signal-works/ice
1
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

Fix critical security vulnerabilities in location endpoints

Browse source 
SECURITY FIXES:
- Remove dangerous public DELETE /api/locations/:id endpoint
- Add rate limiting to POST /api/locations (10 requests per 15 minutes)
- Add input validation with length limits (500 chars address, 1000 chars description)
- Add suspicious activity logging for abuse detection
- Install express-rate-limit for protection against spam/DoS

CHANGES:
- Removed LocationDeleteRequest interface (no longer needed)
- Updated tests to expect new security validation behavior
- Added comprehensive tests for length validation
- Fixed test setup issue with undefined constants

Security Impact:
- CRITICAL: Prevents unauthorized deletion of location reports
- HIGH: Prevents spam submissions and DoS attacks
- MEDIUM: Prevents buffer overflow and injection attacks via oversized inputs

All 125 tests passing with new security validations.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
Claude Code 2025-07-05 21:54:23 -04:00
parent 22e4a9dc45
commit 88f7e72501
5 changed files with 86 additions and 34 deletions
Download patch file Download diff file Expand all files Collapse all files

16
package-lock.json generated
View file

@ -13,6 +13,7 @@
"cors": "^2.8.5",
"dotenv": "^17.0.1",
"express": "^4.18.2",
"express-rate-limit": "^7.5.1",
"node-cron": "^3.0.3",
"sqlite3": "^5.1.6",
"swagger-jsdoc": "^6.2.8",
@ -3674,6 +3675,21 @@
"url": "https://opencollective.com/express"
}
},
"node_modules/express-rate-limit": {
"version": "7.5.1",
"resolved": "https://registry.npmjs.org/express-rate-limit/-/express-rate-limit-7.5.1.tgz",
"integrity": "sha512-7iN8iPMDzOMHPUYllBEsQdWVB6fPDMPqwjBaFrgr4Jgr/+okjvzAy+UHlYYL/Vs0OsOrMkwS6PJDkFlJwoxUnw==",
"license": "MIT",
"engines": {
"node": ">= 16"
},
"funding": {
"url": "https://github.com/sponsors/express-rate-limit"
},
"peerDependencies": {
"express": ">= 4.11"
}
},
"node_modules/fast-json-stable-stringify": {
"version": "2.1.0",
"resolved": "https://registry.npmjs.org/fast-json-stable-stringify/-/fast-json-stable-stringify-2.1.0.tgz",