| META_TITLE_MAX: 70, | ||
| META_DESC_MAX: 160, | ||
| KEYWORD_MAX: 10, | ||
| URL_PATTERN: /^(https?:\/\/)?([\da-z.-]+)\.([a-z.]{2,6})([\/\w .-]*)*\/?$/ |
Check failure
Code scanning / CodeQL
Inefficient regular expression High
Copilot Autofix
AI 5 months ago
The fix is to refactor the problematic [\/\w .-]* character class to remove ambiguity that leads to excessive backtracking. In this regex, [\/\w .-]* allows for spaces, dots, dashes, slashes, and word characters (alphanumeric plus underscore). To avoid inefficient matching, it is often best to restrict the set to characters that do not overlap in meaning or combine with alternation. For URL paths, a more robust pattern is [^\s]* or [A-Za-z0-9\/_.-]*, which excludes spaces (as URLs rarely contain them) and avoids poorly performing ambiguous branches.
How to fix:
- On line 8 (`SEO_CONSTRAINTS.URL_PATTERN`), replace `[\/\w .-]*` with `[A-Za-z0-9\/_.-]*` or `[A-Za-z0-9\/_.-]*` (remove the space and combine word chars with dots and dashes explicitly).
- This change is isolated to line 8 in `models/seoSchema.js`.
- No new imports or method definitions are required.
| @@ -5,7 +5,7 @@ | ||
| META_TITLE_MAX: 70, | ||
| META_DESC_MAX: 160, | ||
| KEYWORD_MAX: 10, | ||
| URL_PATTERN: /^(https?:\/\/)?([\da-z.-]+)\.([a-z.]{2,6})([\/\w .-]*)*\/?$/ | ||
| URL_PATTERN: /^(https?:\/\/)?([\da-z.-]+)\.([a-z.]{2,6})([A-Za-z0-9\/_.-]*)*\/?$/ | ||
| }; | ||
|
|
||
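Review bot: the `+` line keeps the nested quantifier, `([A-Za-z0-9\/_.-]*)*`, a star applied to a group that is itself star-quantified, which is the ambiguity CodeQL reports on the `-` line; removing the space from the class does not remove it. Drop the outer `*` (and the now-pointless group) so the path part reads `[A-Za-z0-9\/_.-]*`, which accepts exactly the same strings without the backtracking. Note also that `[A-Za-z0-9\/_.-]` is the same set as `[\w\/.-]`, so the only behavioural change in this hunk is that spaces are no longer accepted in the path; the host part `([\da-z.-]+)\.([a-z.]{2,6})` still lets `.` match in two adjacent classes, a smaller overlap worth flattening in the same pass.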
| const SocialMediaSchema = new mongoose.Schema({ |
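As an added example (not the repository's code and not the Copilot suggestion): the same character class the autofix proposes, but with the outer star removed so no quantifier wraps another quantified group, wrapped in a validator that also bounds input length. `SAFE_URL_PATTERN`, `MAX_URL_LENGTH`, `isValidUrl` and the sample inputs are assumptions made here, not names from the PR.

```javascript
// Added example: URL_PATTERN rewritten so no quantifier wraps another
// quantified group. The character class is the one the autofix proposes;
// the structural change is dropping the outer "*" around the path part.
const SAFE_URL_PATTERN = /^(https?:\/\/)?[\da-z.-]+\.[a-z.]{2,6}[A-Za-z0-9\/_.-]*\/?$/;

// Assumed bound (not from the PR): reject very long inputs before matching
// so the validator's cost stays proportional to a small, known input size.
const MAX_URL_LENGTH = 2048;

// Returns true when the value looks like an http(s) URL or a bare host
// with an optional path, per the pattern above.
function isValidUrl(value) {
  if (typeof value !== 'string' || value.length > MAX_URL_LENGTH) {
    return false;
  }
  return SAFE_URL_PATTERN.test(value);
}

// Constructed sample inputs (not from the PR) covering accept and reject cases.
const SAMPLES = [
  ['https://example.com/services/seo-page', true],
  ['example.com', true],
  ['http://exa mple.com', false], // spaces are no longer accepted
  ['ftp://example.com', false],   // scheme is not http(s)
  ['a'.repeat(3000), false],      // over the length bound
];

for (const [input, expected] of SAMPLES) {
  const label = isValidUrl(input) === expected ? 'ok  ' : 'FAIL';
  console.log(label, JSON.stringify(input.slice(0, 40)));
}
```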
| router.get('/services/:id/structured-data', getStructuredData); | ||
|
|
||
| // Protected routes (require authentication and admin role) | ||
| router.use(protect); |
Check failure
Code scanning / CodeQL
Missing rate limiting High
Copilot Autofix
AI 5 months ago
To fix the problem, we should add a rate limiting middleware to the routes that require protection, particularly on the sensitive PUT operation. The industry-standard solution is to use the express-rate-limit package, which can be installed as a dependency. The best way to implement this without changing existing functionality is to import (require) express-rate-limit, define a suitable rate limiter (for example, allow a maximum number of requests per user within a time window), and apply it to the sensitive route(s).
Specifically:
- Add `const rateLimit = require('express-rate-limit');` at the top of the file.
- Define a limiter (e.g., 100 requests per 15 minutes).
- Apply the limiter to the `router.put('/services/:id/seo', ...)` route, right before the validation/auth handlers.
- The rest of the router code remains unchanged.
| @@ -1,9 +1,18 @@ | ||
| const express = require('express'); | ||
| const router = express.Router(); | ||
| const rateLimit = require('express-rate-limit'); | ||
| const { updateSeo, getSeo, getStructuredData } = require('../controllers/seoController'); | ||
| const validateSeoData = require('../middleware/seoValidator'); | ||
| const { protect, authorize } = require('../middleware/auth'); | ||
|
|
||
| // Define rate limiter for protected routes | ||
| const limiter = rateLimit({ | ||
| windowMs: 15 * 60 * 1000, // 15 minutes | ||
| max: 100, // limit each IP to 100 requests per windowMs | ||
| standardHeaders: true, | ||
| legacyHeaders: false, | ||
| }); | ||
|
|
||
| // Public routes | ||
| router.get('/services/:id/seo', getSeo); | ||
| router.get('/services/:id/structured-data', getStructuredData); | ||
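Review bot: the limiter defined here keys on the client IP by default (the comment on the `max` line says as much), and when the app runs behind a proxy or platform edge, every request carries the proxy's address unless Express's `trust proxy` setting is configured. In that case express-rate-limit either counts all clients against one bucket or, in current versions, logs a validation error about an `X-Forwarded-For` header it has not been told to trust. The app setup is not in this hunk, so please confirm `trust proxy` is set appropriately before relying on this limiter for anything security-relevant.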
| @@ -11,6 +16,6 @@ | ||
| // Protected routes (require authentication and admin role) | ||
| router.use(protect); | ||
|
|
||
| router.put('/services/:id/seo', validateSeoData, updateSeo); | ||
| router.put('/services/:id/seo', limiter, validateSeoData, updateSeo); | ||
|
|
||
| module.exports = router; |
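Review bot: `limiter` is placed after `router.use(protect)` in the chain, so requests that fail authentication are rejected by `protect` before they are ever counted; if the intent is to throttle credential or token guessing against the admin routes, the limiter has to run first (for example `router.use(limiter)` ahead of `router.use(protect)`, or the `router.put('/services/:id/seo', limiter, ...)` line moved above `router.use(protect)`). Separately, the context comment says these routes require an admin role, but the visible lines apply only `protect`; `authorize` is imported in the first hunk and never used on the PUT route, so either add the role check with `authorize` or correct the comment.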