fix(provider): length-bound and sanitise request inputs across endpoints#2709
Merged
Conversation
Add shared zod helpers in @prosopo/types (INPUT_LIMITS, boundedString, safeText, safeLine) and apply length bounds across the provider API request schemas (captcha challenge/solution, frictionless, server verify, DNS event ingestion, sitekey + decision-machine admin bodies, spam-email check). Lower the express.json body cap from 50mb to 1mb as a coarse oversized-payload backstop.
Contributor
There was a problem hiding this comment.
Pull request overview
Hardens the public provider API request parsing by introducing shared Zod helpers for per-field input length limits and applying them across provider request-body schemas, plus tightening the Express JSON body-size cap as a coarse backstop.
Changes:
- Added
@prosopo/typesrequest sanitisation helpers (INPUT_LIMITS,boundedString,safeText,safeLine) and exported them viaapi/index.ts. - Replaced many provider request-body
string()fields with length-bounded variants inpackages/types/src/provider/api.ts, and updated the provider spam-email endpoint request schema to use bounded fields. - Reduced the Provider API JSON parser limit from
50mbto1mb.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| packages/types/src/provider/api.ts | Applies bounded string helpers across many provider request-body schemas. |
| packages/types/src/api/sanitise.ts | Introduces centralized input limits and Zod string helpers. |
| packages/types/src/api/index.ts | Re-exports sanitisation helpers from the public API surface. |
| packages/provider/src/api/startProviderApi.ts | Lowers Express JSON body size limit for coarse payload protection. |
| packages/provider/src/api/captcha/checkSpamEmail.ts | Uses new bounded helpers for request body parsing. |
| .changeset/provider-input-sanitisation.md | Declares patch releases for types/provider with summary of hardening. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
…nitisation # Conflicts: # packages/provider/src/api/startProviderApi.ts # packages/types/src/provider/api.ts
Address review feedback: length-bound ProcaptchaTokenSpec, captcha solution fields, and signature schemas at the request-body level so oversized nested payloads are rejected. Fix biome import ordering in checkSpamEmail.
…e accepts real fingerprint hashes
Member
Author
|
Babysitting note — pushed two follow-ups and resolved all Copilot threads:
CI is now fully green on 509729e. |
…elds to reject control chars honeypot text and decision-machine source -> safeText; user_agent, decision-machine name, spam-check email/dapp -> safeLine. Matches the changeset's control-character-rejection claim.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Mirrors the input-sanitisation hardening done on the private API (
fix/input-length-limits) for the public provider package. Every request string field is now length-bounded, and the body parser has a tighter coarse cap.Changes
packages/types/src/api/sanitise.ts— shared zod helpersINPUT_LIMITS,boundedString,safeText,safeLine(length caps + control-character rejection;safeLinealso rejects line breaks). Exported fromapi/index.ts.packages/types/src/provider/api.ts— replaced barestring()with bounded variants across all request-body schemas: image/pow/puzzle captcha challenge & solution bodies, frictionless challenge, server verify bodies, DNS event ingestion, sitekey register/remove, detector-key and decision-machine admin bodies. Caps by field nature — accounts/site-keys/hashes/ids →ID; signatures/tokens/behavioural+simd readings →TOKEN; emails →EMAIL(keeping.email()checks); decision-machine source →LONG_TEXT; paths →URL. Response/DB schemas left untouched.packages/provider/src/api/captcha/checkSpamEmail.ts— inline request body now uses bounded email/dapp.packages/provider/src/api/startProviderApi.ts— loweredexpress.jsonbody cap from 50 MB to 1 MB as a coarse oversized-payload backstop.Verification
npm run -w @prosopo/types build:tscandnpm run -w @prosopo/provider build:tscboth pass.safeText, newline rejected insafeLine, max enforced.🤖 Generated with Claude Code