      cache.delete(key)
+    }
+  }
+  
+  let data = cache.get(identifier)
+  
+  if (!data || data.resetTime < now) {
+    data = {
+      count: 0,
+      resetTime: now + config.windowMs
+    }
+  }
+  
+  data.count++
+  cache.set(identifier, data)
+  
+  const allowed = data.count <= config.maxRequests
+  const remaining = Math.max(0, config.maxRequests - data.count)
+  
+  return {
+    allowed,
+    remaining,
+    resetTime: data.resetTime
+  }
+}
+
+export function getRateLimitHeaders(result: ReturnType<typeof rateLimit>) {
+  return {
+    'X-RateLimit-Limit': '100',
+    'X-RateLimit-Remaining': result.remaining.toString(),
+    'X-RateLimit-Reset': new Date(result.resetTime).toISOString()
+  }
+}
--- a/lib/validate-input.ts
+++ b/lib/validate-input.ts
@@ -0,0 +1,80 @@
+export function sanitizeUrl(url: string): string {
+  return url
+    .trim()
+    .replace(/[<>'"]/g, '') // Remove potential XSS characters
+    .substring(0, 2048) // Limit length
+}
+
+export function validateEmail(email: string): boolean {
+  const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/
+  return emailRegex.test(email) && email.length <= 254
+}
+
+export function validateUrl(url: string): boolean {
+  try {
+    const sanitized = sanitizeUrl(url)
+    if (!sanitized) return false
+    
+    // Add protocol if missing
+    let testUrl = sanitized
+    if (!testUrl.startsWith('http://') && !testUrl.startsWith('https://')) {
+      testUrl = 'https://' + testUrl
+    }
+    
+    const urlObj = new URL(testUrl)
+    
+    // Check for suspicious patterns
+    const suspiciousPatterns = [
+      /javascript:/i,
+      /data:/i,
+      /vbscript:/i,
+      /file:/i,
+      /about:/i
+    ]
+    
+    return !suspiciousPatterns.some(pattern => pattern.test(testUrl))
+  } catch {
+    return false
+  }
+}
+
+export function validateRiskLevel(level: any): boolean {
+  const num = parseInt(level)
+  return !isNaN(num) && num >= 1 && num <= 5
+}
+
+export function escapeSql(input: string): string {
+  return input.replace(/'/g, "''")
+}
+
+export interface ValidationResult {
+  valid: boolean
+  errors: string[]
+}
+
+export function validateReportData(data: any): ValidationResult {
+  const errors: string[] = []
+  
+  if (!data.source_url || typeof data.source_url !== 'string') {
+    errors.push('Source URL is required')
+  } else if (!validateUrl(data.source_url)) {
+    errors.push('Invalid URL format')
+  }
+  
+  if (data.reporter_email && !validateEmail(data.reporter_email)) {
+    errors.push('Invalid email format')
+  }
+  
+  if (!data.categories || !Array.isArray(data.categories) || data.categories.length === 0) {
+    errors.push('At least one category is required')
+  }
+  
+  if (data.description && typeof data.description === 'string' && data.description.length > 1000) {
+    errors.push('Description too long (max 1000 characters)')
+  }
+  
+  return {
+    valid: errors.length === 0,
+    errors
+  }
+}