Etusivu Tutki Apua
Kirjaudu sisään
Vieraw
/
Kutt
1
0
Haarauta 0
Tiedostot Esitykset 0 Vetopyynnöt 0 Wiki
Puu: 0a68a7437e
Haarat Tunnisteet
Kutt
/
server
/
controllers
/
validateBodyController.js

validateBodyController.js 5.8 KB
Historia Raaka

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201 
  1. const { promisify } = require('util');
    2. 

  2. const dns = require('dns');
    3. 

  3. const axios = require('axios');
    4. 

  4. const URL = require('url');
    5. 

  5. const urlRegex = require('url-regex');
    6. 

  6. const validator = require('express-validator/check');
    7. 

  7. const { differenceInMinutes, subHours } = require('date-fns/');
    8. 

  8. const { validationResult } = require('express-validator/check');
    9. 

  9. const { addCooldown, banUser, getIPCooldown: getIPCooldownCount } = require('../db/user');
    10. 

  10. const { getBannedDomain, getBannedHost, urlCountFromDate } = require('../db/url');
    11. 

  11. const subDay = require('date-fns/sub_days');
    12. 

  12. const { addProtocol } = require('../utils');
    13. 

  13. 

  14. const dnsLookup = promisify(dns.lookup);
    15. 

  15. 

  16. exports.validationCriterias = [
    17. 

  17.   validator
    18. 

  18.     .body('email')
    19. 

  19.     .exists()
    20. 

  20.     .withMessage('Email must be provided.')
    21. 

  21.     .isEmail()
    22. 

  22.     .withMessage('Email is not valid.')
    23. 

  23.     .trim()
    24. 

  24.     .normalizeEmail(),
    25. 

  25.   validator
    26. 

  26.     .body('password', 'Password must be at least 8 chars long.')
    27. 

  27.     .exists()
    28. 

  28.     .withMessage('Password must be provided.')
    29. 

  29.     .isLength({ min: 8 }),
    30. 

  30. ];
    31. 

  31. 

  32. exports.validateBody = (req, res, next) => {
    33. 

  33.   const errors = validationResult(req);
    34. 

  34.   if (!errors.isEmpty()) {
    35. 

  35.     const errorsObj = errors.mapped();
    36. 

  36.     const emailError = errorsObj.email && errorsObj.email.msg;
    37. 

  37.     const passwordError = errorsObj.password && errorsObj.password.msg;
    38. 

  38.     return res.status(400).json({ error: emailError || passwordError });
    39. 

  39.   }
    40. 

  40.   return next();
    41. 

  41. };
    42. 

  42. 

  43. const preservedUrls = [
    44. 

  44.   'login',
    45. 

  45.   'logout',
    46. 

  46.   'signup',
    47. 

  47.   'reset-password',
    48. 

  48.   'resetpassword',
    49. 

  49.   'url-password',
    50. 

  50.   'url-info',
    51. 

  51.   'settings',
    52. 

  52.   'stats',
    53. 

  53.   'verify',
    54. 

  54.   'api',
    55. 

  55.   '404',
    56. 

  56.   'static',
    57. 

  57.   'images',
    58. 

  58.   'banned',
    59. 

  59.   'terms',
    60. 

  60.   'privacy',
    61. 

  61.   'report',
    62. 

  62. ];
    63. 

  63. 

  64. exports.preservedUrls = preservedUrls;
    65. 

  65. 

  66. exports.validateUrl = async ({ body, user }, res, next) => {
    67. 

  67.   // Validate URL existence
    68. 

  68.   if (!body.target) return res.status(400).json({ error: 'No target has been provided.' });
    69. 

  69. 

  70.   // validate URL length
    71. 

  71.   if (body.target.length > 3000) {
    72. 

  72.     return res.status(400).json({ error: 'Maximum URL length is 3000.' });
    73. 

  73.   }
    74. 

  74. 

  75.   // Validate URL
    76. 

  76.   const isValidUrl = urlRegex({ exact: true, strict: false }).test(body.target);
    77. 

  77.   if (!isValidUrl) return res.status(400).json({ error: 'URL is not valid.' });
    78. 

  78. 

  79.   // If target is the URL shortener itself
    80. 

  80.   const { host } = URL.parse(addProtocol(body.target));
    81. 

  81.   if (host === process.env.DEFAULT_DOMAIN) {
    82. 

  82.     return res.status(400).json({ error: `${process.env.DEFAULT_DOMAIN} URLs are not allowed.` });
    83. 

  83.   }
    84. 

  84. 

  85.   // Validate password length
    86. 

  86.   if (body.password && body.password.length > 64) {
    87. 

  87.     return res.status(400).json({ error: 'Maximum password length is 64.' });
    88. 

  88.   }
    89. 

  89. 

  90.   // Custom URL validations
    91. 

  91.   if (user && body.customurl) {
    92. 

  92.     // Validate custom URL
    93. 

  93.     if (!/^[a-zA-Z0-9-_]+$/g.test(body.customurl.trim())) {
    94. 

  94.       return res.status(400).json({ error: 'Custom URL is not valid.' });
    95. 

  95.     }
    96. 

  96. 

  97.     // Prevent from using preserved URLs
    98. 

  98.     if (preservedUrls.some(url => url === body.customurl)) {
    99. 

  99.       return res.status(400).json({ error: "You can't use this custom URL name." });
    100. 

