Skip to content

Commit 3fe78d3

Browse files
committed
security: add request body size limit to prevent DoS attacks
- Add 10MB limit to bodyParser for JSON and URL-encoded requests - Update security audit document to mark issue as resolved - This prevents memory exhaustion and DoS attacks via large request bodies
1 parent 28838cd commit 3fe78d3

2 files changed

Lines changed: 13 additions & 4 deletions

File tree

doc/develop/SECURITY-AUDIT.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -280,7 +280,7 @@ password: z
280280
281281
## 2. 中危漏洞
282282
283-
### 2.1 限流器使用内存存储
283+
### 2.1 限流器使用内存存储 (可以忽略)
284284
285285
**位置**: `server/middleware/limiter.ts:4-4`
286286
@@ -308,7 +308,7 @@ const limiter = new RateLimiterMemory({
308308
309309
---
310310
311-
### 2.2 缺少请求大小限制
311+
### 2.2 缺少请求大小限制 (已完成修复)
312312
313313
**位置**: `server/server.ts:38-39`
314314

server/server.ts

Lines changed: 11 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -35,8 +35,17 @@ app.use(rateLimiterMiddleware);
3535
app.use(passport.initialize());
3636

3737
// body parser
38-
app.use(bodyParser.urlencoded({ extended: false }));
39-
app.use(bodyParser.json());
38+
app.use(
39+
bodyParser.urlencoded({
40+
extended: false,
41+
limit: '10mb', // 设置合理的限制,防止内存耗尽攻击
42+
})
43+
);
44+
app.use(
45+
bodyParser.json({
46+
limit: '10mb', // 设置合理的限制,防止内存耗尽攻击
47+
})
48+
);
4049

4150
// CORS 配置 - 从数据库或环境变量读取 allowedOrigins
4251
// 当 credentials: true 时,不能使用 origin: '*',必须明确指定允许的 origin

0 commit comments

Comments
 (0)