Comparar commits
2 Commits
8fa586731a
...
42bc5a15d0
| Autor | SHA1 | Fecha | |
|---|---|---|---|
42bc5a15d0
|
|||
|
2de78b7461
|
@@ -11,13 +11,101 @@ interface HashDocument {
|
||||
created_at?: string;
|
||||
}
|
||||
|
||||
// Maximum allowed query length
|
||||
const MAX_QUERY_LENGTH = 1000;
|
||||
|
||||
// Characters that could be used in NoSQL/Elasticsearch injection attacks
|
||||
const DANGEROUS_PATTERNS = [
|
||||
/[{}\[\]]/g, // JSON structure characters
|
||||
/\$[a-zA-Z]/g, // MongoDB-style operators
|
||||
/\\u[0-9a-fA-F]{4}/g, // Unicode escapes
|
||||
/<script/gi, // XSS attempts
|
||||
/javascript:/gi, // XSS attempts
|
||||
];
|
||||
|
||||
/**
|
||||
* Sanitize input to prevent NoSQL injection attacks
|
||||
* For hash lookups, we only need alphanumeric characters and $
|
||||
* For plaintext, we allow more characters but sanitize dangerous patterns
|
||||
*/
|
||||
function sanitizeInput(input: string): string {
|
||||
// Trim and take first word only
|
||||
let sanitized = input.trim().split(/\s+/)[0] || '';
|
||||
|
||||
// Limit length
|
||||
if (sanitized.length > MAX_QUERY_LENGTH) {
|
||||
sanitized = sanitized.substring(0, MAX_QUERY_LENGTH);
|
||||
}
|
||||
|
||||
// Remove null bytes
|
||||
sanitized = sanitized.replace(/\0/g, '');
|
||||
|
||||
// Check for dangerous patterns
|
||||
for (const pattern of DANGEROUS_PATTERNS) {
|
||||
sanitized = sanitized.replace(pattern, '');
|
||||
}
|
||||
|
||||
return sanitized;
|
||||
}
|
||||
|
||||
/**
|
||||
* Validate that the input is safe for use in Elasticsearch queries
|
||||
*/
|
||||
function isValidInput(input: string): boolean {
|
||||
// Check for empty input
|
||||
if (!input || input.length === 0) {
|
||||
return false;
|
||||
}
|
||||
|
||||
// Check for excessively long input
|
||||
if (input.length > MAX_QUERY_LENGTH) {
|
||||
return false;
|
||||
}
|
||||
|
||||
// Check for control characters (except normal whitespace)
|
||||
if (/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/.test(input)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
export async function POST(request: NextRequest) {
|
||||
try {
|
||||
const { query } = await request.json();
|
||||
const body = await request.json();
|
||||
|
||||
// Validate request body structure
|
||||
if (!body || typeof body !== 'object') {
|
||||
return NextResponse.json(
|
||||
{ error: 'Invalid request body' },
|
||||
{ status: 400 }
|
||||
);
|
||||
}
|
||||
|
||||
const { query } = body;
|
||||
|
||||
// Validate query type
|
||||
if (!query || typeof query !== 'string') {
|
||||
return NextResponse.json(
|
||||
{ error: 'Query parameter is required' },
|
||||
{ error: 'Query parameter is required and must be a string' },
|
||||
{ status: 400 }
|
||||
);
|
||||
}
|
||||
|
||||
// Validate input before processing
|
||||
if (!isValidInput(query)) {
|
||||
return NextResponse.json(
|
||||
{ error: 'Invalid query: contains forbidden characters or is too long' },
|
||||
{ status: 400 }
|
||||
);
|
||||
}
|
||||
|
||||
// Sanitize input
|
||||
const cleanQuery = sanitizeInput(query);
|
||||
|
||||
if (!cleanQuery) {
|
||||
return NextResponse.json(
|
||||
{ error: 'Invalid query: only whitespace or invalid characters provided' },
