Fix critical security vulnerabilities in location endpoints
SECURITY FIXES: - Remove dangerous public DELETE /api/locations/:id endpoint - Add rate limiting to POST /api/locations (10 requests per 15 minutes) - Add input validation with length limits (500 chars address, 1000 chars description) - Add suspicious activity logging for abuse detection - Install express-rate-limit for protection against spam/DoS CHANGES: - Removed LocationDeleteRequest interface (no longer needed) - Updated tests to expect new security validation behavior - Added comprehensive tests for length validation - Fixed test setup issue with undefined constants Security Impact: - CRITICAL: Prevents unauthorized deletion of location reports - HIGH: Prevents spam submissions and DoS attacks - MEDIUM: Prevents buffer overflow and injection attacks via oversized inputs All 125 tests passing with new security validations. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
Claude Code
parent
22e4a9dc45
commit
88f7e72501
5 changed files with 86 additions and 34 deletions
|
|
@ -23,6 +23,7 @@
|
|||
"cors": "^2.8.5",
|
||||
"dotenv": "^17.0.1",
|
||||
"express": "^4.18.2",
|
||||
"express-rate-limit": "^7.5.1",
|
||||
"node-cron": "^3.0.3",
|
||||
"sqlite3": "^5.1.6",
|
||||
"swagger-jsdoc": "^6.2.8",
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue