Domovská stránka Prehľadávať Pomoc
Prihlásiť sa
Vieraw
/
Kutt
1
0
Fork 0
Súbory Issues 0 Pull requesty 0 Wiki
Strom: b781a82a2f
Branche Tagy
Kutt
/
server
/
handlers
/
validators.ts

validators.ts 11 KB
História Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414 
  1. import { body, param } from "express-validator";
    2. 

  2. import { isAfter, subDays, subHours } from "date-fns";
    3. 

  3. import urlRegex from "url-regex";
    4. 

  4. import { promisify } from "util";
    5. 

  5. import bcrypt from "bcryptjs";
    6. 

  6. import axios from "axios";
    7. 

  7. import dns from "dns";
    8. 

  8. import URL from "url";
    9. 

  9. 

  10. import { CustomError, addProtocol } from "../utils";
    11. 

  11. import query from "../queries";
    12. 

  12. import knex from "../knex";
    13. 

  13. import env from "../env";
    14. 

  14. 

  15. const dnsLookup = promisify(dns.lookup);
    16. 

  16. 

  17. export const preservedUrls = [
    18. 

  18.   "login",
    19. 

  19.   "logout",
    20. 

  20.   "signup",
    21. 

  21.   "reset-password",
    22. 

  22.   "resetpassword",
    23. 

  23.   "url-password",
    24. 

  24.   "url-info",
    25. 

  25.   "settings",
    26. 

  26.   "stats",
    27. 

  27.   "verify",
    28. 

  28.   "api",
    29. 

  29.   "404",
    30. 

  30.   "static",
    31. 

  31.   "images",
    32. 

  32.   "banned",
    33. 

  33.   "terms",
    34. 

  34.   "privacy",
    35. 

  35.   "protected",
    36. 

  36.   "report",
    37. 

  37.   "pricing"
    38. 

  38. ];
    39. 

  39. 

  40. export const checkUser = (value, { req }) => !!req.user;
    41. 

  41. 

  42. export const createLink = [
    43. 

  43.   body("target")
    44. 

  44.     .exists({ checkNull: true, checkFalsy: true })
    45. 

  45.     .withMessage("Target is missing.")
    46. 

  46.     .isString()
    47. 

  47.     .trim()
    48. 

  48.     .isLength({ min: 1, max: 2040 })
    49. 

  49.     .withMessage("Maximum URL length is 2040.")
    50. 

  50.     .customSanitizer(addProtocol)
    51. 

  51.     .custom(
    52. 

  52.       value =>
    53. 

  53.         urlRegex({ exact: true, strict: false }).test(value) ||
    54. 

  54.         /^(?!https?)(\w+):\/\//.test(value)
    55. 

  55.     )
    56. 

  56.     .withMessage("URL is not valid.")
    57. 

  57.     .custom(value => URL.parse(value).host !== env.DEFAULT_DOMAIN)
    58. 

  58.     .withMessage(`${env.DEFAULT_DOMAIN} URLs are not allowed.`),
    59. 

  59.   body("password")
    60. 

  60.     .optional()
    61. 

  61.     .custom(checkUser)
    62. 

  62.     .withMessage("Only users can use this field.")
    63. 

  63.     .isString()
    64. 

  64.     .isLength({ min: 3, max: 64 })
    65. 

  65.     .withMessage("Password length must be between 3 and 64."),
    66. 

  66.   body("customurl")
    67. 

  67.     .optional()
    68. 

  68.     .custom(checkUser)
    69. 

  69.     .withMessage("Only users can use this field.")
    70. 

  70.     .isString()
    71. 

  71.     .trim()
    72. 

  72.     .isLength({ min: 1, max: 64 })
    73. 

  73.     .withMessage("Custom URL length must be between 1 and 64.")
    74. 

  74.     .custom(value => /^[a-zA-Z0-9-_]+$/g.test(value))
    75. 

  75.     .withMessage("Custom URL is not valid")
    76. 

  76.     .custom(value => !preservedUrls.some(url => url.toLowerCase() === value))
    77. 

  77.     .withMessage("You can't use this custom URL."),
    78. 

  78.   body("reuse")
    79. 

  79.     .optional()
    80. 