|
||||
{ status: 400 }
|
||||
);
|
||||
}
|
||||
@@ -25,15 +113,6 @@ export async function POST(request: NextRequest) {
|
||||
// Ensure index exists
|
||||
await initializeIndex();
|
||||
|
||||
const cleanQuery = query.trim().split(/\s+/)[0];
|
||||
|
||||
if (!cleanQuery) {
|
||||
return NextResponse.json(
|
||||
{ error: 'Invalid query: only whitespace provided' },
|
||||
{ status: 400 }
|
||||
);
|
||||
}
|
||||
|
||||
const cleanQueryLower = cleanQuery.toLowerCase();
|
||||
const hashType = detectHashType(cleanQueryLower);
|
||||
|
||||
|
||||
102
app/page.tsx
102
app/page.tsx
@@ -1,7 +1,8 @@
|
||||
'use client';
|
||||
|
||||
import { useState, useEffect } from 'react';
|
||||
import { Search, Copy, Check, Hash, Key, AlertCircle, Loader2, Database } from 'lucide-react';
|
||||
import { useState, useEffect, useCallback } from 'react';
|
||||
import { useSearchParams, useRouter } from 'next/navigation';
|
||||
import { Search, Copy, Check, Hash, Key, AlertCircle, Loader2, Database, Link } from 'lucide-react';
|
||||
|
||||
interface SearchResult {
|
||||
found: boolean;
|
||||
@@ -46,12 +47,56 @@ function formatNumber(num: number): string {
|
||||
}
|
||||
|
||||
export default function Home() {
|
||||
const searchParams = useSearchParams();
|
||||
const router = useRouter();
|
||||
const [query, setQuery] = useState('');
|
||||
const [result, setResult] = useState<SearchResult | null>(null);
|
||||
const [loading, setLoading] = useState(false);
|
||||
const [error, setError] = useState('');
|
||||
const [copiedField, setCopiedField] = useState<string | null>(null);
|
||||
const [stats, setStats] = useState<IndexStats | null>(null);
|
||||
const [copiedLink, setCopiedLink] = useState(false);
|
||||
|
||||
const performSearch = useCallback(async (searchQuery: string) => {
|
||||
if (!searchQuery.trim()) return;
|
||||
|
||||
setLoading(true);
|
||||
setError('');
|
||||
setResult(null);
|
||||
|
||||
try {
|
||||
const response = await fetch('/api/search', {
|
||||
method: 'POST',
|
||||
headers: { 'Content-Type': 'application/json' },
|
||||
body: JSON.stringify({ query: searchQuery.trim() })
|
||||
});
|
||||
|
||||
if (!response.ok) {
|
||||
throw new Error('Search failed');
|
||||
}
|
||||
|
||||
const data = await response.json();
|
||||
setResult(data);
|
||||
|
||||
// Update URL with search query
|
||||
const newUrl = new URL(window.location.href);
|
||||
newUrl.searchParams.set('q', searchQuery.trim());
|
||||
router.replace(newUrl.pathname + newUrl.search, { scroll: false });
|
||||
} catch (_err) {
|
||||
setError('Failed to perform search. Please check your connection.');
|
||||
} finally {
|
||||
setLoading(false);
|
||||
}
|
||||
}, [router]);
|
||||
|
||||
// Load query from URL on mount
|
||||
useEffect(() => {
|
||||
const urlQuery = searchParams.get('q');
|
||||
if (urlQuery) {
|
||||
setQuery(urlQuery);
|
||||
performSearch(urlQuery);
|
||||
}
|
||||
}, [searchParams, performSearch]);
|
||||
|
||||
useEffect(() => {
|
||||
const fetchStats = async () => {
|
||||
@@ -73,30 +118,7 @@ export default function Home() {
|
||||
|
||||
const handleSearch = async (e: React.FormEvent) => {
|
||||
e.preventDefault();
