Enhance security and validation across multiple routes:

- Escape XML and HTML special characters to prevent injection attacks. - Implement rate limiting for various endpoints to mitigate abuse. - Add validation for email formats, password lengths, and field limits. - Ensure proper access control for recordings and room management.
2026-02-28 19:49:29 +01:00
parent 616442a82a
commit 7466f3513d
10 changed files with 398 additions and 47 deletions
--- a/server/routes/admin.js
+++ b/server/routes/admin.js
@@ -3,6 +3,8 @@ import bcrypt from 'bcryptjs';
 import { getDb } from '../config/database.js';
 import { authenticateToken, requireAdmin } from '../middleware/auth.js';

+const EMAIL_RE = /^[^\s@]{1,64}@[^\s@]{1,253}\.[^\s@]{2,}$/;
+
 const router = Router();

 // POST /api/admin/users - Create user (admin)
@@ -14,13 +16,23 @@ router.post('/users', authenticateToken, requireAdmin, async (req, res) => {
      return res.status(400).json({ error: 'All fields are required' });
    }

+    // L4: display_name length limit
+    if (display_name.length > 100) {
+      return res.status(400).json({ error: 'Display name must not exceed 100 characters' });
+    }
+
    const usernameRegex = /^[a-zA-Z0-9_-]{3,30}$/;
    if (!usernameRegex.test(name)) {
      return res.status(400).json({ error: 'Username may only contain letters, numbers, _ and - (3–30 chars)' });
    }

-    if (password.length < 6) {
-      return res.status(400).json({ error: 'Password must be at least 6 characters long' });
+    if (password.length < 8) {
+      return res.status(400).json({ error: 'Password must be at least 8 characters long' });
+    }
+
+    // M9: email format validation
+    if (!EMAIL_RE.test(email)) {
+      return res.status(400).json({ error: 'Invalid email address' });
    }

    const validRole = ['user', 'admin'].includes(role) ? role : 'user';
@@ -131,8 +143,8 @@ router.delete('/users/:id', authenticateToken, requireAdmin, async (req, res) =>
 router.put('/users/:id/password', authenticateToken, requireAdmin, async (req, res) => {
  try {
    const { newPassword } = req.body;
-    if (!newPassword || newPassword.length < 6) {
-      return res.status(400).json({ error: 'Password must be at least 6 characters long' });
+    if (!newPassword || typeof newPassword !== 'string' || newPassword.length < 8) {
+      return res.status(400).json({ error: 'Password must be at least 8 characters long' });
    }

    const db = getDb();