Skip to content

fix(security): Architecture hardening - input validation & DoS protection#25

Merged
Sceat merged 1 commit intoedgefrom
modernize-2025
Nov 6, 2025
Merged

fix(security): Architecture hardening - input validation & DoS protection#25
Sceat merged 1 commit intoedgefrom
modernize-2025

Conversation

@Sceat
Copy link
Member

@Sceat Sceat commented Nov 6, 2025

Summary

Implements critical security fixes identified in the architecture audit:

CRITICAL Fixes (Priority 1)

  • Lambda adapter: Added try-catch for JSON.parse() to prevent unhandled exceptions (DoS vector)
  • All adapters: Request body validation with 100KB query size limit (prevents memory exhaustion attacks)
  • Base handler: build_context timeout wrapper (5s default) prevents hanging requests

Implementation Details

New validation module (src/validation.js):

  • validate_request_body(): Validates request structure, type checks, size limits
  • with_timeout(): Wrapper function for Promise timeout protection

Updated adapters:

  • All 4 adapters (Koa, Fastify, Lambda, TinyHttp) now validate input at entry point
  • Early return pattern with null values prevents further processing after validation errors
  • Consistent error handling across all adapters

Test-Driven Development:

  • Added 6 new tests covering all validation scenarios
  • Tests for: JSON parse errors, size limits, timeouts, malformed input
  • All tests follow TDD RED → GREEN → REFACTOR cycle

Test Results

✓ 33/33 tests passing
✓ Coverage: 86.68% stmts, 80% branch, 73.68% funcs
✓ All coverage thresholds met (75%+ lines, 70%+ branches/functions)

Security Impact

Addresses the following vulnerabilities:

  1. DoS via malformed JSON (Lambda) - CRITICAL
  2. Memory exhaustion via large queries - CRITICAL
  3. Request hanging via slow context builders - HIGH
  4. Type confusion attacks - HIGH

Breaking Changes

None. All changes are backward compatible.

🤖 Generated with Claude Code

@Sceat Sceat requested a review from DeltaEvo as a code owner November 6, 2025 18:50
@Sceat @claude
fix(security): architecture hardening - input validation & DoS protec…
be5d13a 
…tion

Implements critical security fixes identified in architecture audit:

**CRITICAL Fixes**:
- Lambda: Added try-catch for JSON.parse to prevent unhandled exceptions (DoS vector)
- All adapters: Request body validation with 100KB query size limit (memory exhaustion protection)
- Base: build_context timeout wrapper (5s default) prevents hanging requests

**Implementation**:
- New validation.js module with validate_request_body() and with_timeout()
- All adapters (Koa, Fastify, Lambda, TinyHttp) now validate input at entry point
- Early return pattern with null values prevents further processing after validation errors
- TDD approach: Added 6 new tests covering all validation scenarios

**Test Coverage**:
- 33/33 tests passing
- Coverage: 86.68% stmts, 80% branch, 73.68% funcs (all above thresholds)
- New tests: JSON parse errors, size limits, timeouts, malformed input

Addresses Priority 1 (CRITICAL) and Priority 2 (HIGH) issues from architecture audit.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@Sceat Sceat merged commit 9b544f3 into edge Nov 6, 2025
2 of 3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@DeltaEvo DeltaEvo Awaiting requested review from DeltaEvo DeltaEvo is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Sceat