Merge pull request #264 from StreetSupport/fix/security-hardening

fix: address security vulnerabilities across CSP, sanitisation, rate limiting, and env exposure

Author: james-cross

next.config.ts

@@ -2,12 +2,29 @@ import {withSentryConfig} from '@sentry/nextjs';
 import dotenv from 'dotenv';
 dotenv.config({ path: '.env.local' });
 
+const cspDirectives = [
+  "default-src 'self'",
+  "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://maps.googleapis.com https://www.googletagmanager.com https://www.google-analytics.com https://*.sentry-cdn.com",
+  "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
+  "img-src 'self' data: blob: https://streetsupportstorageprod.blob.core.windows.net https://maps.googleapis.com https://maps.gstatic.com https://*.ggpht.com https://www.google-analytics.com https://www.googletagmanager.com",
+  "font-src 'self' https://fonts.gstatic.com",
+  "connect-src 'self' https://maps.googleapis.com https://www.google-analytics.com https://www.googletagmanager.com https://*.ingest.sentry.io https://*.sentry.io",
+  "frame-src https://www.youtube.com https://www.youtube-nocookie.com",
+  "frame-ancestors 'none'",
+  "object-src 'none'",
+  "base-uri 'self'",
+  "form-action 'self'",
+];
+
+const contentSecurityPolicy = cspDirectives.join('; ');
+
 const nextConfig = {
   async headers() {
     return [
       {
         source: '/(.*)',
         headers: [
+          { key: 'Content-Security-Policy', value: contentSecurityPolicy },
           { key: 'X-Content-Type-Options', value: 'nosniff' },
           { key: 'X-Frame-Options', value: 'DENY' },
           { key: 'X-XSS-Protection', value: '1; mode=block' },
@@ -39,7 +56,6 @@ const nextConfig = {
   reactStrictMode: true,
   env: {
     NEXT_PUBLIC_GOOGLE_MAPS_API_KEY: process.env.NEXT_PUBLIC_GOOGLE_MAPS_API_KEY,
-    MONGODB_URI: process.env.MONGODB_URI,
   },
   // Enable response compression for better performance
   compress: true,

src/app/api/geocode/route.ts

@@ -1,6 +1,29 @@
 import { NextRequest } from 'next/server';
+import { checkRateLimit } from '@/utils/rateLimit';
+
+const GEOCODE_RATE_LIMIT = {
+  maxRequests: 30,
+  windowMs: 60_000,
+};
 
 export async function GET(req: NextRequest) {
+  const { allowed, remaining, resetTime } = checkRateLimit(req, GEOCODE_RATE_LIMIT);
+
+  if (!allowed) {
+    return new Response(
+      JSON.stringify({ error: 'Too many requests. Please try again later.' }),
+      {
+        status: 429,
+        headers: {
+          'Content-Type': 'application/json',
+          'Retry-After': String(Math.ceil((resetTime - Date.now()) / 1000)),
+          'X-RateLimit-Limit': String(GEOCODE_RATE_LIMIT.maxRequests),
+          'X-RateLimit-Remaining': '0',
+        },
+      }
+    );
+  }
+
   const { searchParams } = new URL(req.url);
   const postcode = searchParams.get('postcode');
 
@@ -31,7 +54,11 @@ export async function GET(req: NextRequest) {
       const location = data.results[0].geometry.location;
       return new Response(JSON.stringify({ location }), {
         status: 200,
-        headers: { 'Content-Type': 'application/json' },
+        headers: {
+          'Content-Type': 'application/json',
+          'X-RateLimit-Limit': String(GEOCODE_RATE_LIMIT.maxRequests),
+          'X-RateLimit-Remaining': String(remaining),
+        },
       });
     } else {
       return new Response(

src/components/ui/MarkdownContent.tsx

@@ -2,6 +2,14 @@
 
 import React from 'react';
 import { decodeHtmlEntities } from '@/utils/htmlDecode';
+import { sanitiseHtml } from '@/utils/sanitiseHtml';
+
+const MARKDOWN_ALLOWED_TAGS = [
+  'p', 'br',
+  'strong', 'em', 'b', 'i',
+  'ul', 'ol', 'li',
+  'a',
+];
 
