🛡️ Sentinel: [security improvement] Harden input sanitization and domain blocking #62
@@ -27,3 +27,8 @@
|
|||||||
**Vulnerability:** Allowing users to register or submit forms with disposable email addresses (e.g., mailinator.com) can lead to spam, abuse, and polluted data.
|
**Vulnerability:** Allowing users to register or submit forms with disposable email addresses (e.g., mailinator.com) can lead to spam, abuse, and polluted data.
|
||||||
**Learning:** While true email verification requires a backend or API, a simple client-side blocklist of common disposable domains is a highly effective, low-cost first line of defense.
|
**Learning:** While true email verification requires a backend or API, a simple client-side blocklist of common disposable domains is a highly effective, low-cost first line of defense.
|
||||||
**Prevention:** Maintain a list of known disposable domains (e.g., `BLOCKED_DOMAINS`) and check the domain part of the email address during validation.
|
**Prevention:** Maintain a list of known disposable domains (e.g., `BLOCKED_DOMAINS`) and check the domain part of the email address during validation.
|
||||||
|
|
||||||
|
## 2026-02-14 - Incomplete Sanitization Implementation
|
||||||
|
**Vulnerability:** Security utilities (`sanitizeInput`) did not fully implement the documented protection (missing backtick escaping), and blocklists were incomplete.
|
||||||
|
**Learning:** Documentation and guidelines (even memories) can diverge from implementation. Regular audits are necessary to ensure the code actually matches the security specifications.
|
||||||
|
**Prevention:** Add specific unit tests for every character and domain in security specifications to prevent regression or incomplete implementation.
|
||||||
|
|||||||
@@ -10,6 +10,7 @@ describe('Security Utils', () => {
|
|||||||
expect(sanitizeInput('foo & bar')).toBe('foo & bar');
|
expect(sanitizeInput('foo & bar')).toBe('foo & bar');
|
||||||
expect(sanitizeInput('"quotes"')).toBe('"quotes"');
|
expect(sanitizeInput('"quotes"')).toBe('"quotes"');
|
||||||
expect(sanitizeInput("'single quotes'")).toBe(''single quotes'');
|
expect(sanitizeInput("'single quotes'")).toBe(''single quotes'');
|
||||||
|
expect(sanitizeInput('`backticks`')).toBe('`backticks`');
|
||||||
expect(sanitizeInput('>')).toBe('>');
|
expect(sanitizeInput('>')).toBe('>');
|
||||||
});
|
});
|
||||||
|
|
||||||
@@ -74,6 +75,8 @@ describe('Security Utils', () => {
|
|||||||
expect(isValidEmail('spam@mailinator.com')).toBe(false);
|
expect(isValidEmail('spam@mailinator.com')).toBe(false);
|
||||||
expect(isValidEmail('bot@yopmail.com')).toBe(false);
|
expect(isValidEmail('bot@yopmail.com')).toBe(false);
|
||||||
expect(isValidEmail('temp@temp-mail.org')).toBe(false);
|
expect(isValidEmail('temp@temp-mail.org')).toBe(false);
|
||||||
|
expect(isValidEmail('spam@sharklasers.com')).toBe(false);
|
||||||
|
expect(isValidEmail('spam@guerrillamail.net')).toBe(false);
|
||||||
});
|
});
|
||||||
|
|
||||||
it('rejects blocked domains regardless of case', () => {
|
it('rejects blocked domains regardless of case', () => {
|
||||||
|
|||||||
@@ -14,7 +14,8 @@ export function sanitizeInput(input: string): string {
|
|||||||
.replace(/</g, "<")
|
.replace(/</g, "<")
|
||||||
.replace(/>/g, ">")
|
.replace(/>/g, ">")
|
||||||
.replace(/"/g, """)
|
.replace(/"/g, """)
|
||||||
.replace(/'/g, "'");
|
.replace(/'/g, "'")
|
||||||
|
.replace(/`/g, "`");
|
||||||
}
|
}
|
||||||
|
|
||||||
// Common disposable email providers and invalid domains
|
// Common disposable email providers and invalid domains
|
||||||
@@ -25,6 +26,8 @@ const BLOCKED_DOMAINS = new Set([
|
|||||||
"yopmail.com",
|
"yopmail.com",
|
||||||
"temp-mail.org",
|
"temp-mail.org",
|
||||||
"guerrillamail.com",
|
"guerrillamail.com",
|
||||||
|
"guerrillamail.net",
|
||||||
|
"sharklasers.com",
|
||||||
"10minutemail.com",
|
"10minutemail.com",
|
||||||
"trashmail.com",
|
"trashmail.com",
|
||||||
]);
|
]);
|
||||||
|
|||||||
Reference in New Issue
Block a user