|
||||
if (!query.trim()) return;
|
||||
|
||||
setLoading(true);
|
||||
setError('');
|
||||
setResult(null);
|
||||
|
||||
try {
|
||||
const response = await fetch('/api/search', {
|
||||
method: 'POST',
|
||||
headers: { 'Content-Type': 'application/json' },
|
||||
body: JSON.stringify({ query: query.trim() })
|
||||
});
|
||||
|
||||
if (!response.ok) {
|
||||
throw new Error('Search failed');
|
||||
}
|
||||
|
||||
const data = await response.json();
|
||||
setResult(data);
|
||||
} catch (_err) {
|
||||
setError('Failed to perform search. Please check your connection.');
|
||||
} finally {
|
||||
setLoading(false);
|
||||
}
|
||||
performSearch(query);
|
||||
};
|
||||
|
||||
const copyToClipboard = (text: string, field: string) => {
|
||||
@@ -105,6 +127,14 @@ export default function Home() {
|
||||
setTimeout(() => setCopiedField(null), 2000);
|
||||
};
|
||||
|
||||
const copyShareLink = () => {
|
||||
const url = new URL(window.location.href);
|
||||
url.searchParams.set('q', query.trim());
|
||||
navigator.clipboard.writeText(url.toString());
|
||||
setCopiedLink(true);
|
||||
setTimeout(() => setCopiedLink(false), 2000);
|
||||
};
|
||||
|
||||
const HashDisplay = ({ label, value, field }: { label: string; value: string; field: string }) => (
|
||||
<div className="bg-gray-50 rounded-lg p-4 border border-gray-200">
|
||||
<div className="flex items-center justify-between mb-2">
|
||||
@@ -166,12 +196,27 @@ export default function Home() {
|
||||
value={query}
|
||||
onChange={(e) => setQuery(e.target.value)}
|
||||
placeholder="Enter a hash or plaintext..."
|
||||
className="w-full px-6 py-4 pr-14 text-lg rounded-2xl border-2 border-gray-200 focus:border-blue-500 focus:ring-4 focus:ring-blue-100 outline-none transition-all shadow-sm"
|
||||
className="w-full px-6 py-4 pr-28 text-lg rounded-2xl border-2 border-gray-200 focus:border-blue-500 focus:ring-4 focus:ring-blue-100 outline-none transition-all shadow-sm"
|
||||
/>
|
||||
<div className="absolute right-2 top-1/2 -translate-y-1/2 flex gap-1">
|
||||
{query.trim() && (
|
||||
<button
|
||||
type="button"
|
||||
onClick={copyShareLink}
|
||||
className="bg-gray-100 text-gray-600 p-3 rounded-xl hover:bg-gray-200 transition-all"
|
||||
title="Copy share link"
|
||||
>
|
||||
{copiedLink ? (
|
||||
<Check className="w-6 h-6 text-green-600" />
|
||||
) : (
|
||||
<Link className="w-6 h-6" />
|
||||
)}
|
||||
</button>
|
||||
)}
|
||||
<button
|
||||
type="submit"
|
||||
disabled={loading || !query.trim()}
|
||||
className="absolute right-2 top-1/2 -translate-y-1/2 bg-gradient-to-r from-blue-600 to-purple-600 text-white p-3 rounded-xl hover:shadow-lg disabled:opacity-50 disabled:cursor-not-allowed transition-all"
|
||||
className="bg-gradient-to-r from-blue-600 to-purple-600 text-white p-3 rounded-xl hover:shadow-lg disabled:opacity-50 disabled:cursor-not-allowed transition-all"
|
||||
>
|
||||
{loading ? (
|
||||
<Loader2 className="w-6 h-6 animate-spin" />
|
||||
@@ -180,6 +225,7 @@ export default function Home() {
|
||||
)}
|
||||
</button>
|
||||
</div>
|
||||
</div>
|
||||
</form>
|
||||
|
||||
{/* Error Message */}
|
||||
|
||||
Referencia en una nueva incidencia
Block a user