Domovská stránka Prehľadávať Pomoc
Prihlásiť sa
Vieraw
/
Kutt
1
0
Fork 0
Súbory Issues 0 Pull requesty 0 Wiki
Strom: 1249bc99ae
Branche Tagy
Kutt
/
server
/
controllers
/
validateBodyController.js

validateBodyController.js 5.9 KB
História Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202 
  1. const { promisify } = require('util');
    2. 

  2. const dns = require('dns');
    3. 

  3. const axios = require('axios');
    4. 

  4. const URL = require('url');
    5. 

  5. const urlRegex = require('url-regex');
    6. 

  6. const validator = require('express-validator/check');
    7. 

  7. const { differenceInMinutes, subHours } = require('date-fns/');
    8. 

  8. const { validationResult } = require('express-validator/check');
    9. 

  9. const { addCooldown, banUser, getIPCooldown: getIPCooldownCount } = require('../db/user');
    10. 

  10. const { getBannedDomain, getBannedHost, urlCountFromDate } = require('../db/url');
    11. 

  11. const subDay = require('date-fns/sub_days');
    12. 

  12. const { addProtocol } = require('../utils');
    13. 

  13. 

  14. const dnsLookup = promisify(dns.lookup);
    15. 

  15. 

  16. exports.validationCriterias = [
    17. 

  17.   validator
    18. 

  18.     .body('email')
    19. 

  19.     .exists()
    20. 

  20.     .withMessage('Email must be provided.')
    21. 

  21.     .isEmail()
    22. 

  22.     .withMessage('Email is not valid.')
    23. 

  23.     .trim()
    24. 

  24.     .normalizeEmail(),
    25. 

  25.   validator
    26. 

  26.     .body('password', 'Password must be at least 8 chars long.')
    27. 

  27.     .exists()
    28. 

  28.     .withMessage('Password must be provided.')
    29. 

  29.     .isLength({ min: 8 }),
    30. 

  30. ];
    31. 

  31. 

  32. exports.validateBody = (req, res, next) => {
    33. 

  33.   const errors = validationResult(req);
    34. 

  34.   if (!errors.isEmpty()) {
    35. 

  35.     const errorsObj = errors.mapped();
    36. 

  36.     const emailError = errorsObj.email && errorsObj.email.msg;
    37. 

  37.     const passwordError = errorsObj.password && errorsObj.password.msg;
    38. 

  38.     return res.status(400).json({ error: emailError || passwordError });
    39. 

  39.   }
    40. 

  40.   return next();
    41. 

  41. };
    42. 

  42. 

  43. const preservedUrls = [
    44. 

  44.   'login',
    45. 

  45.   'logout',
    46. 

  46.   'signup',
    47. 

  47.   'reset-password',
    48. 

  48.   'resetpassword',
    49. 

  49.   'url-password',
    50. 

  50.   'url-info',
    51. 

  51.   'settings',
    52. 

  52.   'stats',
    53. 

  53.   'verify',
    54. 

  54.   'api',
    55. 

  55.   '404',
    56. 

  56.   'static',
    57. 

  57.   'images',
    58. 

  58.   'banned',
    59. 

  59.   'terms',
    60. 

  60.   'privacy',
    61. 

  61.   'report',
    62. 

  62. ];
    63. 

  63. 

  64. exports.preservedUrls = preservedUrls;
    65. 

  65. 

  66. exports.validateUrl = async ({ body, user }, res, next) => {
    67. 

  67.   // Validate URL existence
    68. 

  68.   if (!body.target) return res.status(400).json({ error: 'No target has been provided.' });
    69. 

  69. 

  70.   // validate URL length
    71. 

  71.   if (body.target.length > 3000) {
    72. 

  72.     return res.status(400).json({ error: 'Maximum URL length is 3000.' });
    73. 

  73.   }
    74. 

  74. 

  75.   // Validate URL
    76. 

  76.   const isValidUrl = urlRegex({ exact: true, strict: false }).test(body.target);
    77. 

  77.   if (!isValidUrl && !/^\w+:\/\//.test(body.target))
    78. 

  78.     return res.status(400).json({ error: 'URL is not valid.' });
    79. 

  79. 

  80.   // If target is the URL shortener itself
    81. 

  81.   const { host } = URL.parse(addProtocol(body.target));
    82. 

  82.   if (host === process.env.DEFAULT_DOMAIN) {
    83. 

  83.     return res.status(400).json({ error: `${process.env.DEFAULT_DOMAIN} URLs are not allowed.` });
    84. 

  84.   }
    85. 

  85. 

  86.   // Validate password length
    87. 

  87.   if (body.password && body.password.length > 64) {
    88. 

  88.     return res.status(400).json({ error: 'Maximum password length is 64.' });
    89. 

  89.   }
    90. 

  90. 

  91.   // Custom URL validations
    92. 

  92.   if (user && body.customurl) {
    93. 

  93.     // Validate custom URL
    94. 

  94.     if (!/^[a-zA-Z0-9-_]+$/g.test(body.customurl.trim())) {
    95. 

  95.       return res.status(400).json({ error: 'Custom URL is not valid.' });
    96. 

  96.     }
    97. 

  97. 

  98.     // Prevent from using preserved URLs
    99. 

  99.     if (preservedUrls.some(url => url === body.customurl)) {
    100. 

  100.       return res.status(400).json({ error: "You can't use this custom URL name." });
    101. 

