Startsida Utforska Hjälp
Logga in
Vieraw
/
Kutt
1
0
Fork 0
Filer Ärenden 0 Pull-förfrågningar 0 Wiki
Träd: e129db2d78
Grenar Taggar
Kutt
/
server
/
controllers
/
validateBodyController.ts

validateBodyController.ts 6.3 KB
Historik

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229 
  1. import { RequestHandler } from 'express';
    2. 

  2. import { promisify } from 'util';
    3. 

  3. import dns from 'dns';
    4. 

  4. import axios from 'axios';
    5. 

  5. import URL from 'url';
    6. 

  6. import urlRegex from 'url-regex';
    7. 

  7. import validator from 'express-validator/check';
    8. 

  8. import { differenceInMinutes, subHours, subDays } from 'date-fns';
    9. 

  9. import { validationResult } from 'express-validator/check';
    10. 

  10. 

  11. import { IUser } from '../models/user';
    12. 

  12. import { addCooldown, banUser } from '../db/user';
    13. 

  13. import { getIP } from '../db/ip';
    14. 

  14. import { getUserLinksCount } from '../db/link';
    15. 

  15. import { getDomain } from '../db/domain';
    16. 

  16. import { getHost } from '../db/host';
    17. 

  17. import { addProtocol } from '../utils';
    18. 

  18. 

  19. const dnsLookup = promisify(dns.lookup);
    20. 

  20. 

  21. export const validationCriterias = [
    22. 

  22.   validator
    23. 

  23.     .body('email')
    24. 

  24.     .exists()
    25. 

  25.     .withMessage('Email must be provided.')
    26. 

  26.     .isEmail()
    27. 

  27.     .withMessage('Email is not valid.')
    28. 

  28.     .trim()
    29. 

  29.     .normalizeEmail(),
    30. 

  30.   validator
    31. 

  31.     .body('password', 'Password must be at least 8 chars long.')
    32. 

  32.     .exists()
    33. 

  33.     .withMessage('Password must be provided.')
    34. 

  34.     .isLength({ min: 8 }),
    35. 

  35. ];
    36. 

  36. 

  37. export const validateBody = (req, res, next) => {
    38. 

  38.   const errors = validationResult(req);
    39. 

  39.   if (!errors.isEmpty()) {
    40. 

  40.     const errorsObj = errors.mapped();
    41. 

  41.     const emailError = errorsObj.email && errorsObj.email.msg;
    42. 

  42.     const passwordError = errorsObj.password && errorsObj.password.msg;
    43. 

  43.     return res.status(400).json({ error: emailError || passwordError });
    44. 

  44.   }
    45. 

  45.   return next();
    46. 

  46. };
    47. 

  47. 

  48. export const preservedUrls = [
    49. 

  49.   'login',
    50. 

  50.   'logout',
    51. 

  51.   'signup',
    52. 

  52.   'reset-password',
    53. 

  53.   'resetpassword',
    54. 

  54.   'url-password',
    55. 

  55.   'url-info',
    56. 

  56.   'settings',
    57. 

  57.   'stats',
    58. 

  58.   'verify',
    59. 

  59.   'api',
    60. 

  60.   '404',
    61. 

  61.   'static',
    62. 

  62.   'images',
    63. 

  63.   'banned',
    64. 

  64.   'terms',
    65. 

  65.   'privacy',
    66. 

  66.   'report',
    67. 

  67.   'pricing',
    68. 

  68. ];
    69. 

  69. 

  70. export const validateUrl: RequestHandler = async (req, res, next) => {
    71. 

  71.   // Validate URL existence
    72. 

  72.   if (!req.body.target)
    73. 

  73.     return res.status(400).json({ error: 'No target has been provided.' });
    74. 

  74. 

  75.   // validate URL length
    76. 

  76.   if (req.body.target.length > 3000) {
    77. 