 interface MarkdownContentProps {
   content: string;
@@ -41,7 +49,7 @@ function processSimpleMarkdown(text: string): string {
       // Output the collected bullet items as a list
       if (currentBulletItems.length > 0) {
         const listItems = currentBulletItems.map(item => `<li>${item}</li>`).join('');
-        result.push(`<ul style="list-style-type: disc; padding-left: 1.5rem; margin: 0.5rem 0;">${listItems}</ul>`);
+        result.push(`<ul>${listItems}</ul>`);
         currentBulletItems = [];
       }
       inBulletSection = false;
@@ -58,7 +66,7 @@ function processSimpleMarkdown(text: string): string {
   // Handle any remaining bullet items at the end
   if (currentBulletItems.length > 0) {
     const listItems = currentBulletItems.map(item => `<li>${item}</li>`).join('');
-    result.push(`<ul style="list-style-type: disc; padding-left: 1.5rem; margin: 0.5rem 0;">${listItems}</ul>`);
+    result.push(`<ul>${listItems}</ul>`);
   }
 
   const finalResult = result.join('\n')
@@ -81,7 +89,7 @@ function processSimpleMarkdown(text: string): string {
       looseLiItems.push(line.trim());
     } else {
       if (looseLiItems.length > 0) {
-        wrappedResult.push(`<ul style="list-style-type: disc; padding-left: 1.5rem; margin: 0.5rem 0;">${looseLiItems.join('')}</ul>`);
+        wrappedResult.push(`<ul>${looseLiItems.join('')}</ul>`);
         looseLiItems = [];
       }
       wrappedResult.push(line);
@@ -90,7 +98,7 @@ function processSimpleMarkdown(text: string): string {
 
   // Handle any remaining loose items
   if (looseLiItems.length > 0) {
-    wrappedResult.push(`<ul style="list-style-type: disc; padding-left: 1.5rem; margin: 0.5rem 0;">${looseLiItems.join('')}</ul>`);
+    wrappedResult.push(`<ul>${looseLiItems.join('')}</ul>`);
   }
 
   return wrappedResult.join('\n')
@@ -110,11 +118,12 @@ function processSimpleMarkdown(text: string): string {
 export default function MarkdownContent({ content, className = '' }: MarkdownContentProps) {
   const decodedContent = decodeHtmlEntities(content);
   const processedContent = processSimpleMarkdown(decodedContent);
+  const sanitisedContent = sanitiseHtml(processedContent, MARKDOWN_ALLOWED_TAGS);
 
   return (
     <div
       className={`prose prose-gray max-w-none leading-relaxed prose-sm prose-p:text-sm prose-p:leading-normal prose-p:text-gray-800 ${className}`}
-      dangerouslySetInnerHTML={{ __html: processedContent }}
+      dangerouslySetInnerHTML={{ __html: sanitisedContent }}
     />
   );
 }

src/utils/rateLimit.ts

@@ -0,0 +1,59 @@
+import { NextRequest } from 'next/server';
+
+interface RateLimitEntry {
+  count: number;
+  resetTime: number;
+}
+
+const store = new Map<string, RateLimitEntry>();
+
+const CLEANUP_INTERVAL_MS = 60_000;
+let lastCleanup = Date.now();
+
+function cleanup() {
+  const now = Date.now();
+  if (now - lastCleanup < CLEANUP_INTERVAL_MS) return;
+  lastCleanup = now;
+  for (const [key, entry] of store) {
+    if (now > entry.resetTime) {
+      store.delete(key);
+    }
+  }
+}
+
+interface RateLimitOptions {
+  maxRequests: number;
+  windowMs: number;
+}
+
+interface RateLimitResult {
+  allowed: boolean;
+  remaining: number;
+  resetTime: number;
+}
+
+export function checkRateLimit(
+  req: NextRequest,
+  { maxRequests, windowMs }: RateLimitOptions
+): RateLimitResult {
+  cleanup();
+
+  const forwarded = req.headers.get('x-forwarded-for');
+  const ip = forwarded?.split(',')[0]?.trim() || 'unknown';
+  const now = Date.now();
+
+  const entry = store.get(ip);
+
+  if (!entry || now > entry.resetTime) {
+    store.set(ip, { count: 1, resetTime: now + windowMs });
+    return { allowed: true, remaining: maxRequests - 1, resetTime: now + windowMs };
+  }
+
+  entry.count += 1;
+
+  if (entry.count > maxRequests) {
+    return { allowed: false, remaining: 0, resetTime: entry.resetTime };
+  }
+
+  return { allowed: true, remaining: maxRequests - entry.count, resetTime: entry.resetTime };
+}

