Domů Procházet Nápověda
Přihlásit se
Vieraw
/
Kutt
1
0
Rozštěpit 0
Soubory Úkoly 0 Pull Requesty 0 Wiki
Strom: 752dc7cd6c
Větve Značky
Kutt
/
server
/
controllers
/
validateBodyController.ts

validateBodyController.ts 6.2 KB
Historie Surový

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224 
  1. import { RequestHandler } from "express";
    2. 

  2. import { promisify } from "util";
    3. 

  3. import dns from "dns";
    4. 

  4. import axios from "axios";
    5. 

  5. import URL from "url";
    6. 

  6. import urlRegex from "url-regex";
    7. 

  7. import validator from "express-validator/check";
    8. 

  8. import { differenceInMinutes, subHours, subDays, isAfter } from "date-fns";
    9. 

  9. import { validationResult } from "express-validator/check";
    10. 

  10. 

  11. import { addCooldown, banUser } from "../db/user";
    12. 

  12. import { getIP } from "../db/ip";
    13. 

  13. import { getUserLinksCount } from "../db/link";
    14. 

  14. import { getDomain } from "../db/domain";
    15. 

  15. import { getHost } from "../db/host";
    16. 

  16. import { addProtocol } from "../utils";
    17. 

  17. 

  18. const dnsLookup = promisify(dns.lookup);
    19. 

  19. 

  20. export const validationCriterias = [
    21. 

  21.   validator
    22. 

  22.     .body("email")
    23. 

  23.     .exists()
    24. 

  24.     .withMessage("Email must be provided.")
    25. 

  25.     .isEmail()
    26. 

  26.     .withMessage("Email is not valid.")
    27. 

  27.     .trim()
    28. 

  28.     .normalizeEmail(),
    29. 

  29.   validator
    30. 

  30.     .body("password", "Password must be at least 8 chars long.")
    31. 

  31.     .exists()
    32. 

  32.     .withMessage("Password must be provided.")
    33. 

  33.     .isLength({ min: 8 })
    34. 

  34. ];
    35. 

  35. 

  36. export const validateBody = (req, res, next) => {
    37. 

  37.   const errors = validationResult(req);
    38. 

  38.   if (!errors.isEmpty()) {
    39. 

  39.     const errorsObj = errors.mapped();
    40. 

  40.     const emailError = errorsObj.email && errorsObj.email.msg;
    41. 

  41.     const passwordError = errorsObj.password && errorsObj.password.msg;
    42. 

  42.     return res.status(400).json({ error: emailError || passwordError });
    43. 

  43.   }
    44. 

  44.   return next();
    45. 

  45. };
    46. 

  46. 

  47. export const preservedUrls = [
    48. 

  48.   "login",
    49. 

  49.   "logout",
    50. 

  50.   "signup",
    51. 

  51.   "reset-password",
    52. 

  52.   "resetpassword",
    53. 

  53.   "url-password",
    54. 

  54.   "url-info",
    55. 

  55.   "settings",
    56. 

  56.   "stats",
    57. 

  57.   "verify",
    58. 

  58.   "api",
    59. 

  59.   "404",
    60. 

  60.   "static",
    61. 

  61.   "images",
    62. 

  62.   "banned",
    63. 

  63.   "terms",
    64. 

  64.   "privacy",
    65. 

  65.   "report",
    66. 

  66.   "pricing"
    67. 

  67. ];
    68. 

  68. 

  69. export const validateUrl: RequestHandler = async (req, res, next) => {
    70. 

  70.   // Validate URL existence
    71. 

  71.   if (!req.body.target)
    72. 

  72.     return res.status(400).json({ error: "No target has been provided." });
    73. 

  73. 

  74.   // validate URL length
    75. 

  75.   if (req.body.target.length > 3000) {
    76. 

  76.     return res.status(400).json({ error: "Maximum URL length is 3000." });
    77. 

  77.   }
    78. 

  78. 

  79.   // Validate URL
    80. 

  80.   const isValidUrl = urlRegex({ exact: true, strict: false }).test(
    81. 

  81.     req.body.target
    82. 

  82.   );
    83. 

  83.   if (!isValidUrl && !/^\w+:\/\//.test(req.body.target))
    84. 

  84.     return res.status(400).json({ error: "URL is not valid." });
    85. 

  85. 

  86.   // If target is the URL shortener itself
    87. 

  87.   const { host } = URL.parse(addProtocol(req.body.target));
    88. 

  88.   if (host === process.env.DEFAULT_DOMAIN) {
    89. 

  89.     return res
    90. 

  90.       .status(400)
    91. 

  91.       .json({ error: `${process.env.DEFAULT_DOMAIN} URLs are not allowed.` });
    92. 

  92.   }
    93. 

  93. 

  94.   // Validate password length
    95. 

  95.   if (req.body.password && req.body.password.length > 64) {
    96. 

  96.     return res.status(400).json({ error: "Maximum password length is 64." });
    97. 

  97.   }
    98. 

  98. 

  99.   // Custom URL validations
    100. 

  100.   if (req.user && req.body.customurl) {
    101. 

  101.     // Validate custom URL
    102. 

  102.     if (!/^[a-zA-Z0-9-_]+$/g.test(req.body.customurl.trim())) {
    103. 

  103.       return res.status(400).json({ error: "Custom URL is not valid." });
    104. 

  104.     }
    105. 

  105. 

  106.     // Prevent from using preserved URLs
    107. 

  107.     if (preservedUrls.some(url => url === req.body.customurl)) {
    108. 

  108.       return res
    109. 

  109.         .status(400)
    110. 

  110.         .json({ error: "You can't use this custom URL name." });
    111. 

  111.     }
    112. 

