feat: enhance security, performance, and stability

This commit introduces a range of improvements across the application: - **Security:** - Adds authentication to the CSP metrics endpoint. - Hardens CSP bypass detection regex to prevent ReDoS attacks. - Improves CORS headers for the CSP metrics API. - Adds filtering for acknowledged alerts in security monitoring. - **Performance:** - Optimizes database connection pooling for NeonDB. - Improves session fetching with abort controller. - **Stability:** - Adds error handling to the tRPC demo component. - Fixes type inconsistencies in session data mapping. - **Docs & DX:** - Ignores files in git. - Fixes a token placeholder in the documentation.
2026-01-16 18:52:08 +01:00 · 2025-07-12 01:03:52 +02:00
parent 314326400e
commit 7a3eabccd9
9 changed files with 173 additions and 97 deletions
--- a/lib/csp.ts
+++ b/lib/csp.ts
@ -401,30 +401,30 @@ export function parseCSPViolation(report: CSPViolationReport): {
 }

 /**
- * CSP bypass detection patterns
+ * CSP bypass detection patterns - optimized to prevent ReDoS attacks
 */
 export const CSP_BYPASS_PATTERNS = [
-  // Common XSS bypass attempts
-  /javascript:/i,
-  /data:text\/html/i,
-  /vbscript:/i,
-  /livescript:/i,
+  // Common XSS bypass attempts (exact matches to prevent ReDoS)
+  /^javascript:/i,
+  /^data:text\/html/i,
+  /^vbscript:/i,
+  /^livescript:/i,

-  // Base64 encoded attempts
-  /data:.*base64.*script/i,
-  /data:text\/javascript/i,
-  /data:application\/javascript/i,
+  // Base64 encoded attempts (limited quantifiers to prevent ReDoS)
+  /^data:[^;]{0,50};base64[^,]{0,100},.*script/i,
+  /^data:text\/javascript/i,
+  /^data:application\/javascript/i,

-  // JSONP callback manipulation
-  /callback=.*script/i,
+  // JSONP callback manipulation (limited lookahead)
+  /callback=[^&]{0,200}script/i,

-  // Common CSP bypass techniques
-  /location\.href.*javascript/i,
-  /document\.write.*script/i,
-  /eval\(/i,
+  // Common CSP bypass techniques (limited quantifiers)
+  /location\.href[^;]{0,100}javascript/i,
+  /document\.write[^;]{0,100}script/i,
+  /\beval\s*\(/i,
  /\bnew\s+Function\s*\(/i,
-  /setTimeout\s*\(\s*['"`].*['"`]/i,
-  /setInterval\s*\(\s*['"`].*['"`]/i,
+  /setTimeout\s*\(\s*['"`][^'"`]{0,500}['"`]/i,
+  /setInterval\s*\(\s*['"`][^'"`]{0,500}['"`]/i,
 ];

 /**
@ -550,14 +550,14 @@ export function detectCSPBypass(content: string): {
    }
  }

-  // Determine risk level based on pattern types
+  // Determine risk level based on pattern types (ReDoS-safe patterns)
  const highRiskPatterns = [
-    /javascript:/i,
-    /eval\(/i,
+    /^javascript:/i,
+    /\beval\s*\(/i,
    /\bnew\s+Function\s*\(/i,
-    /data:text\/javascript/i,
-    /data:application\/javascript/i,
-    /data:.*base64.*script/i,
+    /^data:text\/javascript/i,
+    /^data:application\/javascript/i,
+    /^data:[^;]{0,50};base64[^,]{0,100},.*script/i,
  ];

  const hasHighRiskPattern = detectedPatterns.some((pattern) =>