fix: prevent DoS on search endpoint via query length limit and input validation#1954
Open
fennhelloworld wants to merge 2 commits into
Conversation
added 2 commits
May 30, 2026 11:15
- Add admin role middleware (SecureBananaLabs#1770): admin routes now require admin role
- Add auth to upload routes (SecureBananaLabs#1771): unauthenticated uploads blocked
- Add auth to payment routes (SecureBananaLabs#1772): unauthenticated payments blocked
- Add user input validation (SecureBananaLabs#1773): Zod schema for user creation
- Configure CORS origin from env (SecureBananaLabs#1774): no longer wide open
- Add auth to job creation (SecureBananaLabs#1776): unauthenticated job posts blocked
- Add search query length limit (SecureBananaLabs#1777): prevent long query DoS
…validation (SecureBananaLabs#1781)
- Add Zod-based query validation (max 200 chars, safe chars only)
- Reject regex metacharacters (\*+{}()[]|^$) that enable ReDoS
- Add dedicated search rate limiter (20 req/min per IP)
- Add generic validateQuery middleware for reuse
- Add defense-in-depth sanitizeSearchQuery function
- Add comprehensive test suite (7 tests)

Vulnerability: The search endpoint previously had no input validation. An attacker could send arbitrarily long query strings to exhaust server memory, or inject regex metacharacters that could cause catastrophic backtracking (ReDoS) when the search service implements regex-based matching. The silent .slice() truncation still required the full string to be parsed by Express.

Fixes SecureBananaLabs#1781
Fix for #1781: Prevent DoS on Search Endpoint
Vulnerability
The GET /api/search endpoint had no input validation or query length limit, allowing DoS attacks:
- .slice(0, 200) silently truncated the output but still required Express to parse and allocate memory for the entire string.
- Regex metacharacters (\, *, +, {, }, (, ), [, ], |, ^, $). If the search service later implements regex-based matching, these could trigger catastrophic backtracking.

Changes
- validators/search.js: sanitizeSearchQuery() defense-in-depth function
- middleware/validate.js: validateQuery() middleware for Zod schema validation on query params
- middleware/searchRateLimit.js
- routes/searchRoutes.js: searchLimiter → validateQuery → search middleware chain; factory pattern for fresh limiter instances
- controllers/searchController.js: .slice() truncation replaced with sanitizeSearchQuery() (defense-in-depth after validation)
- app.js: createSearchRoutes() factory
- tests/search.test.js

Test Results
Defense Layers
Fixes #1781
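The middleware chain the PR describes (searchLimiter → validateQuery → search, with sanitizeSearchQuery as defense in depth after validation), rebuilt as an added, dependency-free example that is not the PR's own code and not taken from the SecureBananaLabs repository. The Zod schema is stood in for by a hand-written validateSearchQuery() so the block runs under plain Node without npm packages; the "safe chars" set, MAX_QUERY_LEN, createSearchLimiter, searchQueryGuard, searchController, runChain and the mock req/res objects are all assumptions made for illustration, as are the sample queries.

```javascript
// Added example (not the PR's code): the searchLimiter -> validateQuery -> search chain
// rebuilt without dependencies so it runs under plain Node. The Zod schema is replaced
// by validateSearchQuery(); all names and the "safe chars" set are assumptions.
const MAX_QUERY_LEN = 200;

// Metacharacters the PR rejects: any of these lets a query drive catastrophic
// backtracking if it is ever interpolated into a RegExp.
const REGEX_META = /[\\*+{}()\[\]|^$]/;

// Assumed "safe chars": Unicode letters/digits, space and light punctuation.
const SAFE_CHARS = /^[\p{L}\p{N} _.,'"-]*$/u;

function validateSearchQuery(q) {
  // Express's qs parser turns ?q=a&q=b into an array; reject that instead of coercing it.
  if (typeof q !== 'string') return { ok: false, error: 'q must be a single string' };
  if (q.length === 0) return { ok: false, error: 'q is required' };
  // Reject over-long input rather than silently truncating it.
  if (q.length > MAX_QUERY_LEN) return { ok: false, error: `q exceeds ${MAX_QUERY_LEN} chars` };
  if (REGEX_META.test(q)) return { ok: false, error: 'q contains regex metacharacters' };
  if (!SAFE_CHARS.test(q)) return { ok: false, error: 'q contains disallowed characters' };
  return { ok: true, value: q };
}

// Defense in depth for the controller: strip everything a RegExp would interpret
// (deliberately wider than the validator, so it also covers '?' and '.') and cap length.
function sanitizeSearchQuery(q) {
  return String(q).slice(0, MAX_QUERY_LEN).replace(/[\\*+?{}()\[\]|^$.]/g, '');
}

// validateQuery-style middleware: fail closed with 400 before the controller runs.
function searchQueryGuard(req, res, next) {
  const result = validateSearchQuery(req.query && req.query.q);
  if (!result.ok) {
    res.status(400).json({ error: result.error });
    return;
  }
  req.validatedQuery = result.value;
  next();
}

// Factory for a fixed-window per-IP limiter (20 req/min by default). Each call returns a
// fresh instance with its own counters, and `now` is injectable so tests are deterministic.
// A production limiter would also evict stale IPs; this in-memory Map only grows.
function createSearchLimiter({ windowMs = 60_000, max = 20, now = Date.now } = {}) {
  const hits = new Map(); // ip -> { windowStart, count }
  return function searchLimiter(req, res, next) {
    const t = now();
    const entry = hits.get(req.ip);
    if (!entry || t - entry.windowStart >= windowMs) {
      hits.set(req.ip, { windowStart: t, count: 1 });
      next();
      return;
    }
    entry.count += 1;
    if (entry.count > max) {
      res.status(429).json({ error: 'too many search requests' });
      return;
    }
    next();
  };
}

// Controller stand-in: sanitizes again even though the guard already validated.
function searchController(req, res) {
  const q = sanitizeSearchQuery(req.validatedQuery);
  res.status(200).json({ q, results: [] });
}

// Runs a middleware chain against a constructed req with a minimal mock res
// (no real Express involved); returns what the client would have received.
function runChain(middlewares, req) {
  const res = {
    statusCode: 200,
    body: null,
    status(code) { this.statusCode = code; return this; },
    json(body) { this.body = body; return this; },
  };
  let i = 0;
  const next = () => {
    const mw = middlewares[i++];
    if (mw) mw(req, res, next);
  };
  next();
  return { status: res.statusCode, body: res.body };
}

// Stand-alone run: a benign query, a ReDoS-shaped query and an over-long one (constructed inputs).
if (typeof require !== 'undefined' && require.main === module) {
  const chain = [createSearchLimiter(), searchQueryGuard, searchController];
  for (const q of ['zero day', '(a+)+$', 'a'.repeat(201)]) {
    console.log(JSON.stringify(runChain(chain, { ip: '203.0.113.7', query: { q } })));
  }
}
```

The guard runs after the limiter on purpose: a flood of malformed queries still burns the attacker's per-IP budget, and the controller re-sanitizes so a future route that forgets validateQuery still never hands raw metacharacters to a regex-based search.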