  80.     .custom(checkUser)
    81. 

  81.     .withMessage("Only users can use this field.")
    82. 

  82.     .isBoolean()
    83. 

  83.     .withMessage("Reuse must be boolean."),
    84. 

  84.   body("domain")
    85. 

  85.     .optional()
    86. 

  86.     .custom(checkUser)
    87. 

  87.     .withMessage("Only users can use this field.")
    88. 

  88.     .isString()
    89. 

  89.     .withMessage("Domain should be string.")
    90. 

  90.     .customSanitizer(value => value.toLowerCase())
    91. 

  91.     .custom(async (address, { req }) => {
    92. 

  92.       const domain = await query.domain.find({
    93. 

  93.         address,
    94. 

  94.         user_id: req.user.id
    95. 

  95.       });
    96. 

  96.       req.body.domain = domain || null;
    97. 

  97. 

  98.       if (!domain) return Promise.reject();
    99. 

  99.     })
    100. 

  100.     .withMessage("You can't use this domain.")
    101. 

  101. ];
    102. 

  102. 

  103. export const editLink = [
    104. 

  104.   body("target")
    105. 

  105.     .optional({ checkFalsy: true, nullable: true })
    106. 

  106.     .isString()
    107. 

  107.     .trim()
    108. 

  108.     .isLength({ min: 1, max: 2040 })
    109. 

  109.     .withMessage("Maximum URL length is 2040.")
    110. 

  110.     .customSanitizer(addProtocol)
    111. 

  111.     .custom(
    112. 

  112.       value =>
    113. 

  113.         urlRegex({ exact: true, strict: false }).test(value) ||
    114. 

  114.         /^(?!https?)(\w+):\/\//.test(value)
    115. 

  115.     )
    116. 

  116.     .withMessage("URL is not valid.")
    117. 

  117.     .custom(value => URL.parse(value).host !== env.DEFAULT_DOMAIN)
    118. 

  118.     .withMessage(`${env.DEFAULT_DOMAIN} URLs are not allowed.`),
    119. 

  119.   body("address")
    120. 

  120.     .optional({ checkFalsy: true, nullable: true })
    121. 

  121.     .isString()
    122. 

  122.     .trim()
    123. 

  123.     .isLength({ min: 1, max: 64 })
    124. 

  124.     .withMessage("Custom URL length must be between 1 and 64.")
    125. 

  125.     .custom(value => /^[a-zA-Z0-9-_]+$/g.test(value))
    126. 

  126.     .withMessage("Custom URL is not valid")
    127. 

  127.     .custom(value => !preservedUrls.some(url => url.toLowerCase() === value))
    128. 

  128.     .withMessage("You can't use this custom URL."),
    129. 

  129.   param("id", "ID is invalid.")
    130. 

  130.     .exists({ checkFalsy: true, checkNull: true })
    131. 

  131.     .isLength({ min: 36, max: 36 })
    132. 

  132. ];
    133. 

  133. 

  134. export const redirectProtected = [
    135. 

  135.   body("password", "Password is invalid.")
    136. 

  136.     .exists({ checkFalsy: true, checkNull: true })
    137. 

  137.     .isString()
    138. 

  138.     .isLength({ min: 3, max: 64 })
    139. 

  139.     .withMessage("Password length must be between 3 and 64."),
    140. 

  140.   param("id", "ID is invalid.")
    141. 

  141.     .exists({ checkFalsy: true, checkNull: true })
    142. 

  142.     .isLength({ min: 36, max: 36 })
    143. 

  143. ];
    144. 

  144. 

  145. export const addDomain = [
    146. 

  146.   body("address", "Domain is not valid")
    147. 

  147.     .exists({ checkFalsy: true, checkNull: true })
    148. 

  148.     .isLength({ min: 3, max: 64 })
    149. 

  149.     .withMessage("Domain length must be between 3 and 64.")
    150. 

  150.     .trim()
    151. 

  151.     .customSanitizer(value => {
    152. 

  152.       const parsed = URL.parse(value);
    153. 

  153.       return parsed.hostname || parsed.href;
    154. 

  154.     })
    155. 

  155.     .custom(value => urlRegex({ exact: true, strict: false }).test(value))
    156. 

  156.     .custom(value => value !== env.DEFAULT_DOMAIN)
    157. 

  157.     .withMessage("You can't use the default domain.")
    158. 

  158.     .custom(async (value, { req }) => {
    159. 

  159.       const domains = await query.domain.get({ user_id: req.user.id });
    160. 

  160.       if (domains.length !== 0) return Promise.reject();
    161. 

  161.     })
    162. 

  162.     .withMessage("You already own a domain. Contact support if you need more.")
    163. 

  163.     .custom(async value => {
    164. 

  164.       const domain = await query.domain.find({ address: value });
    165. 

  165.       if (domain?.user_id || domain?.banned) return Promise.reject();
    166. 

  166.     })
    167. 

  167.     .withMessage("You can't add this domain."),
    168. 

  168.   body("homepage")
    169. 

  169.     .optional({ checkFalsy: true, nullable: true })
    170. 

  170.     .customSanitizer(addProtocol)
    171. 

  171.     .custom(value => urlRegex({ exact: true, strict: false }).test(value))
    172. 

  172.     .withMessage("Homepage is not valid.")
    173. 

  173. ];
    174. 

  174. 

  175. export const removeDomain = [
    176. 

  176.   param("id", "ID is invalid.")
    177. 

  177.     .exists({
    178. 

  178.       checkFalsy: true,
    179. 

  179.       checkNull: true
    180. 

  180.     })
    181. 

  181.     .isLength({ min: 36, max: 36 })
    182. 

  182. ];
    183. 

  183. 

  184. export const deleteLink = [
    185. 

  185.   param("id", "ID is invalid.")
    186. 

  186.     .exists({
    187. 

  187.       checkFalsy: true,
    188. 

  188.       checkNull: true
    189. 

  189.     })
    190. 

  190.     .isLength({ min: 36, max: 36 })
    191. 

  191. ];
    192. 

  192. 

  193. export const reportLink = [
    194. 

  194.   body("link", "No link has been provided.")
    195. 

  195.     .exists({
    196. 

  196.       checkFalsy: true,
    197. 

  197.       checkNull: true
    198. 

  198.     })
    199. 

  199.     .customSanitizer(addProtocol)
    200. 

  200.     .custom(value => URL.parse(value).hostname === env.DEFAULT_DOMAIN)
    201. 

  201.     .withMessage(`You can only report a ${env.DEFAULT_DOMAIN} link.`)
    202. 

  202. ];
    203. 

  203. 

  204. export const banLink = [
    205. 

  205.   param("id", "ID is invalid.")
    206. 

  206.     .exists({
    207. 

  207.       checkFalsy: true,
    208. 

  208.       checkNull: true
    209. 

  209.     })
    210. 

  210.     .isLength({ min: 36, max: 36 }),
    211. 

  211.   body("host", '"host" should be a boolean.')
    212. 

  212.     .optional({
    213. 

  213.       nullable: true
    214. 

  214.     })
    215. 

  215.     .isBoolean(),
    216. 

  216.   body("user", '"user" should be a boolean.')
    217. 

  217.     .optional({
    218. 

  218.       nullable: true
    219. 

  219.     })
    220. 

  220.     .isBoolean(),
    221. 

  221.   body("userlinks", '"userlinks" should be a boolean.')
    222. 

  222.     .optional({
    223. 

  223.       nullable: true
    224. 

  224.     })
    225. 

  225.     .isBoolean(),
    226. 

  226.   body("domain", '"domain" should be a boolean.')
    227. 

  227.     .optional({
    228. 

  228.       nullable: true
    229. 

  229.     })
    230. 

  230.     .isBoolean()
    231. 

  231. ];
    232. 

  232. 

  233. export const getStats = [
    234. 

  234.   param("id", "ID is invalid.")
    235. 

  235.     .exists({
    236. 

  236.       checkFalsy: true,
    237. 

  237.       checkNull: true
    238. 

  238.     })
    239. 

  239.     .isLength({ min: 36, max: 36 })
    240. 

  240. ];
    241. 

  241. 

  242. export const signup = [
    243. 

  243.   body("password", "Password is not valid.")
    244. 

