
"use strict";
// Decorator helper emitted by the TypeScript compiler (kept verbatim).
// Called with (decorators, target) for a class decorator, or with
// (decorators, target, key, desc) for a member decorator.
var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
// c < 3: class decorator, r is the class itself. Otherwise r is the property
// descriptor, looked up on the target when the caller passed desc === null.
var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
// Prefer Reflect.decorate when some implementation of it is available at runtime.
if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
// Fallback: apply the decorators right-to-left; a decorator that returns a
// falsy value leaves the current result r untouched.
else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
// For member decorators with a resulting descriptor, install it on the target.
return c > 3 && r && Object.defineProperty(target, key, r), r;
};
// CommonJS interop marker written by the TypeScript compiler; the export is
// pre-declared here and assigned at the bottom of the file once the class exists.
exports.__esModule = true;
exports.RequestSanitizerMiddleware = void 0;
var common_1 = require("@nestjs/common");
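var RequestSanitizerMiddleware = /** @class */ (function () {
    // Tag contents that are left in place: plain <b>/<i> and their closers,
    // lower case only. Every other `<`…`>` run is removed, including `<B>`,
    // `<b >` and `<>` — this mirrors what the previous regex accepted.
    function isKeptTag(inner) {
        return inner === 'b' || inner === 'i' || inner === '/b' || inner === '/i';
    }

    // Removes HTML tags with one linear scan. Equivalent to the former
    // /<(|\/|[^>\/bi]|\/[^>bi]|[^\/>][^>]+|\/[^>][^>]+)>/g, i.e. drop `<` plus
    // everything up to the next `>` unless that content is exactly b, i, /b or /i.
    // The regex backtracked quadratically on long runs of `<` with no `>` (a
    // ReDoS surface on a middleware that sees every request), hence the scan.
    function stripTags(str) {
        var out = '';
        var pos = 0;
        for (;;) {
            var lt = str.indexOf('<', pos);
            if (lt === -1) {
                break;
            }
            var gt = str.indexOf('>', lt + 1);
            if (gt === -1) {
                // No `>` anywhere after this `<`: nothing further can form a tag.
                break;
            }
            var inner = str.slice(lt + 1, gt);
            out += isKeptTag(inner) ? str.slice(pos, gt + 1) : str.slice(pos, lt);
            pos = gt + 1;
        }
        return out + str.slice(pos);
    }

    // Patterns are hoisted: String#replace resets lastIndex, so sharing /g regexes is safe.

    // `javascript:` URL scheme. Case-insensitive because browsers are; the old
    // case-sensitive pattern let `JavaScript:` through untouched.
    var JS_SCHEME_RE = /javascript:/gi;
    // Inline event-handler attributes (onclick=, onLoad = …). The leading word
    // boundary restricts this to attribute-like names: the former bare /on\w+=/
    // also mangled ordinary values such as a `session_id=` cookie (-> `sessi`)
    // or `constant=` (-> `c`), which broke legitimate requests.
    var EVENT_HANDLER_RE = /\bon\w+\s*=/gi;
    // The former /<!--[\s\S]*?-->/g pass was dropped: once stripTags has run, no
    // `<!--` followed by a `>` can remain, so it could never match, and it
    // backtracked quadratically on `<!--<!--<!--…` input.
    var SINGLE_QUOTE_RE = /'/g;
    // Upper bound on strip passes. A pass that changes the string always shortens
    // it, so the loop terminates regardless, but many passes over a large payload
    // would be O(n^2); beyond this many layers the input is treated as hostile.
    var MAX_PASSES = 8;

    /**
     * NestJS middleware that scrubs every string found in `req.headers`,
     * `req.query` and `req.body` in place, before the route handler runs.
     *
     * This is a best-effort blocklist: it strips HTML tags (except bare <b>/<i>),
     * `javascript:` schemes and inline event handlers, then doubles single
     * quotes. It is not a substitute for output encoding at render time or for
     * parameterised queries; treat it as defence in depth only.
     */
    function RequestSanitizerMiddleware() {
    }

    /**
     * Express-style middleware entry point.
     * @param req incoming request; `headers`, `query` and `body` are rewritten in place
     * @param res unused
     * @param next continuation, called unless a sanitiser throws
     */
    RequestSanitizerMiddleware.prototype.use = function (req, res, next) {
        // NOTE(review): in-place mutation assumes these are plain writable objects
        // (Express 4 / Fastify). On an adapter where `req.query` is a re-computing
        // getter the scrubbed values may not persist — confirm for the adapter in use.
        if (req.headers) {
            this.sanitizeObject(req.headers);
        }
        if (req.query) {
            this.sanitizeObject(req.query);
        }
        if (typeof req.body === 'string') {
            // Text bodies: indexing into a string to assign threw a TypeError under
            // "use strict" in the old code, so handle them as a single value.
            req.body = this.sanitizeString(req.body);
        } else if (req.body) {
            this.sanitizeObject(req.body);
        }
        next();
    };

    /**
     * Walks `obj` (objects and arrays alike) and replaces every string leaf with
     * `sanitizeString(leaf)`. Iterative rather than recursive so a deeply nested
     * JSON body cannot exhaust the stack, and cycle-safe via a WeakSet.
     * Non-object input is ignored.
     * @param obj any object; mutated in place
     */
    RequestSanitizerMiddleware.prototype.sanitizeObject = function (obj) {
        if (obj === null || typeof obj !== 'object') {
            return;
        }
        var self = this;
        var pending = [obj];
        var visited = new WeakSet();
        var visit = function (container) {
            Object.keys(container).forEach(function (key) {
                var value = container[key];
                if (typeof value === 'string') {
                    container[key] = self.sanitizeString(value);
                } else if (typeof value === 'object' && value !== null) {
                    pending.push(value);
                }
            });
        };
        while (pending.length > 0) {
            var current = pending.pop();
            if (!visited.has(current)) {
                visited.add(current);
                visit(current);
            }
        }
    };

    /**
     * Scrubs one string. The removal passes repeat until the text stops changing,
     * because a single pass can be bypassed by nesting a payload inside itself:
     * "javajavascript:script:" collapses into "javascript:" after one removal.
     * Quote doubling runs once, afterwards (it never reaches a fixed point).
     * @param str the raw value
     * @returns the scrubbed value
     * @throws BadRequestException when the text is still changing after MAX_PASSES
     */
    RequestSanitizerMiddleware.prototype.sanitizeString = function (str) {
        var previous;
        var passes = 0;
        do {
            previous = str;
            str = stripTags(str)
                .replace(JS_SCHEME_RE, '')
                .replace(EVENT_HANDLER_RE, '');
            passes += 1;
            if (str !== previous && passes >= MAX_PASSES) {
                // Still unwinding after MAX_PASSES layers: fail closed rather than
                // forward a partially scrubbed payload. NestJS should route an
                // exception thrown from middleware to its exception filters (a 400
                // here) — confirm for the adapter in use.
                throw new common_1.BadRequestException('Request contains nested unsafe content');
            }
        } while (str !== previous);
        // NOTE(review): doubling quotes is not a SQL-injection defence and it
        // corrupts legitimate input (O'Brien -> O''Brien) before it reaches any
        // parameterised query layer. Preserved for compatibility; the real fix is
        // bound parameters in the data layer, after which this line should go.
        return str.replace(SINGLE_QUOTE_RE, "''");
    };

    RequestSanitizerMiddleware = __decorate([
        common_1.Injectable()
    ], RequestSanitizerMiddleware);
    return RequestSanitizerMiddleware;
}());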
exports.RequestSanitizerMiddleware = RequestSanitizerMiddleware;