admin/podcastdistributiona
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Security & robustness hardening pass

Browse Source 
Cross-cutting input-validation, isolation, and DoS-resistance fixes across
the app, API, billing, queue, and infra layers.

- Runtime validation (zod) for client-supplied admin actions (role/plan/
  limits), series generation index, and all pg-boss queue payloads
- Auth: require email verification before sign-in; reject weak/placeholder/
  short BETTER_AUTH_SECRET in production
- Billing: sanitize Stripe/PayPal errors (log server-side, generic to client);
  race-safe subscription upsert; only count "processed" webhook events as
  handled; verify org membership in getEffectivePlan to block plan escalation
- Series generation: reserve usage up front and refund on failure; bill the
  owning org, not the caller's active org
- Injection defenses: HTML-escape user fields in emails, strip CR/LF from
  subject/recipient, validate ElevenLabs voiceId before URL interpolation
- Media routes: stream off disk instead of buffering whole files; rate-limit
  anonymous public audio/cover endpoints by client IP
This commit is contained in:
Leon Serfaty
2026-06-20 20:59:03 -04:00
parent cd1d6a1a28
commit 51c541ad22
21 changed files with 489 additions and 152 deletions
Download Patch File Download Diff File Expand all files Collapse all files
lib/email/index.ts
+14 -3
View File
@@ -12,19 +12,30 @@ const FROM = process.env.EMAIL_FROM ?? "Podcast Distribution AI <noreply@podcast
* console (useful in local dev before RESEND_API_KEY is set).
*/
export async function sendEmail({ to, subject, html, text }: SendEmailInput): Promise<void> {
// Defense-in-depth header hygiene: strip CR/LF and other control chars so a
// user-controlled subject/recipient can't inject extra email headers.
const safeSubject = stripControlChars(subject).replace(/[\r\n]+/g, " ").trim();
const safeTo = stripControlChars(to).replace(/[\r\n]+/g, " ").trim();
const apiKey = process.env.RESEND_API_KEY;
if (!apiKey) {
console.info(`[email:dev] To: ${to} | Subject: ${subject}\n${text ?? html}`);
console.info(`[email:dev] To: ${safeTo} | Subject: ${safeSubject}\n${text ?? html}`);
return;
}
const { Resend } = await import("resend");
const resend = new Resend(apiKey);
const { error } = await resend.emails.send({ from: FROM, to, subject, html, text });
const { error } = await resend.emails.send({ from: FROM, to: safeTo, subject: safeSubject, html, text });
if (error) throw new Error(`Resend error: ${error.message}`);
}
/** Remove CR/LF and other ASCII control characters (header-injection defense). */
function stripControlChars(value: string): string {
// eslint-disable-next-line no-control-regex
return value.replace(/[\x00-\x1f\x7f]+/g, " ");
}
/** Escape text for safe interpolation into HTML/attribute contexts. */
function escapeHtml(value: string): string {
export function escapeHtml(value: string): string {
return value
.replace(/&/g, "&amp;")
.replace(/</g, "&lt;")