  77.     return res.status(400).json({ error: 'Maximum URL length is 3000.' });
    78. 

  78.   }
    79. 

  79. 

  80.   // Validate URL
    81. 

  81.   const isValidUrl = urlRegex({ exact: true, strict: false }).test(
    82. 

  82.     req.body.target
    83. 

  83.   );
    84. 

  84.   if (!isValidUrl && !/^\w+:\/\//.test(req.body.target))
    85. 

  85.     return res.status(400).json({ error: 'URL is not valid.' });
    86. 

  86. 

  87.   // If target is the URL shortener itself
    88. 

  88.   const { host } = URL.parse(addProtocol(req.body.target));
    89. 

  89.   if (host === process.env.DEFAULT_DOMAIN) {
    90. 

  90.     return res
    91. 

  91.       .status(400)
    92. 

  92.       .json({ error: `${process.env.DEFAULT_DOMAIN} URLs are not allowed.` });
    93. 

  93.   }
    94. 

  94. 

  95.   // Validate password length
    96. 

  96.   if (req.body.password && req.body.password.length > 64) {
    97. 

  97.     return res.status(400).json({ error: 'Maximum password length is 64.' });
    98. 

  98.   }
    99. 

  99. 

  100.   // Custom URL validations
    101. 

  101.   if (req.user && req.body.customurl) {
    102. 

  102.     // Validate custom URL
    103. 

  103.     if (!/^[a-zA-Z0-9-_]+$/g.test(req.body.customurl.trim())) {
    104. 

  104.       return res.status(400).json({ error: 'Custom URL is not valid.' });
    105. 

  105.     }
    106. 

  106. 

  107.     // Prevent from using preserved URLs
    108. 

  108.     if (preservedUrls.some(url => url === req.body.customurl)) {
    109. 

  109.       return res
    110. 

  110.         .status(400)
    111. 

  111.         .json({ error: "You can't use this custom URL name." });
    112. 

  112.     }
    113. 

  113. 

  114.     // Validate custom URL length
    115. 

  115.     if (req.body.customurl.length > 64) {
    116. 

  116.       return res
    117. 

  117.         .status(400)
    118. 

  118.         .json({ error: 'Maximum custom URL length is 64.' });
    119. 

  119.     }
    120. 

  120.   }
    121. 

  121. 

  122.   return next();
    123. 

  123. };
    124. 

  124. 

  125. export const cooldownCheck = async (user: IUser) => {
    126. 

  126.   if (user && user.cooldowns) {
    127. 

  127.     if (user.cooldowns.length > 4) {
    128. 

  128.       await banUser(user._id);
    129. 

  129.       throw new Error('Too much malware requests. You are now banned.');
    130. 

  130.     }
    131. 

  131.     const hasCooldownNow = user.cooldowns.some(
    132. 

  132.       cooldown => cooldown.toJSON() > subHours(new Date(), 12).toJSON()
    133. 

  133.     );
    134. 

  134.     if (hasCooldownNow) {
    135. 

  135.       throw new Error('Cooldown because of a malware URL. Wait 12h');
    136. 

  136.     }
    137. 

  137.   }
    138. 

  138. };
    139. 

  139. 

  140. export const ipCooldownCheck: RequestHandler = async (req, res, next) => {
    141. 

  141.   const cooldownConfig = Number(process.env.NON_USER_COOLDOWN);
    142. 

  142.   if (req.user || !cooldownConfig) return next();
    143. 

  143.   const ip = await getIP(req.realIP);
    144. 

  144.   if (ip) {
    145. 

  145.     const timeToWait =
    146. 

  146.       cooldownConfig - differenceInMinutes(new Date(), ip.createdAt);
    147. 

  147.     return res.status(400).json({
    148. 

  148.       error:
    149. 

  149.         `Non-logged in users are limited. Wait ${timeToWait} ` +
    150. 

  150.         'minutes or log in.',
    151. 

