ragusa-it/ragusaitweb
1
0
Fork 0
Code Issues Pull Requests 6 Actions Packages Projects Releases Wiki Activity

🛡️ Sentinel: Enhance input sanitization and update blocked domains #44

Open
ragusa-it wants to merge 1 commits from sentinel-security-enhancement-backticks-and-domains-12355386453957124996 into main
pull from: sentinel-security-enhancement-backticks-and-domains-12355386453957124996
merge into: ragusa-it:main
Conversation 2 Commits 1 Files Changed 3 +15 -1
3 changed files with 15 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Showing only changes of commit 4191e829cb - Show all commits

5
.jules/sentinel.md
View File

@@ -27,3 +27,8 @@
**Vulnerability:** Allowing users to register or submit forms with disposable email addresses (e.g., mailinator.com) can lead to spam, abuse, and polluted data.
**Learning:** While true email verification requires a backend or API, a simple client-side blocklist of common disposable domains is a highly effective, low-cost first line of defense.
**Prevention:** Maintain a list of known disposable domains (e.g., `BLOCKED_DOMAINS`) and check the domain part of the email address during validation.
## 2026-02-14 - Backtick Injection in Template Strings
**Vulnerability:** Standard HTML sanitization often ignores backticks (` `), which can be dangerous if the sanitized string is injected into a JavaScript template literal context.
**Learning:** While HTML entities (`<`, `"`) protect HTML contexts, modern JS uses backticks for strings. Failing to escape them allows attackers to break out of the string boundary if the data is used in a JS context.
**Prevention:** Explicitly replace backticks with ``` in sanitization routines intended for general-purpose use.

3
src/utils/security.test.ts
View File

@@ -10,6 +10,7 @@ describe('Security Utils', () => {
expect(sanitizeInput('foo & bar')).toBe('foo & bar');
expect(sanitizeInput('"quotes"')).toBe('"quotes"');
expect(sanitizeInput("'single quotes'")).toBe(''single quotes'');
expect(sanitizeInput('`backticks`')).toBe('`backticks`');
expect(sanitizeInput('>')).toBe('>');
});
@@ -74,6 +75,8 @@ describe('Security Utils', () => {
expect(isValidEmail('spam@mailinator.com')).toBe(false);
expect(isValidEmail('bot@yopmail.com')).toBe(false);
expect(isValidEmail('temp@temp-mail.org')).toBe(false);
expect(isValidEmail('spam@sharklasers.com')).toBe(false);
expect(isValidEmail('bot@maildrop.cc')).toBe(false);
});
it('rejects blocked domains regardless of case', () => {

8
src/utils/security.ts
View File

@@ -14,7 +14,8 @@ export function sanitizeInput(input: string): string {
.replace(/</g, "&lt;")
.replace(/>/g, "&gt;")
.replace(/"/g, "&quot;")
.replace(/'/g, "&#039;");
.replace(/'/g, "&#039;")
.replace(/`/g, "&#96;");
}
// Common disposable email providers and invalid domains
@@ -25,8 +26,13 @@ const BLOCKED_DOMAINS = new Set([
"yopmail.com",
"temp-mail.org",
"guerrillamail.com",
"guerrillamail.net",
"10minutemail.com",
"trashmail.com",
"sharklasers.com",
"dispostable.com",
"maildrop.cc",
"getairmail.com",
]);
/**