[SECURITY] Add Input Validation and Rate Limiting to API #271
Description
🔧 Enhancement: Add Input Validation and Sanitization
Description
The chatbot API endpoint in server.js lacks comprehensive input validation and sanitization, which could lead to security vulnerabilities and poor error handling.
Affected Code
server.js - /api/chat endpoint (lines 56-91)
Current Issues
- Basic Validation Only:
if (!message || typeof message !== 'string' || message.trim().length === 0) {
return res.status(400).json({ error: "Message is required..." });
}- No Length Limits: Users can send extremely long messages
- No Rate Limiting: API can be abused with spam requests
- No Input Sanitization: Potential for injection attacks
- No Request Logging: Hard to debug issues
Security Risks
- DoS Attacks: Large payloads can crash the server
- API Abuse: Unlimited requests can exhaust Gemini API quota
- Injection Attacks: Malicious prompts could manipulate AI responses
- Cost Exploitation: Excessive API calls lead to unexpected costs
Recommended Solution
1. Install Required Packages
npm install express-validator express-rate-limit helmet2. Add Validation Middleware
const { body, validationResult } = require('express-validator');
const rateLimit = require('express-rate-limit');
// Rate limiting
const chatLimiter = rateLimit({
windowMs: 15 * 60 * 1000, // 15 minutes
max: 20, // 20 requests per window
message: 'Too many requests, please try again later.',
standardHeaders: true,
legacyHeaders: false,
});
// Validation rules
const chatValidation = [
body('message')
.trim()
.notEmpty().withMessage('Message is required')
.isLength({ min: 1, max: 1000 }).withMessage('Message must be 1-1000 characters')
.escape() // Sanitize HTML
];
// Apply to endpoint
app.post('/api/chat',
chatLimiter,
chatValidation,
async (req, res) => {
// Check validation errors
const errors = validationResult(req);
if (!errors.isEmpty()) {
return res.status(400).json({ errors: errors.array() });
}
// Rest of the code...
}
);3. Add Request Logging
// Simple logging middleware
app.use((req, res, next) => {
console.log(`${new Date().toISOString()} - ${req.method} ${req.path}`);
next();
});4. Improve Error Handling
// Global error handler
app.use((err, req, res, next) => {
console.error('Error:', err);
res.status(500).json({
error: 'Internal Server Error',
message: process.env.NODE_ENV === 'development' ? err.message : 'Something went wrong'
});
});Additional Recommendations
- Add request ID tracking for debugging
- Implement proper logging (Winston or Pino)
- Add monitoring and alerting
- Set up API usage analytics
- Add CAPTCHA for public endpoints
- Implement user authentication for API access
Benefits
- ✅ Protection against DoS attacks
- ✅ Better error messages for users
- ✅ Reduced API abuse and costs
- ✅ Easier debugging and monitoring
- ✅ Improved security posture
References
Priority
HIGH - Important for security and reliability.