Security audit improvements: authentication, path traversal protection, file validation, rate limiting, security headers

2025-11-24 09:34:54 +01:00
parent 0f7d66c619
commit 2d6481a42f
11 changed files with 287 additions and 15 deletions
--- a/app/api/audio/[filename]/route.ts
+++ b/app/api/audio/[filename]/route.ts
@@ -8,8 +8,28 @@ export async function GET(
 ) {
    try {
        const { filename } = await params;
+
+        // Security: Prevent path traversal attacks
+        // Only allow alphanumeric, hyphens, underscores, and dots
+        const safeFilenamePattern = /^[a-zA-Z0-9_\-\.]+\.mp3$/;
+        if (!safeFilenamePattern.test(filename)) {
+            return new NextResponse('Invalid filename', { status: 400 });
+        }
+
+        // Additional check: ensure no path separators
+        if (filename.includes('/') || filename.includes('\\') || filename.includes('..')) {
+            return new NextResponse('Invalid filename', { status: 400 });
+        }
+
        const filePath = path.join(process.cwd(), 'public/uploads', filename);

+        // Security: Verify the resolved path is still within uploads directory
+        const uploadsDir = path.join(process.cwd(), 'public/uploads');
+        const resolvedPath = path.resolve(filePath);
+        if (!resolvedPath.startsWith(uploadsDir)) {
+            return new NextResponse('Forbidden', { status: 403 });
+        }
+
        // Check if file exists
        try {
            await stat(filePath);