simplifique/portalweb-api
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

heath impl

Browse Source
This commit is contained in:
JurTI-BR
2025-04-02 19:31:13 -03:00
parent 15bb11fc4c
commit 8ba6f345c7
32 changed files with 2620 additions and 395 deletions
Download Patch File Download Diff File Expand all files Collapse all files

63
src/common/middlewares/dist/rate-limiter.middleware.js vendored Normal file
View File

@@ -0,0 +1,63 @@
"use strict";
var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
return c > 3 && r && Object.defineProperty(target, key, r), r;
};
exports.__esModule = true;
exports.RateLimiterMiddleware = void 0;
var common_1 = require("@nestjs/common");
var throttler_1 = require("@nestjs/throttler");
var RateLimiterMiddleware = /** @class */ (function () {
function RateLimiterMiddleware(configService) {
this.configService = configService;
this.store = new Map();
this.ttl = this.configService.get('THROTTLE_TTL', 60);
this.limit = this.configService.get('THROTTLE_LIMIT', 10);
}
RateLimiterMiddleware.prototype.use = function (req, res, next) {
// Skip if the request method is OPTIONS (for CORS preflight)
if (req.method === 'OPTIONS') {
return next();
}
var key = this.generateKey(req);
var now = Date.now();
if (!this.store.has(key)) {
this.store.set(key, { count: 1, expiration: now + this.ttl * 1000 });
this.setRateLimitHeaders(res, 1);
return next();
}
var record = this.store.get(key);
if (record.expiration < now) {
record.count = 1;
record.expiration = now + this.ttl * 1000;
this.setRateLimitHeaders(res, 1);
return next();
}
if (record.count >= this.limit) {
var timeToWait = Math.ceil((record.expiration - now) / 1000);
this.setRateLimitHeaders(res, record.count);
res.header('Retry-After', String(timeToWait));
throw new throttler_1.ThrottlerException("Too Many Requests. Retry after " + timeToWait + " seconds.");
}
record.count++;
this.setRateLimitHeaders(res, record.count);
return next();
};
RateLimiterMiddleware.prototype.generateKey = function (req) {
// Combina IP com rota para rate limiting mais preciso
var ip = req.ip || req.headers['x-forwarded-for'] || 'unknown-ip';
var path = req.path || req.originalUrl || '';
return ip + ":" + path;
};
RateLimiterMiddleware.prototype.setRateLimitHeaders = function (res, count) {
res.header('X-RateLimit-Limit', String(this.limit));
res.header('X-RateLimit-Remaining', String(Math.max(0, this.limit - count)));
};
RateLimiterMiddleware = __decorate([
common_1.Injectable()
], RateLimiterMiddleware);
return RateLimiterMiddleware;
}());
exports.RateLimiterMiddleware = RateLimiterMiddleware;

54
src/common/middlewares/dist/request-sanitizer.middleware.js vendored Normal file
View File

@@ -0,0 +1,54 @@
"use strict";
var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
return c > 3 && r && Object.defineProperty(target, key, r), r;
};
exports.__esModule = true;
exports.RequestSanitizerMiddleware = void 0;
var common_1 = require("@nestjs/common");
var RequestSanitizerMiddleware = /** @class */ (function () {
function RequestSanitizerMiddleware() {
}
RequestSanitizerMiddleware.prototype.use = function (req, res, next) {
if (req.headers) {
this.sanitizeObject(req.headers);
}
if (req.query) {
this.sanitizeObject(req.query);
}
if (req.body) {
this.sanitizeObject(req.body);
}
next();
};
RequestSanitizerMiddleware.prototype.sanitizeObject = function (obj) {
var _this = this;
Object.keys(obj).forEach(function (key) {
if (typeof obj[key] === 'string') {
obj[key] = _this.sanitizeString(obj[key]);
}
else if (typeof obj[key] === 'object' && obj[key] !== null) {
_this.sanitizeObject(obj[key]);
}
});
};
RequestSanitizerMiddleware.prototype.sanitizeString = function (str) {
// Remover tags HTML básicas
str = str.replace(/<(|\/|[^>\/bi]|\/[^>bi]|[^\/>][^>]+|\/[^>][^>]+)>/g, '');
// Remover scripts JavaScript
str = str.replace(/javascript:/g, '');
str = str.replace(/on\w+=/g, '');
// Remover comentários HTML
str = str.replace(/<!--[\s\S]*?-->/g, '');
// Sanitizar caracteres especiais para evitar SQL injection
str = str.replace(/'/g, "''");
return str;
};
RequestSanitizerMiddleware = __decorate([
common_1.Injectable()
], RequestSanitizerMiddleware);
return RequestSanitizerMiddleware;
}());
exports.RequestSanitizerMiddleware = RequestSanitizerMiddleware;

64
src/common/middlewares/rate-limiter.middleware.ts Normal file
View File

@@ -0,0 +1,64 @@
import { Injectable, NestMiddleware } from '@nestjs/common';
import { ThrottlerException } from '@nestjs/throttler';
import { Request, Response, NextFunction } from 'express';
import { ConfigService } from '@nestjs/config';
@Injectable()
export class RateLimiterMiddleware implements NestMiddleware {
private readonly ttl: number;
private readonly limit: number;
private readonly store: Map<string, { count: number; expiration: number }> = new Map();
constructor(private configService: ConfigService) {
this.ttl = this.configService.get<number>('THROTTLE_TTL', 60);
this.limit = this.configService.get<number>('THROTTLE_LIMIT', 10);
}
use(req: Request, res: Response, next: NextFunction): void {
// Skip if the request method is OPTIONS (for CORS preflight)
if (req.method === 'OPTIONS') {
return next();
}
const key = this.generateKey(req);
const now = Date.now();
if (!this.store.has(key)) {
this.store.set(key, { count: 1, expiration: now + this.ttl * 1000 });
this.setRateLimitHeaders(res, 1);
return next();
}
const record = this.store.get(key);
if (record.expiration < now) {
record.count = 1;
record.expiration = now + this.ttl * 1000;
this.setRateLimitHeaders(res, 1);
return next();
}
if (record.count >= this.limit) {
const timeToWait = Math.ceil((record.expiration - now) / 1000);
this.setRateLimitHeaders(res, record.count);
res.header('Retry-After', String(timeToWait));
throw new ThrottlerException(`Too Many Requests. Retry after ${timeToWait} seconds.`);
}
record.count++;
this.setRateLimitHeaders(res, record.count);
return next();
}
private generateKey(req: Request): string {
// Combina IP com rota para rate limiting mais preciso
const ip = req.ip || req.headers['x-forwarded-for'] as string || 'unknown-ip';
const path = req.path || req.originalUrl || '';
return `${ip}:${path}`;
}
private setRateLimitHeaders(res: Response, count: number): void {
res.header('X-RateLimit-Limit', String(this.limit));
res.header('X-RateLimit-Remaining', String(Math.max(0, this.limit - count)));
}
}

48
src/common/middlewares/request-sanitizer.middleware.ts Normal file
View File

@@ -0,0 +1,48 @@
import { Injectable, NestMiddleware } from '@nestjs/common';
import { Request, Response, NextFunction } from 'express';
@Injectable()
export class RequestSanitizerMiddleware implements NestMiddleware {
use(req: Request, res: Response, next: NextFunction) {
if (req.headers) {
this.sanitizeObject(req.headers);
}
if (req.query) {
this.sanitizeObject(req.query);
}
if (req.body) {
this.sanitizeObject(req.body);
}
next();
}
private sanitizeObject(obj: any) {
Object.keys(obj).forEach(key => {
if (typeof obj[key] === 'string') {
obj[key] = this.sanitizeString(obj[key]);
} else if (typeof obj[key] === 'object' && obj[key] !== null) {
this.sanitizeObject(obj[key]);
}
});
}
private sanitizeString(str: string): string {
// Remover tags HTML básicas
str = str.replace(/<(|\/|[^>\/bi]|\/[^>bi]|[^\/>][^>]+|\/[^>][^>]+)>/g, '');
// Remover scripts JavaScript
str = str.replace(/javascript:/g, '');
str = str.replace(/on\w+=/g, '');
// Remover comentários HTML
str = str.replace(/<!--[\s\S]*?-->/g, '');
// Sanitizar caracteres especiais para evitar SQL injection
str = str.replace(/'/g, "''");
return str;
}
}

68
src/common/validators/dist/sanitize.validator.js vendored Normal file
View File

@@ -0,0 +1,68 @@
"use strict";
exports.__esModule = true;
exports.IsSecureId = exports.IsSanitized = void 0;
var class_validator_1 = require("class-validator");
// Decorator para sanitizar strings e prevenir SQL/NoSQL injection
function IsSanitized(validationOptions) {
return function (object, propertyName) {
class_validator_1.registerDecorator({
name: 'isSanitized',
target: object.constructor,
propertyName: propertyName,
options: validationOptions,
validator: {
validate: function (value, args) {
if (typeof value !== 'string')
return true; // Skip non-string values
// Check for common SQL injection patterns
var sqlInjectionRegex = /('|"|;|--|\/\*|\*\/|@@|@|char|nchar|varchar|nvarchar|alter|begin|cast|create|cursor|declare|delete|drop|end|exec|execute|fetch|insert|kill|open|select|sys|sysobjects|syscolumns|table|update|xp_)/i;
if (sqlInjectionRegex.test(value)) {
return false;
}
// Check for NoSQL injection patterns (MongoDB)
var noSqlInjectionRegex = /(\$where|\$ne|\$gt|\$lt|\$gte|\$lte|\$in|\$nin|\$or|\$and|\$regex|\$options|\$elemMatch|\{.*\:.*\})/i;
if (noSqlInjectionRegex.test(value)) {
return false;
}
// Check for XSS attempts
var xssRegex = /(<script|javascript:|on\w+\s*=|<%=|<img|<iframe|alert\(|window\.|document\.)/i;
if (xssRegex.test(value)) {
return false;
}
return true;
},
defaultMessage: function (args) {
return 'A entrada contém caracteres inválidos ou padrões potencialmente maliciosos';
}
}
});
};
}
exports.IsSanitized = IsSanitized;
// Decorator para validar IDs seguros (evita injeção em IDs)
function IsSecureId(validationOptions) {
return function (object, propertyName) {
class_validator_1.registerDecorator({
name: 'isSecureId',
target: object.constructor,
propertyName: propertyName,
options: validationOptions,
validator: {
validate: function (value, args) {
if (typeof value !== 'string' && typeof value !== 'number')
return false;
if (typeof value === 'string') {
// Permitir apenas: letras, números, hífens, underscores e GUIDs
return /^[a-zA-Z0-9\-_]+$|^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i.test(value);
}
// Se for número, deve ser positivo
return value > 0;
},
defaultMessage: function (args) {
return 'O ID fornecido não é seguro ou está em formato inválido';
}
}
});
};
}
exports.IsSecureId = IsSecureId;

69
src/common/validators/sanitize.validator.ts Normal file
View File

@@ -0,0 +1,69 @@
import { registerDecorator, ValidationOptions, ValidationArguments } from 'class-validator';
// Decorator para sanitizar strings e prevenir SQL/NoSQL injection
export function IsSanitized(validationOptions?: ValidationOptions) {
return function (object: Object, propertyName: string) {
registerDecorator({
name: 'isSanitized',
target: object.constructor,
propertyName: propertyName,
options: validationOptions,
validator: {
validate(value: any, args: ValidationArguments) {
if (typeof value !== 'string') return true; // Skip non-string values
// Check for common SQL injection patterns
const sqlInjectionRegex = /('|"|;|--|\/\*|\*\/|@@|@|char|nchar|varchar|nvarchar|alter|begin|cast|create|cursor|declare|delete|drop|end|exec|execute|fetch|insert|kill|open|select|sys|sysobjects|syscolumns|table|update|xp_)/i;
if (sqlInjectionRegex.test(value)) {
return false;
}
// Check for NoSQL injection patterns (MongoDB)
const noSqlInjectionRegex = /(\$where|\$ne|\$gt|\$lt|\$gte|\$lte|\$in|\$nin|\$or|\$and|\$regex|\$options|\$elemMatch|\{.*\:.*\})/i;
if (noSqlInjectionRegex.test(value)) {
return false;
}
// Check for XSS attempts
const xssRegex = /(<script|javascript:|on\w+\s*=|<%=|<img|<iframe|alert\(|window\.|document\.)/i;
if (xssRegex.test(value)) {
return false;
}
return true;
},
defaultMessage(args: ValidationArguments) {
return 'A entrada contém caracteres inválidos ou padrões potencialmente maliciosos';
},
},
});
};
}
// Decorator para validar IDs seguros (evita injeção em IDs)
export function IsSecureId(validationOptions?: ValidationOptions) {
return function (object: Object, propertyName: string) {
registerDecorator({
name: 'isSecureId',
target: object.constructor,
propertyName: propertyName,
options: validationOptions,
validator: {
validate(value: any, args: ValidationArguments) {
if (typeof value !== 'string' && typeof value !== 'number') return false;
if (typeof value === 'string') {
// Permitir apenas: letras, números, hífens, underscores e GUIDs
return /^[a-zA-Z0-9\-_]+$|^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i.test(value);
}
// Se for número, deve ser positivo
return value > 0;
},
defaultMessage(args: ValidationArguments) {
return 'O ID fornecido não é seguro ou está em formato inválido';
},
},
});
};
}