  244.     .exists({ checkFalsy: true, checkNull: true })
    245. 

  245.     .isLength({ min: 8, max: 64 })
    246. 

  246.     .withMessage("Password length must be between 8 and 64."),
    247. 

  247.   body("email", "Email is not valid.")
    248. 

  248.     .exists({ checkFalsy: true, checkNull: true })
    249. 

  249.     .trim()
    250. 

  250.     .isEmail()
    251. 

  251.     .isLength({ min: 0, max: 255 })
    252. 

  252.     .withMessage("Email length must be max 255.")
    253. 

  253.     .custom(async (value, { req }) => {
    254. 

  254.       const user = await query.user.find({ email: value });
    255. 

  255. 

  256.       if (user) {
    257. 

  257.         req.user = user;
    258. 

  258.       }
    259. 

  259. 

  260.       if (user?.verified) return Promise.reject();
    261. 

  261.     })
    262. 

  262.     .withMessage("You can't use this email address.")
    263. 

  263. ];
    264. 

  264. 

  265. export const login = [
    266. 

  266.   body("password", "Password is not valid.")
    267. 

  267.     .exists({ checkFalsy: true, checkNull: true })
    268. 

  268.     .isLength({ min: 8, max: 64 })
    269. 

  269.     .withMessage("Password length must be between 8 and 64."),
    270. 

  270.   body("email", "Email is not valid.")
    271. 

  271.     .exists({ checkFalsy: true, checkNull: true })
    272. 

  272.     .trim()
    273. 

  273.     .isEmail()
    274. 

  274.     .isLength({ min: 0, max: 255 })
    275. 

  275.     .withMessage("Email length must be max 255.")
    276. 

  276. ];
    277. 

  277. 

  278. export const changePassword = [
    279. 

  279.   body("password", "Password is not valid.")
    280. 

  280.     .exists({ checkFalsy: true, checkNull: true })
    281. 

  281.     .isLength({ min: 8, max: 64 })
    282. 

  282.     .withMessage("Password length must be between 8 and 64.")
    283. 

  283. ];
    284. 

  284. 

  285. export const resetPasswordRequest = [
    286. 

  286.   body("email", "Email is not valid.")
    287. 

  287.     .exists({ checkFalsy: true, checkNull: true })
    288. 

  288.     .trim()
    289. 

  289.     .isEmail()
    290. 

  290.     .isLength({ min: 0, max: 255 })
    291. 

  291.     .withMessage("Email length must be max 255.")
    292. 

  292. ];
    293. 

  293. 

  294. export const deleteUser = [
    295. 

  295.   body("password", "Password is not valid.")
    296. 

  296.     .exists({ checkFalsy: true, checkNull: true })
    297. 

  297.     .isLength({ min: 8, max: 64 })
    298. 

  298.     .custom(async (password, { req }) => {
    299. 

  299.       const isMatch = await bcrypt.compare(password, req.user.password);
    300. 

  300.       if (!isMatch) return Promise.reject();
    301. 

  301.     })
    302. 

  302. ];
    303. 

  303. 

  304. export const cooldown = (user: User) => {
    305. 

  305.   if (!env.GOOGLE_SAFE_BROWSING_KEY || !user || !user.cooldowns) return;
    306. 

  306. 

  307.   // If has active cooldown then throw error
    308. 

  308.   const hasCooldownNow = user.cooldowns.some(cooldown =>
    309. 

  309.     isAfter(subHours(new Date(), 12), new Date(cooldown))
    310. 

  310.   );
    311. 

  311. 

  312.   if (hasCooldownNow) {
    313. 

  313.     throw new CustomError("Cooldown because of a malware URL. Wait 12h");
    314. 

  314.   }
    315. 

  315. };
    316. 

  316. 

  317. export const malware = async (user: User, target: string) => {
    318. 

  318.   if (!env.GOOGLE_SAFE_BROWSING_KEY) return;
    319. 

  319. 

  320.   const isMalware = await axios.post(
    321. 

  321.     `https://safebrowsing.googleapis.com/v4/threatMatches:find?key=${env.GOOGLE_SAFE_BROWSING_KEY}`,
    322. 

  322.     {
    323. 

  323.       client: {
    324. 