tests/__tests__/utils/rateLimit.test.ts

@@ -0,0 +1,90 @@
+import { checkRateLimit } from '../../../src/utils/rateLimit';
+import { NextRequest } from 'next/server';
+
+function makeRequest(ip: string = '127.0.0.1'): NextRequest {
+  const req = new NextRequest('http://localhost/api/geocode?postcode=M1+1AA', {
+    headers: { 'x-forwarded-for': ip },
+  });
+  return req;
+}
+
+describe('checkRateLimit', () => {
+  const options = { maxRequests: 3, windowMs: 60_000 };
+
+  it('should allow requests within the limit', () => {
+    const ip = '10.0.0.1';
+    const result1 = checkRateLimit(makeRequest(ip), options);
+    expect(result1.allowed).toBe(true);
+    expect(result1.remaining).toBe(2);
+
+    const result2 = checkRateLimit(makeRequest(ip), options);
+    expect(result2.allowed).toBe(true);
+    expect(result2.remaining).toBe(1);
+
+    const result3 = checkRateLimit(makeRequest(ip), options);
+    expect(result3.allowed).toBe(true);
+    expect(result3.remaining).toBe(0);
+  });
+
+  it('should block requests exceeding the limit', () => {
+    const ip = '10.0.0.2';
+    for (let i = 0; i < 3; i++) {
+      checkRateLimit(makeRequest(ip), options);
+    }
+
+    const blocked = checkRateLimit(makeRequest(ip), options);
+    expect(blocked.allowed).toBe(false);
+    expect(blocked.remaining).toBe(0);
+  });
+
+  it('should track different IPs independently', () => {
+    const ipA = '10.0.0.3';
+    const ipB = '10.0.0.4';
+
+    for (let i = 0; i < 3; i++) {
+      checkRateLimit(makeRequest(ipA), options);
+    }
+
+    const blockedA = checkRateLimit(makeRequest(ipA), options);
+    expect(blockedA.allowed).toBe(false);
+
+    const allowedB = checkRateLimit(makeRequest(ipB), options);
+    expect(allowedB.allowed).toBe(true);
+    expect(allowedB.remaining).toBe(2);
+  });
+
+  it('should reset after the window expires', () => {
+    const ip = '10.0.0.5';
+    const shortWindow = { maxRequests: 1, windowMs: 50 };
+
+    const result1 = checkRateLimit(makeRequest(ip), shortWindow);
+    expect(result1.allowed).toBe(true);
+
+    const blocked = checkRateLimit(makeRequest(ip), shortWindow);
+    expect(blocked.allowed).toBe(false);
+
+    return new Promise<void>((resolve) => {
+      setTimeout(() => {
+        const result2 = checkRateLimit(makeRequest(ip), shortWindow);
+        expect(result2.allowed).toBe(true);
+        resolve();
+      }, 60);
+    });
+  });
+
+  it('should include a resetTime in the result', () => {
+    const ip = '10.0.0.6';
+    const before = Date.now();
+    const result = checkRateLimit(makeRequest(ip), options);
+    const after = Date.now();
+
+    expect(result.resetTime).toBeGreaterThanOrEqual(before + options.windowMs);
+    expect(result.resetTime).toBeLessThanOrEqual(after + options.windowMs);
+  });
+
+  it('should handle missing x-forwarded-for header', () => {
+    const req = new NextRequest('http://localhost/api/geocode?postcode=M1+1AA');
+    const result = checkRateLimit(req, { maxRequests: 100, windowMs: 60_000 });
+    expect(result.allowed).toBe(true);
+  });
+});

vercel.json

@@ -18,6 +18,10 @@
     {
       "source": "/(.*)",
       "headers": [
+        {
+          "key": "Content-Security-Policy",
+          "value": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://maps.googleapis.com https://www.googletagmanager.com https://www.google-analytics.com https://*.sentry-cdn.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: blob: https://streetsupportstorageprod.blob.core.windows.net https://maps.googleapis.com https://maps.gstatic.com https://*.ggpht.com https://www.google-analytics.com https://www.googletagmanager.com; font-src 'self' https://fonts.gstatic.com; connect-src 'self' https://maps.googleapis.com https://www.google-analytics.com https://www.googletagmanager.com https://*.ingest.sentry.io https://*.sentry.io; frame-src https://www.youtube.com https://www.youtube-nocookie.com; frame-ancestors 'none'; object-src 'none'; base-uri 'self'; form-action 'self'"
+        },
         {
           "key": "X-Content-Type-Options",
           "value": "nosniff"