Update /checkout.js with issue #963 from AppSec Hack Pod #972
Key Improvements to the POST create-checkout-session request handler:
Origin Validation: Validates the Origin header against a list of trusted domains. Requests from untrusted origins are rejected with a 403 Forbidden response. The list must be hardcoded, kept in config files, or stored in the DB (Line 55).
Error Handling: Catches validation errors and any unexpected errors to provide meaningful responses to the client while logging them for debugging.
Secure Logging: Avoids logging sensitive data. Logs only the origin if it’s valid, and logs warnings for untrusted origins.
Key Improvements to sessionSchema for least privilege:
Donation limit: The donation is capped at a reasonable value (max(10000)), reducing the risk of abuse from excessive amounts.
Scoped user object: We are limiting the user field to just an email address (instead of allowing any arbitrary data structure). This limits the amount of user data passed into the session.
Error messages: Explicit error messages are provided to make validation clearer for users without revealing too much information.
Letter size: The max length for the letter is reduced from 500 to 300 characters, limiting the potential impact of large data inputs.
Strict schema: By adding .unknown(false), we ensure that no extraneous data is accepted, enforcing stricter input control for least privilege.
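The origin check and the least-privilege schema described above, written out as an added example that is not the PR's own code. It hand-rolls the checks instead of using Joi so it runs with plain Node.js; the trusted-origin list is hypothetical, and a positive donation minimum and an optional letter are assumptions the PR text does not state.

```javascript
// Added example, not the PR's code: hand-rolled checks mirroring the described
// sessionSchema and origin validation (no Joi). Trusted origins are hypothetical.
const TRUSTED_ORIGINS = ['https://donate.example.org', 'https://www.example.org'];
const ALLOWED_KEYS = new Set(['donation', 'user', 'letter']);
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
// Exact match on scheme://host[:port]; malformed or unlisted origins fail closed.
function isTrustedOrigin(originHeader) {
  if (typeof originHeader !== 'string') return false;
  let parsed;
  try { parsed = new URL(originHeader); } catch { return false; }
  return parsed.origin === originHeader && TRUSTED_ORIGINS.includes(parsed.origin);
}
// Schema from the PR: donation <= 10000 (positive assumed), user = { email } only, letter <= 300 (optional assumed), no unknown keys.
function validateSession(body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, errors: ['request body must be an object'] };
  }
  const errors = [];
  for (const key of Object.keys(body)) {
    if (!ALLOWED_KEYS.has(key)) errors.push(`"${key}" is not allowed`);
  }
  const { donation, user, letter } = body;
  if (typeof donation !== 'number' || !(donation > 0) || donation > 10000) {
    errors.push('"donation" must be a number greater than 0 and at most 10000');
  }
  if (user === null || typeof user !== 'object' || Array.isArray(user)) {
    errors.push('"user" must be an object');
  } else if (Object.keys(user).some((k) => k !== 'email')) {
    errors.push('"user" may only contain "email"');
  } else if (typeof user.email !== 'string' || !EMAIL_RE.test(user.email)) {
    errors.push('"user.email" must be a valid email address');
  }
  if (letter !== undefined && (typeof letter !== 'string' || letter.length > 300)) {
    errors.push('"letter" must be a string of at most 300 characters');
  }
  if (errors.length) return { ok: false, errors };
  return { ok: true, value: { donation, user: { email: user.email }, letter } }; // only whitelisted fields survive
}
// Framework-agnostic handler: 403 for untrusted origins, 400 for schema errors; only the origin is logged, never the body.
function handleCreateCheckoutSession(req) {
  const origin = req.headers && req.headers.origin;
  if (!isTrustedOrigin(origin)) {
    console.warn(`untrusted origin rejected: ${JSON.stringify(String(origin))}`);
    return { status: 403, body: { error: 'Forbidden' } };
  }
  const result = validateSession(req.body);
  if (!result.ok) return { status: 400, body: { errors: result.errors } };
  console.log(`checkout session requested from ${origin}`);
  return { status: 200, body: { session: result.value } };
}
```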