fix(security): enforce explicit payload size limits and Zod max() constraints #242
Open
ShantelPeters wants to merge 1 commit into Calebux:main from
Conversation
…straints

## Problem

- express.json() was called without an explicit limit (defaulting to 100kb)
- No per-route overrides for endpoints with different payload profiles
- All Zod schemas lacked max() constraints on string fields
- Bulk endpoint had no cap on the number of IDs
- No structured 413 error response for oversized payloads

## Changes

### src/index.ts

- Set global JSON/urlencoded body limit to 10kb
- Per-route override: /api/audit → 100kb (batch audit events)
- Per-route override: /api/admin → 50kb (admin config payloads)
- Added global 4-argument error handler returning clean 413 JSON
- Fixed import ordering (moved mid-file imports to top)
- Fixed error handler placement (before app.listen())

### src/routes/subscriptions.ts

- createSubscriptionSchema: name max 100, description max 500, price max 1000000, category max 50, notes max 1000, URLs max 2000
- updateSubscriptionSchema: same limits on all optional fields
- bulkOperationSchema (new): ids array max 50, operation enum, data fields all bounded
- attachGiftCardSchema (new): giftCardHash max 256, provider max 100

### src/routes/webhooks.ts

- URL fields: .max(2000) + http/https refine
- events array: .max(6)
- description: max 255

### src/routes/merchants.ts

- createMerchantSchema: name max 100, description max 500, category max 50, URLs max 2000, email max 254, country max 2
- updateMerchantSchema: all fields partial

### src/routes/team.ts

- inviteSchema: email max 254 + format, role enum with default
- updateRoleSchema: role enum

### src/routes/audit.ts

- auditEventSchema: action/resource_type max 100, resource_id max 255, user_id/session_id max 128, status/severity enums
- auditBatchSchema: events array min 1, max 100

### tests/payload-limits.test.ts (new)

- 46 tests covering all acceptance criteria:
  - 413 responses for global 10kb, /api/audit 100kb, /api/admin 50kb
  - Zod schema max() enforcement for all route schemas

Closes: payload size limit security issue

Tests: 46 passed, 0 failed (new tests); 0 regressions in existing suite
CLOSES #144
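The two controls the PR describes, a byte limit on the request body with per-route overrides and max() bounds on parsed fields, written out as an added example. This is not code from PR #242 or from the Calebux repository: Express and Zod are replaced by plain functions so the logic runs stand-alone, and the names LIMITS, limitFor, readBody, validateBounds, bulkOperationRules and utf8 are assumed for illustration. The byte limits and the ids max of 50 are the values from the PR description.

```typescript
// Added example, not the PR's code. Express body parsing and Zod schemas are
// modelled as plain functions; names below are assumed for illustration.

interface LimitConfig {
  globalBytes: number;
  // route prefix -> byte limit, mirroring the PR's /api/audit and /api/admin overrides
  routeOverrides: Record<string, number>;
}

const LIMITS: LimitConfig = {
  globalBytes: 10 * 1024,
  routeOverrides: { "/api/audit": 100 * 1024, "/api/admin": 50 * 1024 },
};

// Longest matching path prefix wins, so /api/admin/config gets the admin limit
// while /api/auditor does not inherit the /api/audit override.
function limitFor(path: string, cfg: LimitConfig = LIMITS): number {
  let limit = cfg.globalBytes;
  let matched = -1;
  for (const [prefix, bytes] of Object.entries(cfg.routeOverrides)) {
    const hit = path === prefix || path.startsWith(prefix + "/");
    if (hit && prefix.length > matched) {
      limit = bytes;
      matched = prefix.length;
    }
  }
  return limit;
}

interface ReadResult {
  status: 200 | 413;
  body?: string;
  error?: { code: string; limit: number };
}

// The limit is enforced twice: on the declared Content-Length, so an obviously
// oversized request is refused before any byte is buffered, and on the bytes
// actually received, because the header may be absent (chunked transfer) or wrong.
function readBody(
  path: string,
  contentLength: number | undefined,
  chunks: Uint8Array[],
  cfg: LimitConfig = LIMITS,
): ReadResult {
  const limit = limitFor(path, cfg);
  const tooLarge = (): ReadResult => ({ status: 413, error: { code: "PAYLOAD_TOO_LARGE", limit } });
  if (contentLength !== undefined && contentLength > limit) return tooLarge();
  let received = 0;
  const parts: Uint8Array[] = [];
  for (const chunk of chunks) {
    received += chunk.length;
    if (received > limit) return tooLarge(); // stop buffering as soon as the limit is crossed
    parts.push(chunk);
  }
  const joined = new Uint8Array(received);
  let offset = 0;
  for (const p of parts) { joined.set(p, offset); offset += p.length; }
  return { status: 200, body: new TextDecoder().decode(joined) };
}

// Field bounds in the spirit of the PR's Zod .max() calls. A string max counts
// UTF-16 code units, as Zod's .max() and String.length do, not bytes.
type FieldRule =
  | { kind: "string"; max: number }
  | { kind: "array"; min?: number; max: number };

// ids max 50 is the PR's bulkOperationSchema value; notes max 1000 is its subscriptions value.
const bulkOperationRules: Record<string, FieldRule> = {
  ids: { kind: "array", min: 1, max: 50 },
  notes: { kind: "string", max: 1000 },
};

function validateBounds(rules: Record<string, FieldRule>, input: Record<string, unknown>): string[] {
  const errors: string[] = [];
  for (const [field, rule] of Object.entries(rules)) {
    const value = input[field];
    if (value === undefined) continue; // optional fields are bounded only when present
    if (rule.kind === "string") {
      if (typeof value !== "string") errors.push(`${field}: expected string`);
      else if (value.length > rule.max) errors.push(`${field}: longer than ${rule.max}`);
    } else {
      if (!Array.isArray(value)) errors.push(`${field}: expected array`);
      else if (value.length > rule.max) errors.push(`${field}: more than ${rule.max} items`);
      else if (rule.min !== undefined && value.length < rule.min) errors.push(`${field}: fewer than ${rule.min} items`);
    }
  }
  return errors;
}

// Helper for constructing sample bodies as raw bytes.
function utf8(s: string): Uint8Array {
  return new TextEncoder().encode(s);
}
```

In Express itself the body limit is applied by body-parser, which fails the request with an error whose `status` is 413 and whose `type` is `'entity.too.large'`; a 4-argument handler of the kind the PR adds should match on those and pass anything else to `next(err)` rather than turning every error into a 413. One thing worth confirming in src/index.ts, which this page does not show, is the mount order: a route-scoped `express.json({ limit: '100kb' })` for /api/audit must run before the global 10kb parser, since body-parser skips a request whose body has already been parsed and the global parser would otherwise have rejected the larger audit batch first.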