🛡️ : Security Enhancements (#1681)

* fix: sanitize HTTP params and do not send whole error objects backs

* fix: prevent path traversal

* fix: send custom error message for tokenizer route

* chore: handle info exposure vector

* chore(oauth): skip check due to false positive as oauth routes are rate-limited

* chore(app): disable `x-powered-by`

* chore: disable false positives or flagging of hardcoded secrets when they are fake values

* chore: add path traversal safety check

api/server/routes/__tests__/config.spec.js

@@ -1,7 +1,9 @@
 const request = require('supertest');
 const express = require('express');
 const routes = require('../');
+// file deepcode ignore UseCsurfForExpress/test: test
 const app = express();
+app.disable('x-powered-by');
 app.use('/api/config', routes.config);
 
 afterEach(() => {

api/server/routes/convos.js

@@ -1,14 +1,20 @@
 const express = require('express');
-const router = express.Router();
 const { getConvosByPage, deleteConvos } = require('~/models/Conversation');
 const requireJwtAuth = require('~/server/middleware/requireJwtAuth');
 const { getConvo, saveConvo } = require('~/models');
 const { logger } = require('~/config');
 
+const router = express.Router();
 router.use(requireJwtAuth);
 
 router.get('/', async (req, res) => {
-  const pageNumber = req.query.pageNumber || 1;
+  let pageNumber = req.query.pageNumber || 1;
+  pageNumber = parseInt(pageNumber, 10);
+
+  if (isNaN(pageNumber) || pageNumber < 1) {
+    return res.status(400).json({ error: 'Invalid page number' });
+  }
+
   res.status(200).send(await getConvosByPage(req.user.id, pageNumber));
 });
 
@@ -17,7 +23,7 @@ router.get('/:conversationId', async (req, res) => {
   const convo = await getConvo(req.user.id, conversationId);
 
   if (convo) {
-    res.status(200).send(convo);
+    res.status(200).json(convo);
   } else {
     res.status(404).end();
   }
@@ -39,10 +45,10 @@ router.post('/clear', async (req, res) => {
 
   try {
     const dbResponse = await deleteConvos(req.user.id, filter);
-    res.status(201).send(dbResponse);
+    res.status(201).json(dbResponse);
   } catch (error) {
     logger.error('Error clearing conversations', error);
-    res.status(500).send(error);
+    res.status(500).send('Error clearing conversations');
   }
 });
 
@@ -51,10 +57,10 @@ router.post('/update', async (req, res) => {
 
   try {
     const dbResponse = await saveConvo(req.user.id, update);
-    res.status(201).send(dbResponse);
+    res.status(201).json(dbResponse);
   } catch (error) {
     logger.error('Error updating conversation', error);
-    res.status(500).send(error);
+    res.status(500).send('Error updating conversation');
   }
 });
 

api/server/routes/files/images.js

@@ -1,4 +1,5 @@
 const { z } = require('zod');
+const path = require('path');
 const fs = require('fs').promises;
 const express = require('express');
 const upload = require('./multer');
@@ -39,7 +40,12 @@ router.post('/', upload.single('file'), async (req, res) => {
   } catch (error) {
     logger.error('[/files/images] Error processing file:', error);
     try {
-      await fs.unlink(file.path);
+      const filepath = path.join(
+        req.app.locals.paths.imageOutput,
+        req.user.id,
+        path.basename(file.filename),
+      );
+      await fs.unlink(filepath);
     } catch (error) {
       logger.error('[/files/images] Error deleting file:', error);
     }

api/server/routes/messages.js

@@ -36,7 +36,7 @@ router.put('/:conversationId/:messageId', validateMessageReq, async (req, res) =
   const { messageId, model } = req.params;
   const { text } = req.body;
   const tokenCount = await countTokens(text, model);
-  res.status(201).send(await updateMessage({ messageId, text, tokenCount }));
+  res.status(201).json(await updateMessage({ messageId, text, tokenCount }));
 });
 
 // DELETE

api/server/routes/oauth.js

@@ -1,3 +1,5 @@
+// file deepcode ignore NoRateLimitingForLogin: Rate limiting is handled by the `loginLimiter` middleware
+
 const passport = require('passport');
 const express = require('express');
 const router = express.Router();

api/server/routes/presets.js

@@ -5,27 +5,28 @@ const requireJwtAuth = require('~/server/middleware/requireJwtAuth');
 const { logger } = require('~/config');
 
 const router = express.Router();
+router.use(requireJwtAuth);
 
-router.get('/', requireJwtAuth, async (req, res) => {
+router.get('/', async (req, res) => {
   const presets = (await getPresets(req.user.id)).map((preset) => preset);
-  res.status(200).send(presets);
+  res.status(200).json(presets);
 });
 
-router.post('/', requireJwtAuth, async (req, res) => {
+router.post('/', async (req, res) => {
   const update = req.body || {};
 
   update.presetId = update?.presetId || crypto.randomUUID();
 
   try {
     const preset = await savePreset(req.user.id, update);
-    res.status(201).send(preset);
+    res.status(201).json(preset);
   } catch (error) {
     logger.error('[/presets] error saving preset', error);
-    res.status(500).send(error);
+    res.status(500).send('There was an error when saving the preset');
   }
 });
 
-router.post('/delete', requireJwtAuth, async (req, res) => {
+router.post('/delete', async (req, res) => {
   let filter = {};
   const { presetId } = req.body || {};
 
@@ -37,10 +38,10 @@ router.post('/delete', requireJwtAuth, async (req, res) => {
 
   try {
     const deleteCount = await deletePresets(req.user.id, filter);
-    res.status(201).send(deleteCount);
+    res.status(201).json(deleteCount);
   } catch (error) {
     logger.error('[/presets/delete] error deleting presets', error);
-    res.status(500).send(error);
+    res.status(500).send('There was an error deleting the presets');
   }
 });
 

api/server/routes/tokenizer.js

@@ -11,7 +11,7 @@ router.post('/', requireJwtAuth, async (req, res) => {
     res.send({ count });
   } catch (e) {
     logger.error('[/tokenizer] Error counting tokens', e);
-    res.status(500).send(e.message);
+    res.status(500).json('Error counting tokens');
   }
 });