diff options
| author | Fuwn <[email protected]> | 2026-02-07 05:35:28 -0800 |
|---|---|---|
| committer | Fuwn <[email protected]> | 2026-02-07 05:35:28 -0800 |
| commit | c4b2813cc07a72ad7186347a2e003c01cf0d4fb0 (patch) | |
| tree | ef9e2991084139e649dc7f6d3ada0795789a55f0 /apps/web/app/api/share | |
| parent | fix: dynamically calculate detail panel equal split from current layout (diff) | |
| download | asa.news-c4b2813cc07a72ad7186347a2e003c01cf0d4fb0.tar.xz asa.news-c4b2813cc07a72ad7186347a2e003c01cf0d4fb0.zip | |
security: remove unsafe-eval CSP, fix host header injection, harden API routes
- Remove unsafe-eval from script-src CSP (not needed in production)
- Replace Host/Origin header fallback with NEXT_PUBLIC_APP_URL in share
and checkout routes to prevent host header injection
- Add .catch() to request.json() in share POST and PATCH routes
- Add rate limiting (3/min) to account deletion endpoint
Diffstat (limited to 'apps/web/app/api/share')
| -rw-r--r-- | apps/web/app/api/share/[token]/route.ts | 5 | ||||
| -rw-r--r-- | apps/web/app/api/share/route.ts | 26 |
2 files changed, 19 insertions, 12 deletions
diff --git a/apps/web/app/api/share/[token]/route.ts b/apps/web/app/api/share/[token]/route.ts index d1d57b5..20de1ae 100644 --- a/apps/web/app/api/share/[token]/route.ts +++ b/apps/web/app/api/share/[token]/route.ts @@ -48,7 +48,10 @@ export async function PATCH( } const { token } = await params - const body = await request.json() + const body = await request.json().catch(() => null) + if (!body || typeof body !== "object") { + return NextResponse.json({ error: "invalid request body" }, { status: 400 }) + } const rawNote = body.note let note: string | null = null diff --git a/apps/web/app/api/share/route.ts b/apps/web/app/api/share/route.ts index f330bd0..e1252bf 100644 --- a/apps/web/app/api/share/route.ts +++ b/apps/web/app/api/share/route.ts @@ -4,15 +4,10 @@ import { createSupabaseServerClient } from "@/lib/supabase/server" const MAX_NOTE_LENGTH = 1000 -function buildOrigin(request: Request): string { - if (process.env.NEXT_PUBLIC_APP_URL) { - return process.env.NEXT_PUBLIC_APP_URL.replace(/\/$/, "") - } - - return ( - request.headers.get("origin") ?? - `https://${request.headers.get("host")}` - ) +function getAppOrigin(): string | null { + const url = process.env.NEXT_PUBLIC_APP_URL + if (!url) return null + return url.replace(/\/$/, "") } export async function POST(request: Request) { @@ -37,7 +32,10 @@ export async function POST(request: Request) { Date.now() + expiryDays * 24 * 60 * 60 * 1000 ).toISOString() - const body = await request.json() + const body = await request.json().catch(() => null) + if (!body || typeof body !== "object") { + return NextResponse.json({ error: "invalid request body" }, { status: 400 }) + } const entryIdentifier = body.entryIdentifier as string const rawNote = body.note @@ -92,7 +90,13 @@ export async function POST(request: Request) { ) } - const origin = buildOrigin(request) + const origin = getAppOrigin() + if (!origin) { + return NextResponse.json( + { error: "application URL is not configured" }, + { status: 500 } + ) + } const { data: existingShare } = await supabaseClient .from("shared_entries") |