logging and eslint fixes. Prevent log injection and properly import as types

5 months ago · 970b22e7e6
parent c11c11b283
commit 970b22e7e6
2 changed files with 17 additions and 7 deletions
--- a/server/index.ts
+++ b/server/index.ts
@ -35,6 +35,8 @@ import next from 'next';
 import path from 'path';
 import swaggerUi from 'swagger-ui-express';
 import YAML from 'yamljs';
+import xss from 'xss';
+import validator from 'validator';

 const API_SPEC_PATH = path.join(__dirname, '../overseerr-api.yml');

@ -45,12 +47,19 @@ const handle = app.getRequestHandler();

 const logMiddleware = (req: Request, res: Response, next: NextFunction) => {
  // Log information about the incoming request
-  logger.debug(`Request Method: ${req.method}`);
-  logger.debug(`Request URL: ${req.url}`);
-  logger.debug(`Request Headers: ${JSON.stringify(req.headers)}`);
-  logger.debug(`Request Body: ${JSON.stringify(req.body)}`);
+  logger.debug(`Request Method: ${xss(req.method)}`);
+  logger.debug(`Request URL: ${xss(req.url)}`);
+
+  const sanitizedHeaders = JSON.stringify(req.headers, (key, value) =>
+    typeof value === 'string' ? validator.escape(value) : value
+  );
+  logger.debug(`Request Headers: ${sanitizedHeaders}`);
+
+  const sanitizedBody = JSON.stringify(req.body, (key, value) =>
+    typeof value === 'string' ? validator.escape(value) : value
+  );
+  logger.debug(`Request Body: ${sanitizedBody}`);

-  // Continue processing the request
  next();
 };

--- a/server/routes/auth.ts
+++ b/server/routes/auth.ts
@ -6,14 +6,15 @@ import { Permission } from '@server/lib/permissions';
 import { getSettings } from '@server/lib/settings';
 import logger from '@server/logger';
 import { isAuthenticated } from '@server/middleware/auth';
-import { Router, Request } from 'express';
+import { Router} from 'express';
+import type { Request } from 'express';
 /* eslint-disable @typescript-eslint/no-unused-vars */
 import {
  createJwtSchema,
  getOIDCRedirectUrl,
  getOIDCWellknownConfiguration,
-  OIDCJwtPayload,
 } from '@server/utils/oidc';
+import type { OIDCJwtPayload } from '@server/utils/oidc';
 import { randomBytes } from 'crypto';
 import gravatarUrl from 'gravatar-url';
 import decodeJwt from 'jwt-decode';