@@ -11,13 +11,101 @@ interface HashDocument {
|
||||
created_at?: string;
|
||||
}
|
||||
|
||||
// Maximum allowed query length
|
||||
const MAX_QUERY_LENGTH = 1000;
|
||||
|
||||
// Characters that could be used in NoSQL/Elasticsearch injection attacks
|
||||
const DANGEROUS_PATTERNS = [
|
||||
/[{}\[\]]/g, // JSON structure characters
|
||||
/\$[a-zA-Z]/g, // MongoDB-style operators
|
||||
/\\u[0-9a-fA-F]{4}/g, // Unicode escapes
|
||||
/<script/gi, // XSS attempts
|
||||
/javascript:/gi, // XSS attempts
|
||||
];
|
||||
|
||||
/**
|
||||
* Sanitize input to prevent NoSQL injection attacks
|
||||
* For hash lookups, we only need alphanumeric characters and $
|
||||
* For plaintext, we allow more characters but sanitize dangerous patterns
|
||||
*/
|
||||
function sanitizeInput(input: string): string {
|
||||
// Trim and take first word only
|
||||
let sanitized = input.trim().split(/\s+/)[0] || '';
|
||||
|
||||
// Limit length
|
||||
if (sanitized.length > MAX_QUERY_LENGTH) {
|
||||
sanitized = sanitized.substring(0, MAX_QUERY_LENGTH);
|
||||
}
|
||||
|
||||
// Remove null bytes
|
||||
sanitized = sanitized.replace(/\0/g, '');
|
||||
|
||||
// Check for dangerous patterns
|
||||
for (const pattern of DANGEROUS_PATTERNS) {
|
||||
sanitized = sanitized.replace(pattern, '');
|
||||
}
|
||||
|
||||
return sanitized;
|
||||
}
|
||||
|
||||
/**
|
||||
* Validate that the input is safe for use in Elasticsearch queries
|
||||
*/
|
||||
function isValidInput(input: string): boolean {
|
||||
// Check for empty input
|
||||
if (!input || input.length === 0) {
|
||||
return false;
|
||||
}
|
||||
|
||||
// Check for excessively long input
|
||||
if (input.length > MAX_QUERY_LENGTH) {
|
||||
return false;
|
||||
}
|
||||
|
||||
// Check for control characters (except normal whitespace)
|
||||
if (/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/.test(input)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
export async function POST(request: NextRequest) {
|
||||
try {
|
||||
const { query } = await request.json();
|
||||
const body = await request.json();
|
||||
|
||||
// Validate request body structure
|
||||
if (!body || typeof body !== 'object') {
|
||||
return NextResponse.json(
|
||||
{ error: 'Invalid request body' },
|
||||
{ status: 400 }
|
||||
);
|
||||
}
|
||||
|
||||
const { query } = body;
|
||||
|
||||
// Validate query type
|
||||
if (!query || typeof query !== 'string') {
|
||||
return NextResponse.json(
|
||||
{ error: 'Query parameter is required' },
|
||||
{ error: 'Query parameter is required and must be a string' },
|
||||
{ status: 400 }
|
||||
);
|
||||
}
|
||||
|
||||
// Validate input before processing
|
||||
if (!isValidInput(query)) {
|
||||
return NextResponse.json(
|
||||
{ error: 'Invalid query: contains forbidden characters or is too long' },
|
||||
{ status: 400 }
|
||||
);
|
||||
}
|
||||
|
||||
// Sanitize input
|
||||
const cleanQuery = sanitizeInput(query);
|
||||
|
||||
if (!cleanQuery) {
|
||||
return NextResponse.json(
|
||||
{ error: 'Invalid query: only whitespace or invalid characters provided' },
|
||||
{ status: 400 }
|
||||
);
|
||||
}
|
||||
@@ -25,15 +113,6 @@ export async function POST(request: NextRequest) {
|
||||
// Ensure index exists
|
||||
await initializeIndex();
|
||||
|
||||
const cleanQuery = query.trim().split(/\s+/)[0];
|
||||
|
||||
if (!cleanQuery) {
|
||||
return NextResponse.json(
|
||||
{ error: 'Invalid query: only whitespace provided' },
|
||||
{ status: 400 }
|
||||
);
|
||||
}
|
||||
|
||||
const cleanQueryLower = cleanQuery.toLowerCase();
|
||||
const hashType = detectHashType(cleanQueryLower);
|
||||
|
||||
|
||||
Referencia en una nueva incidencia
Block a user