  151.     });
    152. 

  152.   }
    153. 

  153.   next();
    154. 

  154. };
    155. 

  155. 

  156. export const malwareCheck = async (user: IUser, target: string) => {
    157. 

  157.   const isMalware = await axios.post(
    158. 

  158.     `https://safebrowsing.googleapis.com/v4/threatMatches:find?key=${
    159. 

  159.       process.env.GOOGLE_SAFE_BROWSING_KEY
    160. 

  160.     }`,
    161. 

  161.     {
    162. 

  162.       client: {
    163. 

  163.         clientId: process.env.DEFAULT_DOMAIN.toLowerCase().replace('.', ''),
    164. 

  164.         clientVersion: '1.0.0',
    165. 

  165.       },
    166. 

  166.       threatInfo: {
    167. 

  167.         threatTypes: [
    168. 

  168.           'THREAT_TYPE_UNSPECIFIED',
    169. 

  169.           'MALWARE',
    170. 

  170.           'SOCIAL_ENGINEERING',
    171. 

  171.           'UNWANTED_SOFTWARE',
    172. 

  172.           'POTENTIALLY_HARMFUL_APPLICATION',
    173. 

  173.         ],
    174. 

  174.         platformTypes: ['ANY_PLATFORM', 'PLATFORM_TYPE_UNSPECIFIED'],
    175. 

  175.         threatEntryTypes: [
    176. 

  176.           'EXECUTABLE',
    177. 

  177.           'URL',
    178. 

  178.           'THREAT_ENTRY_TYPE_UNSPECIFIED',
    179. 

  179.         ],
    180. 

  180.         threatEntries: [{ url: target }],
    181. 

  181.       },
    182. 

  182.     }
    183. 

  183.   );
    184. 

  184.   if (isMalware.data && isMalware.data.matches) {
    185. 

  185.     if (user) {
    186. 

  186.       await addCooldown(user._id);
    187. 

  187.     }
    188. 

  188.     throw new Error(
    189. 

  189.       user ? 'Malware detected! Cooldown for 12h.' : 'Malware detected!'
    190. 

  190.     );
    191. 

  191.   }
    192. 

  192. };
    193. 

  193. 

  194. export const urlCountsCheck = async (user: IUser) => {
    195. 

  195.   const count = await getUserLinksCount({
    196. 

  196.     user: user._id,
    197. 

  197.     date: subDays(new Date(), 1),
    198. 

  198.   });
    199. 

  199.   if (count > Number(process.env.USER_LIMIT_PER_DAY)) {
    200. 

  200.     throw new Error(
    201. 

  201.       `You have reached your daily limit (${
    202. 

  202.         process.env.USER_LIMIT_PER_DAY
    203. 

  203.       }). Please wait 24h.`
    204. 

  204.     );
    205. 

  205.   }
    206. 

  206. };
    207. 

  207. 

  208. export const checkBannedDomain = async (domain: string) => {
    209. 

  209.   const bannedDomain = await getDomain({ name: domain, banned: true });
    210. 

  210.   if (bannedDomain) {
    211. 

  211.     throw new Error('URL is containing malware/scam.');
    212. 

  212.   }
    213. 

  213. };
    214. 

  214. 

  215. export const checkBannedHost = async (domain: string) => {
    216. 

  216.   let isHostBanned;
    217. 

  217.   try {
    218. 

  218.     const dnsRes = await dnsLookup(domain);
    219. 

  219.     isHostBanned = await getHost({
    220. 

  220.       address: dnsRes && dnsRes.address,
    221. 

  221.       banned: true,
    222. 

  222.     });
    223. 

  223.   } catch (error) {
    224. 

  224.     isHostBanned = null;
    225. 

  225.   }
    226. 

  226.   if (isHostBanned) {
    227. 

  227.     throw new Error('URL is containing malware/scam.');
    228. 

  228.   }
    229. 

  229. };
    230.