Skip to content

fix(provider): length-bound and sanitise request inputs across endpoints#2709

Merged
goastler merged 7 commits into
mainfrom
fix/provider-input-sanitisation
Jun 23, 2026
Merged

fix(provider): length-bound and sanitise request inputs across endpoints#2709
goastler merged 7 commits into
mainfrom
fix/provider-input-sanitisation

Conversation

@goastler

Copy link
Copy Markdown
Member

Summary

Mirrors the input-sanitisation hardening done on the private API (fix/input-length-limits) for the public provider package. Every request string field is now length-bounded, and the body parser has a tighter coarse cap.

Changes

  • New packages/types/src/api/sanitise.ts — shared zod helpers INPUT_LIMITS, boundedString, safeText, safeLine (length caps + control-character rejection; safeLine also rejects line breaks). Exported from api/index.ts.
  • packages/types/src/provider/api.ts — replaced bare string() with bounded variants across all request-body schemas: image/pow/puzzle captcha challenge & solution bodies, frictionless challenge, server verify bodies, DNS event ingestion, sitekey register/remove, detector-key and decision-machine admin bodies. Caps by field nature — accounts/site-keys/hashes/ids → ID; signatures/tokens/behavioural+simd readings → TOKEN; emails → EMAIL (keeping .email() checks); decision-machine source → LONG_TEXT; paths → URL. Response/DB schemas left untouched.
  • packages/provider/src/api/captcha/checkSpamEmail.ts — inline request body now uses bounded email/dapp.
  • packages/provider/src/api/startProviderApi.ts — lowered express.json body cap from 50 MB to 1 MB as a coarse oversized-payload backstop.

Verification

  • npm run -w @prosopo/types build:tsc and npm run -w @prosopo/provider build:tsc both pass.
  • Runtime-tested the helpers: null bytes rejected, tab/newline allowed in safeText, newline rejected in safeLine, max enforced.

🤖 Generated with Claude Code

Add shared zod helpers in @prosopo/types (INPUT_LIMITS, boundedString,
safeText, safeLine) and apply length bounds across the provider API
request schemas (captcha challenge/solution, frictionless, server verify,
DNS event ingestion, sitekey + decision-machine admin bodies, spam-email
check). Lower the express.json body cap from 50mb to 1mb as a coarse
oversized-payload backstop.
Copilot AI review requested due to automatic review settings June 16, 2026 23:43

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Hardens the public provider API request parsing by introducing shared Zod helpers for per-field input length limits and applying them across provider request-body schemas, plus tightening the Express JSON body-size cap as a coarse backstop.

Changes:

  • Added @prosopo/types request sanitisation helpers (INPUT_LIMITS, boundedString, safeText, safeLine) and exported them via api/index.ts.
  • Replaced many provider request-body string() fields with length-bounded variants in packages/types/src/provider/api.ts, and updated the provider spam-email endpoint request schema to use bounded fields.
  • Reduced the Provider API JSON parser limit from 50mb to 1mb.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 5 comments.

Show a summary per file
File Description
packages/types/src/provider/api.ts Applies bounded string helpers across many provider request-body schemas.
packages/types/src/api/sanitise.ts Introduces centralized input limits and Zod string helpers.
packages/types/src/api/index.ts Re-exports sanitisation helpers from the public API surface.
packages/provider/src/api/startProviderApi.ts Lowers Express JSON body size limit for coarse payload protection.
packages/provider/src/api/captcha/checkSpamEmail.ts Uses new bounded helpers for request body parsing.
.changeset/provider-input-sanitisation.md Declares patch releases for types/provider with summary of hardening.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread packages/types/src/provider/api.ts Outdated
Comment thread packages/types/src/provider/api.ts
Comment thread packages/types/src/provider/api.ts Outdated
Comment thread packages/types/src/provider/api.ts Outdated
Comment thread packages/types/src/provider/api.ts Outdated
@goastler goastler marked this pull request as draft June 17, 2026 00:48
goastler added 2 commits June 23, 2026 08:51
…nitisation

# Conflicts:
#	packages/provider/src/api/startProviderApi.ts
#	packages/types/src/provider/api.ts
Address review feedback: length-bound ProcaptchaTokenSpec, captcha
solution fields, and signature schemas at the request-body level so
oversized nested payloads are rejected. Fix biome import ordering in
checkSpamEmail.
@goastler goastler marked this pull request as ready for review June 23, 2026 08:11
Copilot AI review requested due to automatic review settings June 23, 2026 08:11
@goastler goastler enabled auto-merge (squash) June 23, 2026 08:11

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.

Comment thread packages/types/src/provider/api.ts Outdated
Copilot AI review requested due to automatic review settings June 23, 2026 11:35

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 6 comments.

Comment thread packages/types/src/provider/api.ts
Comment thread packages/types/src/provider/api.ts
Comment thread packages/types/src/provider/api.ts
Comment thread packages/types/src/provider/api.ts
Comment thread packages/provider/src/api/captcha/checkSpamEmail.ts
Comment thread .changeset/provider-input-sanitisation.md
@goastler

Copy link
Copy Markdown
Member Author

Babysitting note — pushed two follow-ups and resolved all Copilot threads:

  • dd07549: length-bound fingerprintProof in SubmitPowCaptchaSolutionBody (boundedString(INPUT_LIMITS.TOKEN)), addressing the last open Copilot thread.
  • 509729e: widen headHash in GetFrictionlessCaptchaChallengeRequestBody from INPUT_LIMITS.ID (256) to INPUT_LIMITS.TOKEN. The client-bundle-example cypress e2e was failing on 509729e's parent — the frictionless challenge endpoint rejected real headHash fingerprint values with too_big maximum:256. ID was too small for that field; TOKEN matches the sibling token/simdReadings fields in the same body.

CI is now fully green on 509729e.

goastler and others added 2 commits June 23, 2026 17:51
…elds to reject control chars

honeypot text and decision-machine source -> safeText; user_agent,
decision-machine name, spam-check email/dapp -> safeLine. Matches the
changeset's control-character-rejection claim.
Copilot AI review requested due to automatic review settings June 23, 2026 23:31

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated no new comments.

@goastler goastler merged commit b166037 into main Jun 23, 2026
12 checks passed
@goastler goastler deleted the fix/provider-input-sanitisation branch June 23, 2026 23:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants