fix security flaws

Rupeshiya · Rupeshiya · commit 51faa6e029aa · 2020-08-23T16:00:44.000+05:30
diff --git a/app.js b/app.js
@@ -8,7 +8,11 @@ const socket = require('socket.io')
 const multer = require('multer')
 const bodyParser = require('body-parser')
 const cors = require('cors')
+const helmet = require('helmet')
+const hpp = require('hpp')
 var winston = require('./config/winston')
+const rateLimiter = require('./app/middleware/rateLimiter')
+const sanitizer = require('./app/middleware/sanitise')
 const fileConstants = require('./config/fileHandlingConstants')
 
 const indexRouter = require('./app/routes/index')
@@ -31,6 +35,7 @@ const server = require('http').Server(app)
 app.use(cors())
 
 app.use(bodyParser.json({ limit: '200mb' }))
+app.use(cookieParser())
 app.use(bodyParser.urlencoded(fileConstants.fileParameters))
 
 const memoryStorage = multer.memoryStorage()
@@ -72,6 +77,23 @@ app.use((req, res, next) => {
   next()
 })
 
+// TO PREVENT DOS ATTACK AND RATE LIMITER
+app.use(rateLimiter.customRateLimiter)
+
+// TO PREVENT XSS ATTACK
+app.use(sanitizer.cleanBody)
+app.use(helmet())
+
+// TO PREVENT CLICK JACKING
+app.use((req, res, next) => {
+  res.append('X-Frame-Options', 'Deny')
+  res.set('Content-Security-Policy', "frame-ancestors 'none';")
+  next()
+})
+
+// TO PREVENT THE QUERY PARAMETER POLLUTION
+app.use(hpp())
+
 app.use('/notification', notificationRouter)
 app.use('/', indexRouter)
 app.use('/auth', authRouter)
@@ -104,7 +126,7 @@ app.use(function (err, req, res, next) {
 
   // render the error page
   res.status(err.status || 500)
-  res.render('error')
+  res.render('error', { csrfToken: req.csrfToken() })
 
   // Socket event error handler (On max event)
   req.io.on('error', function (err) {
diff --git a/app/controllers/auth.js b/app/controllers/auth.js
@@ -4,8 +4,8 @@ const activityHelper = require('../utils/activity-helper')
 