  324.         clientId: env.DEFAULT_DOMAIN.toLowerCase().replace(".", ""),
    325. 

  325.         clientVersion: "1.0.0"
    326. 

  326.       },
    327. 

  327.       threatInfo: {
    328. 

  328.         threatTypes: [
    329. 

  329.           "THREAT_TYPE_UNSPECIFIED",
    330. 

  330.           "MALWARE",
    331. 

  331.           "SOCIAL_ENGINEERING",
    332. 

  332.           "UNWANTED_SOFTWARE",
    333. 

  333.           "POTENTIALLY_HARMFUL_APPLICATION"
    334. 

  334.         ],
    335. 

  335.         platformTypes: ["ANY_PLATFORM", "PLATFORM_TYPE_UNSPECIFIED"],
    336. 

  336.         threatEntryTypes: [
    337. 

  337.           "EXECUTABLE",
    338. 

  338.           "URL",
    339. 

  339.           "THREAT_ENTRY_TYPE_UNSPECIFIED"
    340. 

  340.         ],
    341. 

  341.         threatEntries: [{ url: target }]
    342. 

  342.       }
    343. 

  343.     }
    344. 

  344.   );
    345. 

  345.   if (!isMalware.data || !isMalware.data.matches) return;
    346. 

  346. 

  347.   if (user) {
    348. 

  348.     const [updatedUser] = await query.user.update(
    349. 

  349.       { id: user.id },
    350. 

  350.       {
    351. 

  351.         cooldowns: knex.raw("array_append(cooldowns, ?)", [
    352. 

  352.           new Date().toISOString()
    353. 

  353.         ]) as any
    354. 

  354.       }
    355. 

  355.     );
    356. 

  356. 

  357.     // Ban if too many cooldowns
    358. 

  358.     if (updatedUser.cooldowns.length > 2) {
    359. 

  359.       await query.user.update({ id: user.id }, { banned: true });
    360. 

  360.       throw new CustomError("Too much malware requests. You are now banned.");
    361. 

  361.     }
    362. 

  362.   }
    363. 

  363. 

  364.   throw new CustomError(
    365. 

  365.     user ? "Malware detected! Cooldown for 12h." : "Malware detected!"
    366. 

  366.   );
    367. 

  367. };
    368. 

  368. 

  369. export const linksCount = async (user?: User) => {
    370. 

  370.   if (!user) return;
    371. 

  371. 

  372.   const count = await query.link.total({
    373. 

  373.     user_id: user.id,
    374. 

  374.     created_at: [">", subDays(new Date(), 1).toISOString()]
    375. 

  375.   });
    376. 

  376. 

  377.   if (count > env.USER_LIMIT_PER_DAY) {
    378. 

  378.     throw new CustomError(
    379. 

  379.       `You have reached your daily limit (${env.USER_LIMIT_PER_DAY}). Please wait 24h.`
    380. 

  380.     );
    381. 

  381.   }
    382. 

  382. };
    383. 

  383. 

  384. export const bannedDomain = async (domain: string) => {
    385. 

  385.   const isBanned = await query.domain.find({
    386. 

  386.     address: domain,
    387. 

  387.     banned: true
    388. 

  388.   });
    389. 

  389. 

  390.   if (isBanned) {
    391. 

  391.     throw new CustomError("URL is containing malware/scam.", 400);
    392. 

  392.   }
    393. 

  393. };
    394. 

  394. 

  395. export const bannedHost = async (domain: string) => {
    396. 

  396.   let isBanned;
    397. 

  397. 

  398.   try {
    399. 

  399.     const dnsRes = await dnsLookup(domain);
    400. 

  400. 

  401.     if (!dnsRes || !dnsRes.address) return;
    402. 

  402. 

  403.     isBanned = await query.host.find({
    404. 

  404.       address: dnsRes.address,
    405. 

  405.       banned: true
    406. 

  406.     });
    407. 

  407.   } catch (error) {
    408. 

  408.     isBanned = null;
    409. 

  409.   }
    410. 

  410. 

  411.   if (isBanned) {
    412. 

  412.     throw new CustomError("URL is containing malware/scam.", 400);
    413. 

  413.   }
    414. 

  414. };
    415.