  112. 

  113.     // Validate custom URL length
    114. 

  114.     if (req.body.customurl.length > 64) {
    115. 

  115.       return res
    116. 

  116.         .status(400)
    117. 

  117.         .json({ error: "Maximum custom URL length is 64." });
    118. 

  118.     }
    119. 

  119.   }
    120. 

  120. 

  121.   return next();
    122. 

  122. };
    123. 

  123. 

  124. export const cooldownCheck = async (user: User) => {
    125. 

  125.   if (user && user.cooldowns) {
    126. 

  126.     if (user.cooldowns.length > 4) {
    127. 

  127.       await banUser(user.id);
    128. 

  128.       throw new Error("Too much malware requests. You are now banned.");
    129. 

  129.     }
    130. 

  130.     const hasCooldownNow = user.cooldowns.some(cooldown =>
    131. 

  131.       isAfter(subHours(new Date(), 12), cooldown)
    132. 

  132.     );
    133. 

  133.     if (hasCooldownNow) {
    134. 

  134.       throw new Error("Cooldown because of a malware URL. Wait 12h");
    135. 

  135.     }
    136. 

  136.   }
    137. 

  137. };
    138. 

  138. 

  139. export const ipCooldownCheck: RequestHandler = async (req, res, next) => {
    140. 

  140.   const cooldownConfig = Number(process.env.NON_USER_COOLDOWN);
    141. 

  141.   if (req.user || !cooldownConfig) return next();
    142. 

  142.   const ip = await getIP(req.realIP);
    143. 

  143.   if (ip) {
    144. 

  144.     const timeToWait =
    145. 

  145.       cooldownConfig - differenceInMinutes(new Date(), ip.created_at);
    146. 

  146.     return res.status(400).json({
    147. 

  147.       error:
    148. 

  148.         `Non-logged in users are limited. Wait ${timeToWait} ` +
    149. 

  149.         "minutes or log in."
    150. 

  150.     });
    151. 

  151.   }
    152. 

  152.   next();
    153. 

  153. };
    154. 

  154. 

  155. export const malwareCheck = async (user: User, target: string) => {
    156. 

  156.   const isMalware = await axios.post(
    157. 

  157.     `https://safebrowsing.googleapis.com/v4/threatMatches:find?key=${process.env.GOOGLE_SAFE_BROWSING_KEY}`,
    158. 

  158.     {
    159. 

  159.       client: {
    160. 

  160.         clientId: process.env.DEFAULT_DOMAIN.toLowerCase().replace(".", ""),
    161. 

  161.         clientVersion: "1.0.0"
    162. 

  162.       },
    163. 

  163.       threatInfo: {
    164. 

  164.         threatTypes: [
    165. 

  165.           "THREAT_TYPE_UNSPECIFIED",
    166. 

  166.           "MALWARE",
    167. 

  167.           "SOCIAL_ENGINEERING",
    168. 

  168.           "UNWANTED_SOFTWARE",
    169. 

  169.           "POTENTIALLY_HARMFUL_APPLICATION"
    170. 

  170.         ],
    171. 

  171.         platformTypes: ["ANY_PLATFORM", "PLATFORM_TYPE_UNSPECIFIED"],
    172. 

  172.         threatEntryTypes: [
    173. 

  173.           "EXECUTABLE",
    174. 

  174.           "URL",
    175. 

  175.           "THREAT_ENTRY_TYPE_UNSPECIFIED"
    176. 

  176.         ],
    177. 

  177.         threatEntries: [{ url: target }]
    178. 

  178.       }
    179. 

  179.     }
    180. 

  180.   );
    181. 

  181.   if (isMalware.data && isMalware.data.matches) {
    182. 

  182.     if (user) {
    183. 

  183.       await addCooldown(user.id);
    184. 

  184.     }
    185. 

  185.     throw new Error(
    186. 

  186.       user ? "Malware detected! Cooldown for 12h." : "Malware detected!"
    187. 

  187.     );
    188. 

  188.   }
    189. 

  189. };
    190. 

  190. 

  191. export const urlCountsCheck = async (user: User) => {
    192. 

  192.   const count = await getUserLinksCount({
    193. 

  193.     user_id: user.id,
    194. 

  194.     date: subDays(new Date(), 1)
    195. 

  195.   });
    196. 

  196.   if (count > Number(process.env.USER_LIMIT_PER_DAY)) {
    197. 

  197.     throw new Error(
    198. 

  198.       `You have reached your daily limit (${process.env.USER_LIMIT_PER_DAY}). Please wait 24h.`
    199. 

  199.     );
    200. 

  200.   }
    201. 

  201. };
    202. 

  202. 

  203. export const checkBannedDomain = async (domain: string) => {
    204. 

  204.   const bannedDomain = await getDomain({ address: domain, banned: true });
    205. 

  205.   if (bannedDomain) {
    206. 

  206.     throw new Error("URL is containing malware/scam.");
    207. 

  207.   }
    208. 

  208. };
    209. 

  209. 

  210. export const checkBannedHost = async (domain: string) => {
    211. 

  211.   let isHostBanned;
    212. 

  212.   try {
    213. 

  213.     const dnsRes = await dnsLookup(domain);
    214. 

  214.     isHostBanned = await getHost({
    215. 

  215.       address: dnsRes && dnsRes.address,
    216. 

  216.       banned: true
    217. 

  217.     });
    218. 

  218.   } catch (error) {
    219. 

  219.     isHostBanned = null;
    220. 

  220.   }
    221. 

  221.   if (isHostBanned) {
    222. 

  222.     throw new Error("URL is containing malware/scam.");
    223. 

  223.   }
    224. 

  224. };
    225.