  101.     }
    102. 

  102. 

  103.     // Validate custom URL length
    104. 

  104.     if (body.customurl.length > 64) {
    105. 

  105.       return res.status(400).json({ error: 'Maximum custom URL length is 64.' });
    106. 

  106.     }
    107. 

  107.   }
    108. 

  108. 

  109.   return next();
    110. 

  110. };
    111. 

  111. 

  112. exports.cooldownCheck = async user => {
    113. 

  113.   if (user && user.cooldowns) {
    114. 

  114.     if (user.cooldowns.length > 4) {
    115. 

  115.       await banUser(user);
    116. 

  116.       throw new Error('Too much malware requests. You are now banned.');
    117. 

  117.     }
    118. 

  118.     const hasCooldownNow = user.cooldowns.some(
    119. 

  119.       cooldown => cooldown > subHours(new Date(), 12).toJSON()
    120. 

  120.     );
    121. 

  121.     if (hasCooldownNow) {
    122. 

  122.       throw new Error('Cooldown because of a malware URL. Wait 12h');
    123. 

  123.     }
    124. 

  124.   }
    125. 

  125. };
    126. 

  126. 

  127. exports.ipCooldownCheck = async (req, res, next) => {
    128. 

  128.   const cooldonwConfig = Number(process.env.NON_USER_COOLDOWN);
    129. 

  129.   if (req.user || !cooldonwConfig) return next();
    130. 

  130.   const cooldownDate = await getIPCooldownCount(req.realIp);
    131. 

  131.   if (cooldownDate) {
    132. 

  132.     const timeToWait = cooldonwConfig - differenceInMinutes(new Date(), cooldownDate);
    133. 

  133.     return res
    134. 

  134.       .status(400)
    135. 

  135.       .json({ error: `Non-logged in users are limited. Wait ${timeToWait} minutes or log in.` });
    136. 

  136.   }
    137. 

  137.   next();
    138. 

  138. };
    139. 

  139. 

  140. exports.malwareCheck = async (user, target) => {
    141. 

  141.   const isMalware = await axios.post(
    142. 

  142.     `https://safebrowsing.googleapis.com/v4/threatMatches:find?key=${
    143. 

  143.       process.env.GOOGLE_SAFE_BROWSING_KEY
    144. 

  144.     }`,
    145. 

  145.     {
    146. 

  146.       client: {
    147. 

  147.         clientId: process.env.DEFAULT_DOMAIN.toLowerCase().replace('.', ''),
    148. 

  148.         clientVersion: '1.0.0',
    149. 

  149.       },
    150. 

  150.       threatInfo: {
    151. 

  151.         threatTypes: [
    152. 

  152.           'THREAT_TYPE_UNSPECIFIED',
    153. 

  153.           'MALWARE',
    154. 

  154.           'SOCIAL_ENGINEERING',
    155. 

  155.           'UNWANTED_SOFTWARE',
    156. 

  156.           'POTENTIALLY_HARMFUL_APPLICATION',
    157. 

  157.         ],
    158. 

  158.         platformTypes: ['ANY_PLATFORM', 'PLATFORM_TYPE_UNSPECIFIED'],
    159. 

  159.         threatEntryTypes: ['EXECUTABLE', 'URL', 'THREAT_ENTRY_TYPE_UNSPECIFIED'],
    160. 

  160.         threatEntries: [{ url: target }],
    161. 

  161.       },
    162. 

  162.     }
    163. 

  163.   );
    164. 

  164.   if (isMalware.data && isMalware.data.matches) {
    165. 

  165.     if (user) {
    166. 

  166.       await addCooldown(user);
    167. 

  167.     }
    168. 

  168.     throw new Error(user ? 'Malware detected! Cooldown for 12h.' : 'Malware detected!');
    169. 

  169.   }
    170. 

  170. };
    171. 

  171. 

  172. exports.urlCountsCheck = async email => {
    173. 

  173.   const { count } = await urlCountFromDate({
    174. 

  174.     email,
    175. 

  175.     date: subDay(new Date(), 1).toJSON(),
    176. 

  176.   });
    177. 

  177.   if (count > Number(process.env.USER_LIMIT_PER_DAY)) {
    178. 

  178.     throw new Error(
    179. 

  179.       `You have reached your daily limit (${process.env.USER_LIMIT_PER_DAY}). Please wait 24h.`
    180. 

  180.     );
    181. 

  181.   }
    182. 

  182. };
    183. 

  183. 

  184. exports.checkBannedDomain = async domain => {
    185. 

  185.   const isDomainBanned = await getBannedDomain(domain);
    186. 

  186.   if (isDomainBanned) {
    187. 

  187.     throw new Error('URL is containing malware/scam.');
    188. 

  188.   }
    189. 

  189. };
    190. 

  190. 

  191. exports.checkBannedHost = async domain => {
    192. 

  192.   let isHostBanned;
    193. 

  193.   try {
    194. 

  194.     const dnsRes = await dnsLookup(domain);
    195. 

  195.     isHostBanned = await getBannedHost(dnsRes && dnsRes.address);
    196. 

  196.   } catch (error) {
    197. 

  197.     isHostBanned = null;
    198. 

  198.   }
    199. 

  199.   if (isHostBanned) {
    200. 

  200.     throw new Error('URL is containing malware/scam.');
    201. 

  201.   }
    202. 

  202. };
    203.