# Simple express app (not finished yet)
14 messages · Page 1 of 1 (latest)
// Pattern from the original post, hoisted so both functions share it. It removes a
// backslash followed by two hex digits, C0/C1 control characters, \uXXXX escapes,
// the pipe and backtick characters, and any remaining lone backslash.
const ESCAPE_SEQUENCE_RE = /\\([0-9a-fA-F]{2})|[\x00-\x1F\x7F-\x9F]|\\u([0-9a-fA-F]{4})|[|`]|\\/g;

function stripEscapes(value) {
  return value.toString().replace(ESCAPE_SEQUENCE_RE, '');
}

function deepReplaceEscapeSequences(input) {
  if (Array.isArray(input)) {
    return input.map(deepReplaceEscapeSequences);
  } else if (input !== null && typeof input === 'object') {
    // typeof null === 'object', so null is excluded first: Object.keys(null) throws.
    return Object.keys(input).reduce((acc, key) => {
      acc[key] = deepReplaceEscapeSequences(input[key]);
      return acc;
    }, {});
  } else if (input !== undefined && input !== null) {
    return stripEscapes(input);
  } else {
    return input; // Return input as-is if it's undefined or null
  }
}

/**
 * Takes an input and performs various transformations based on its type
 * to ensure proper sanitization of the input by removing all potential escape characters!
 * @param {any} input - The input value to be transformed.
 * @return {any} - The transformed value.
 */
function s(input) {
  // Handle numeric input (a number is never a string, so the extra check is dropped)
  if (typeof input === 'number') {
    return Number(stripEscapes(input));
  }
  // Handle arrays and non-null objects
  if (Array.isArray(input) || (input !== null && typeof input === 'object')) {
    return deepReplaceEscapeSequences(input);
  }
  // Handle remaining primitives. The original `input !== undefined || null` test
  // let null through to .toString(), which throws; null is now returned unchanged.
  if (input !== undefined && input !== null) {
    input = stripEscapes(input);
  }
  return input;
}
Utilize these functions for sanitizing the data the user is passing, like their email and such, wherever you're calling this module:
https://github.com/vAndrewKarma/forum/blob/main/backend/src/services/user.service.ts
In this module, when you call createUser, sanitize the data with the function s();
this will help to protect the server from asic unicode and escape sequences and string literals and templates.
If this server is a localhost server, never mind, then you can ignore this advice...
But if it's a server that is allowing public clients to connect to it, I'd recommend it. Maybe include a buffer size check on requests and a header size check to prevent overflow attacks, and also, if you really wanna take an extra precaution, sanitize the headers before using them, using this s() function.
But your auth system is secure in a general sense. Once you add in these extra security precautions I mention, it will prevent an attacker from sending a certain infected message to instead make the server respond with its environment variables and such; this would allow access to those tokens, so once you implement the escape character injection protection you will be fine.
Whenever you declare a var like so:
  const data = JSON.parse(req.body);
  var a = data.id
this poses an injection risk within the const variable data, and also another injection from the var a = data.id.
So if you update to this:
  const data = JSON.parse(s(req.body));
  var a = s(data.id);
it will double sanitize the data, to ensure you really don't need to do the double check with the extra var a after sanitizing before parsing.
Also, you might need to stringify the object returned, as such:
  const data = JSON.parse(JSON.stringify(s(req.body)));
  var a = s(data.id);
This ensures we aren't injected from any variables or anything passed in the req.body of the server,
and no tokens can be leaked.
Now if you are calling any req.headers you should probably do the same thing.
Hi, thank you for your feedback. I understand what you are saying, your idea seems good. I want to use this app as a forum (not really a business or something, but something secure at least). What do you think, should I use it or should I rebuild the whole auth part using things such as auth0 or something like that?
Someone told me that I should use auth0, but I find it better for my portfolio to create my own auth system and handle all the security issues.
You could always implement some jsonwebtokens to improve your own authorization system!
But if you don't want to have to, I would go with what they recommended, auth0. They probably know more than me, I'm only a one-year developer in Node.js, more of a Java developer lol
Honestly, for schema validation on the incoming request body I would throw zod at it to allow it to do 3 things: 1. validate that the incoming data is of the right types; 2. cast any of the values, if needed, to the correct type (i.e. date string to Date object if needed); and 3. rip out any unexpected fields, lowering the attack vector for bad actors.
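Added example, not from the thread or the linked repository: a dependency-free sketch of the three steps this reply describes (type validation, casting, stripping unknown fields), written in plain Node.js so it runs without installing zod. The field names (email, username, password, birthDate) and their rules are assumptions about a createUser body, not the project's real schema.

```javascript
// Added example (not from the thread or the linked repository): a dependency-free
// stand-in for the zod pattern described above. Validate types, coerce where needed,
// strip unexpected fields. Field names and rules are assumptions, not the real schema.
const createUserSchema = {
  email:     { type: 'string', check: v => v.length <= 254 && /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(v) },
  username:  { type: 'string', check: v => /^[A-Za-z0-9_]{3,32}$/.test(v) },
  password:  { type: 'string', check: v => v.length >= 12 && v.length <= 256 },
  // Wire format is a string, domain type is a Date: coerce first, then check the result.
  birthDate: { type: 'string', optional: true, coerce: v => new Date(v), check: d => !Number.isNaN(d.getTime()) },
};

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function validateBody(schema, body) {
  // JSON.parse can yield null, arrays or primitives; only a plain object is acceptable.
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, errors: ['body must be a JSON object'], data: null, stripped: [] };
  }
  const errors = [];
  const data = {};
  for (const [field, rule] of Object.entries(schema)) {
    // Own properties only, so prototype members are never read as field values.
    const value = hasOwn(body, field) ? body[field] : undefined;
    if (value === undefined) {
      if (!rule.optional) errors.push(`${field}: required`);
      continue;
    }
    if (typeof value !== rule.type) { // 1. type check: reject, never silently rewrite
      errors.push(`${field}: expected ${rule.type}, got ${typeof value}`);
      continue;
    }
    const coerced = rule.coerce ? rule.coerce(value) : value; // 2. cast to the domain type
    if (rule.check && !rule.check(coerced)) {
      errors.push(`${field}: invalid value`);
      continue;
    }
    data[field] = coerced;
  }
  // 3. Anything not declared in the schema never reaches `data` (hasOwn, not `in`,
  // so a body key like "toString" is still reported as unexpected).
  const stripped = Object.keys(body).filter(k => !hasOwn(schema, k));
  return { ok: errors.length === 0, errors, data: errors.length === 0 ? data : null, stripped };
}

// Constructed sample body: a client tries to smuggle an isAdmin flag alongside valid fields.
const sampleBody = { email: 'alice@example.com', username: 'alice_01',
  password: 'correct horse battery', birthDate: '1990-05-04', isAdmin: true };
const sampleResult = validateBody(createUserSchema, sampleBody); // ok: true, stripped: ['isAdmin']
```

In a route handler the validated `data` object, not `req.body`, is what gets handed to createUser, and a non-ok result is answered with a 400 and the `errors` list.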