  100.     }
    101. 

  101. 

  102.     // Validate custom URL length
    103. 

  103.     if (body.customurl.length > 64) {
    104. 

  104.       return res.status(400).json({ error: 'Maximum custom URL length is 64.' });
    105. 

  105.     }
    106. 

  106.   }
    107. 

  107. 

  108.   return next();
    109. 

  109. };
    110. 

  110. 

  111. exports.cooldownCheck = async user => {
    112. 

  112.   if (user && user.cooldowns) {
    113. 

  113.     if (user.cooldowns.length > 4) {
    114. 

  114.       await banUser(user);
    115. 

  115.       throw new Error('Too much malware requests. You are now banned.');
    116. 

  116.     }
    117. 

  117.     const hasCooldownNow = user.cooldowns.some(
    118. 

  118.       cooldown => cooldown > subHours(new Date(), 12).toJSON()
    119. 

  119.     );
    120. 

  120.     if (hasCooldownNow) {
    121. 

  121.       throw new Error('Cooldown because of a malware URL. Wait 12h');
    122. 

  122.     }
    123. 

  123.   }
    124. 

  124. };
    125. 

  125. 

  126. exports.ipCooldownCheck = async (req, res, next) => {
    127. 

  127.   const cooldonwConfig = Number(process.env.NON_USER_COOLDOWN);
    128. 

  128.   if (req.user || !cooldonwConfig) return next();
    129. 

  129.   const cooldownDate = await getIPCooldownCount(req.realIp);
    130. 

  130.   if (cooldownDate) {
    131. 

  131.     const timeToWait = cooldonwConfig - differenceInMinutes(new Date(), cooldownDate);
    132. 

  132.     return res
    133. 

  133.       .status(400)
    134. 

  134.       .json({ error: `Non-users are limited. Wait ${timeToWait} minutes or log in.` });
    135. 

  135.   }
    136. 

  136.   next();
    137. 

  137. };
    138. 

  138. 

  139. exports.malwareCheck = async (user, target) => {
    140. 

  140.   const isMalware = await axios.post(
    141. 

  141.     `https://safebrowsing.googleapis.com/v4/threatMatches:find?key=${
    142. 

  142.       process.env.GOOGLE_SAFE_BROWSING_KEY
    143. 

  143.     }`,
    144. 

  144.     {
    145. 

  145.       client: {
    146. 

  146.         clientId: process.env.DEFAULT_DOMAIN.toLowerCase().replace('.', ''),
    147. 

  147.         clientVersion: '1.0.0',
    148. 

  148.       },
    149. 

  149.       threatInfo: {
    150. 

  150.         threatTypes: [
    151. 

  151.           'THREAT_TYPE_UNSPECIFIED',
    152. 

  152.           'MALWARE',
    153. 

  153.           'SOCIAL_ENGINEERING',
    154. 

  154.           'UNWANTED_SOFTWARE',
    155. 

  155.           'POTENTIALLY_HARMFUL_APPLICATION',
    156. 

  156.         ],
    157. 

  157.         platformTypes: ['ANY_PLATFORM', 'PLATFORM_TYPE_UNSPECIFIED'],
    158. 

  158.         threatEntryTypes: ['EXECUTABLE', 'URL', 'THREAT_ENTRY_TYPE_UNSPECIFIED'],
    159. 

  159.         threatEntries: [{ url: target }],
    160. 

  160.       },
    161. 

  161.     }
    162. 

  162.   );
    163. 

  163.   if (isMalware.data && isMalware.data.matches) {
    164. 

  164.     if (user) {
    165. 

  165.       await addCooldown(user);
    166. 

  166.     }
    167. 

  167.     throw new Error(user ? 'Malware detected! Cooldown for 12h.' : 'Malware detected!');
    168. 

  168.   }
    169. 

  169. };
    170. 

  170. 

  171. exports.urlCountsCheck = async email => {
    172. 

  172.   const { count } = await urlCountFromDate({
    173. 

  173.     email,
    174. 

  174.     date: subDay(new Date(), 1).toJSON(),
    175. 

  175.   });
    176. 

  176.   if (count > Number(process.env.USER_LIMIT_PER_DAY)) {
    177. 

  177.     throw new Error(
    178. 

  178.       `You have reached your daily limit (${process.env.USER_LIMIT_PER_DAY}). Please wait 24h.`
    179. 

  179.     );
    180. 

  180.   }
    181. 

  181. };
    182. 

  182. 

  183. exports.checkBannedDomain = async domain => {
    184. 

  184.   const isDomainBanned = await getBannedDomain(domain);
    185. 

  185.   if (isDomainBanned) {
    186. 

  186.     throw new Error('URL is containing malware/scam.');
    187. 

  187.   }
    188. 

  188. };
    189. 

  189. 

  190. exports.checkBannedHost = async domain => {
    191. 

  191.   let isHostBanned;
    192. 

  192.   try {
    193. 

  193.     const dnsRes = await dnsLookup(domain);
    194. 

  194.     isHostBanned = await getBannedHost(dnsRes && dnsRes.address);
    195. 

  195.   } catch (error) {
    196. 

  196.     isHostBanned = null;
    197. 

  197.   }
    198. 

  198.   if (isHostBanned) {
    199. 

  199.     throw new Error('URL is containing malware/scam.');
    200. 

  200.   }
    201. 

  201. };
    202.