hermes - 💡(How to fix) Fix security(server): prevent potential ReDoS in username validation [1 participants]

TL;DR

Migrate route input validation from manual regexes to Zod schemas to avoid potential Regular Expression Denial of Service (ReDoS) vulnerabilities.

Guidance

• Identify all instances of manual regex validation in route handlers, such as the /api/users endpoint, and replace them with Zod schema validations.
• Use Zod's built-in string validation methods, like z.string().min(3).max(15).regex(/^[a-zA-Z0-9]+$/), to define validation rules for usernames.
• Consider creating a centralized validation schema for user input to ensure consistency across all endpoints.
• Review the Zod documentation to understand how to integrate it with your existing route handlers and error handling mechanisms.

Example

import { z } from 'zod';

const usernameSchema = z.string().min(3).max(15).regex(/^[a-zA-Z0-9]+$/);
const userSchema = z.object({ username: usernameSchema });

// Example usage in a route handler
app.post('/api/users', (req, res) => {
  const userInput = userSchema.safeParse(req.body);
  if (!userInput.success) {
    return res.status(400).send({ error: 'Invalid username' });
  }
  // Proceed with validated user input
});

Notes

This solution assumes that Zod is already installed and imported in the project. If not, you may need to add it as a dependency and import it in your route handlers.

Recommendation

Apply workaround by migrating to Zod schemas, as it provides a more robust and maintainable way to handle input validation, reducing the risk of ReDoS vulnerabilities.