 module.exports = {
   authenticateUser: async (req, res, next) => {
-    const email = req.body.email
-    const password = req.body.password
+    const email = escape(req.body.email)
+    const password = escape(req.body.password)
     try {
       const user = await User.findByCredentials(email, password)
       const token = await user.generateAuthToken()
diff --git a/app/controllers/user.js b/app/controllers/user.js
@@ -45,7 +45,8 @@ module.exports = {
       // create redis db for activity for the user
       const activity = new Activity({ userId: data._id })
       await activity.save()
-
+      // hide password
+      user.password = undefined
       return res.status(HttpStatus.CREATED).json({ user: user, token: token })
     } catch (error) {
       return res.status(HttpStatus.NOT_ACCEPTABLE).json({ error: error })
@@ -81,6 +82,9 @@ module.exports = {
       if (!user) {
         return res.status(HttpStatus.NOT_FOUND).json({ msg: 'No such user exist!' })
       }
+      // hide password and tokens
+      user.password = undefined
+      user.tokens = []
       return res.status(HttpStatus.OK).json({ user })
     } catch (error) {
       HANDLER.handleError(res, error)
@@ -94,6 +98,7 @@ module.exports = {
       'phone',
       'info',
       'about',
+      'socialMedia',
       'isDeactivated'
     ]
     // added control as per org settings
@@ -118,6 +123,9 @@ module.exports = {
         user[update] = req.body[update]
       })
       await user.save()
+      // hide password and tokens
+      user.password = undefined
+      user.tokens = []
       return res.status(HttpStatus.OK).json({ data: user })
     } catch (error) {
       return res.status(HttpStatus.BAD_REQUEST).json({ error })
@@ -308,6 +316,9 @@ module.exports = {
         .populate('followers', ['name.firstName', 'name.lastName', 'info.about.designation', '_id', 'isAdmin'])
         .populate('blocked', ['name.firstName', 'name.lastName', 'info.about.designation', '_id', 'isAdmin'])
         .exec()
+      // hide password and tokens
+      userData.password = undefined
+      userData.tokens = []
       return res.status(HttpStatus.OK).json({ user: userData })
     } catch (error) {
       HANDLER.handleError(res, error)
@@ -358,6 +369,9 @@ module.exports = {
         .populate('followers', ['name.firstName', 'name.lastName', 'info.about.designation', '_id', 'isAdmin'])
         .populate('blocked', ['name.firstName', 'name.lastName', 'info.about.designation', '_id', 'isAdmin'])
         .exec()
+      // hide password and tokens
+      userData.password = undefined
+      userData.tokens = []
       return res.status(HttpStatus.OK).json({ user: userData })
     } catch (error) {
       HANDLER.handleError(res, error)
@@ -404,6 +418,9 @@ module.exports = {
         if (unblockIndex !== -1) {
           user.blocked.splice(unblockIndex, 1)
           await user.save()
+          // hide password and tokens
+          user.password = undefined
+          user.tokens = []
           return res.status(HttpStatus.OK).json({ user })
         }
         return res.status(HttpStatus.NOT_FOUND).json({ user })
@@ -441,6 +458,9 @@ module.exports = {
       }
       user.isRemoved = true
       await user.save()
+      // hide password and tokens
+      user.password = undefined
+      user.tokens = []
       return res.status(HttpStatus.OK).json({ user })
     } catch (error) {
       HANDLER.handleError(res, error)
@@ -451,6 +471,9 @@ module.exports = {
     try {
       req.user.isActivated = !req.user.isActivated
       const user = await req.user.save()
+      // hide password and tokens
+      user.password = undefined
+      user.tokens = []
       return res.status(HttpStatus.OK).json({ user })
     } catch (error) {
       HANDLER.handleError(error)
diff --git a/app/middleware/rateLimiter.js b/app/middleware/rateLimiter.js
@@ -0,0 +1,81 @@
+const redis = require('../../config/redis')
+const redisClient = redis.redisClient
+const moment = require('moment')
+const WINDOW_SIZE_IN_HOURS = 24
+const MAX_WINDOW_REQUEST_COUNT = 100
+const WINDOW_LOG_INTERVAL_IN_HOURS = 1
+
+module.exports = {
+  customRateLimiter: (req, res, next) => {
+    try {
+      // check if redis exists
+      if (!redisClient) {
+        throw new Error('RedisClient not found on the server')
+      }
+      // if exists check if request made earlier from same ip
+      redisClient.get(req.ip, (err, reply) => {
+        if (err) {
+          console.log('Error in fetching data from redis', err)
+        }
+        const currentRequestTime = moment()
+        // if no reply from redis then store the users request to the server in redis
+        if (reply === null) {
+          const newRecord = []
+          const info = {
+            requestTimeStamp: currentRequestTime.unix(),
+            requestCount: 1
+          }
+          newRecord.unshift(info)
+          // set to redis => ip => [{ requestTimeStamp, requestCount }]
+          redisClient.set(req.ip, JSON.stringify(newRecord))
+          next()
+        }
+
+        // if record is found, parse it's value and calculate number of requests users has made within the last window
+        const data = JSON.parse(reply)
+
+        const windowStartTimestamp = moment()
+          .subtract(WINDOW_SIZE_IN_HOURS, 'hours')
+          .unix()
+
+        const requestsWithinWindow = data.filter(entry => {
+          return entry.requestTimeStamp > windowStartTimestamp
+        })
+
+        const totalWindowRequestsCount = requestsWithinWindow.reduce((accumulator, entry) => {
+          return accumulator + entry.requestCount
+        }, 0)
+
+        // if number of requests made is greater than or equal to the desired maximum, return error
+        if (totalWindowRequestsCount >= MAX_WINDOW_REQUEST_COUNT) {
+          return res.status(429).json({
+            error: `You have exceeded the ${MAX_WINDOW_REQUEST_COUNT} requests in ${WINDOW_SIZE_IN_HOURS} hrs limit!`
+          })
+        } else {
+          // if number of requests made is less than allowed maximum, log new entry
+          const lastRequestLog = data[data.length - 1]
+          const potentialCurrentWindowIntervalStartTimeStamp = currentRequestTime
+            .subtract(WINDOW_LOG_INTERVAL_IN_HOURS, 'hours')
+            .unix()
+
+          //  if interval has not passed since last request log, increment counter
+          if (lastRequestLog.requestTimeStamp > potentialCurrentWindowIntervalStartTimeStamp) {
+            lastRequestLog.requestCount++
+            data[data.length - 1] = lastRequestLog
+          } else {
+            //  if interval has passed, log new entry for current user and timestamp
+            data.unshift({
+              requestTimeStamp: currentRequestTime.unix(),
+              requestCount: 1
+            })
+          }
+          redisClient.set(req.ip, JSON.stringify(data))
+          next()
+        }
+      })
+    } catch (error) {
+      console.log('Error in rateLimiter', error)
+      next(error)
+    }
+  }
+}
diff --git a/app/middleware/sanitise.js b/app/middleware/sanitise.js
@@ -0,0 +1,7 @@
+const sanitize = require('mongo-sanitize')
+module.exports = {
+  cleanBody: (req, res, next) => {
+    req.body = sanitize(req.body)
+    next()
+  }
+}
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
