Kharec/goyco
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
33da6503e3716a145bf1784fb1f60eced39b18e9
goyco/internal/security/sanitizer.go

423 lines
10 KiB
Go
Raw Blame History

package security
import (
"fmt"
"html"
"regexp"
"slices"
"strings"
"unicode"
"unicode/utf8"
)
func SanitizeInput(input string) string {
if !utf8.ValidString(input) {
input = strings.ToValidUTF8(input, "")
}
cleaned := strings.TrimSpace(input)
cleaned = html.EscapeString(cleaned)
scriptRegex := regexp.MustCompile(`(?i)<script[^>]*>.*?</script>`)
cleaned = scriptRegex.ReplaceAllString(cleaned, "")
jsRegex := regexp.MustCompile(`(?i)javascript:`)
cleaned = jsRegex.ReplaceAllString(cleaned, "")
eventRegex := regexp.MustCompile(`(?i)\son\w+\s*=\s*"[^"]*"`)
cleaned = eventRegex.ReplaceAllString(cleaned, "")
return cleaned
}
func SanitizeUsername(username string) string {
cleaned := SanitizeInput(username)
reg := regexp.MustCompile(`[^a-zA-Z0-9_-]`)
cleaned = reg.ReplaceAllString(cleaned, "")
if len(cleaned) > 0 && !unicode.IsLetter(rune(cleaned[0])) && !unicode.IsDigit(rune(cleaned[0])) {
cleaned = "user_" + cleaned
}
return cleaned
}
func SanitizeEmail(email string) string {
cleaned := SanitizeInput(email)
cleaned = strings.ToLower(cleaned)
emailRegex := regexp.MustCompile(`^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$`)
if !emailRegex.MatchString(cleaned) {
return ""
}
return cleaned
}
func SanitizePostContent(content string) string {
if !utf8.ValidString(content) {
content = strings.ToValidUTF8(content, "")
}
cleaned := strings.TrimSpace(content)
cleaned = html.EscapeString(cleaned)
scriptRegex := regexp.MustCompile(`(?i)<script[^>]*>.*?</script>`)
cleaned = scriptRegex.ReplaceAllString(cleaned, "")
jsRegex := regexp.MustCompile(`(?i)javascript:`)
cleaned = jsRegex.ReplaceAllString(cleaned, "")
eventRegex := regexp.MustCompile(`(?i)\son\w+\s*=\s*"[^"]*"`)
cleaned = eventRegex.ReplaceAllString(cleaned, "")
return cleaned
}
func SanitizeURL(url string) string {
if !utf8.ValidString(url) {
url = strings.ToValidUTF8(url, "")
}
cleaned := strings.TrimSpace(url)
if !strings.HasPrefix(cleaned, "http://") && !strings.HasPrefix(cleaned, "https://") {
return ""
}
privateIPRegex := regexp.MustCompile(`(?i)(localhost|127\.0\.0\.1|0\.0\.0\.0|10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.|192\.168\.)`)
if privateIPRegex.MatchString(cleaned) {
return ""
}
if strings.Contains(cleaned, "169.254.169.254") {
return ""
}
return cleaned
}
type InputSanitizer struct {
MaxUsernameLength int
MaxEmailLength int
MaxTitleLength int
MaxContentLength int
MaxSearchLength int
}
func NewInputSanitizer() *InputSanitizer {
return &InputSanitizer{
MaxUsernameLength: 50,
MaxEmailLength: 100,
MaxTitleLength: 200,
MaxContentLength: 5000,
MaxSearchLength: 100,
}
}
func (s *InputSanitizer) SanitizeUsernameCLI(username string) (string, error) {
if username == "" {
return "", fmt.Errorf("username cannot be empty")
}
username = strings.TrimSpace(username)
if len(username) > s.MaxUsernameLength {
return "", fmt.Errorf("username must be %d characters or less", s.MaxUsernameLength)
}
if len(username) < 3 {
return "", fmt.Errorf("username must be at least 3 characters")
}
validUsernameRegex := regexp.MustCompile(`^[a-zA-Z0-9_-]+$`)
if !validUsernameRegex.MatchString(username) {
return "", fmt.Errorf("username can only contain letters, numbers, underscores, and hyphens")
}
reservedUsernames := []string{
"admin", "administrator", "root", "system", "api", "www", "mail",
"ftp", "localhost", "test", "demo", "guest", "user", "support",
"help", "info", "contact", "about", "privacy", "terms", "login",
"register", "signup", "signin", "logout", "profile", "settings",
"account", "dashboard", "home", "index", "default", "null", "undefined",
}
lowerUsername := strings.ToLower(username)
if slices.Contains(reservedUsernames, lowerUsername) {
return "", fmt.Errorf("username '%s' is reserved and cannot be used", username)
}
if strings.Contains(username, "__") || strings.Contains(username, "--") {
return "", fmt.Errorf("username cannot contain consecutive underscores or hyphens")
}
if strings.HasPrefix(username, "_") || strings.HasPrefix(username, "-") ||
strings.HasSuffix(username, "_") || strings.HasSuffix(username, "-") {
return "", fmt.Errorf("username cannot start or end with underscore or hyphen")
}
return username, nil
}
func (s *InputSanitizer) SanitizeEmailCLI(email string) (string, error) {
if email == "" {
return "", fmt.Errorf("email cannot be empty")
}
email = strings.TrimSpace(strings.ToLower(email))
if len(email) > s.MaxEmailLength {
return "", fmt.Errorf("email must be %d characters or less", s.MaxEmailLength)
}
emailRegex := regexp.MustCompile(`^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$`)
if !emailRegex.MatchString(email) {
return "", fmt.Errorf("invalid email format")
}
suspiciousPatterns := []string{
"..", "++", "--", "__", "%%",
}
for _, pattern := range suspiciousPatterns {
if strings.Contains(email, pattern) {
return "", fmt.Errorf("email contains invalid characters")
}
}
dotCount := strings.Count(email, ".")
if dotCount > 3 {
return "", fmt.Errorf("email contains too many dots")
}
return email, nil
}
func (s *InputSanitizer) SanitizePasswordCLI(password string) error {
if password == "" {
return fmt.Errorf("password cannot be empty")
}
if len(password) < 8 {
return fmt.Errorf("password must be at least 8 characters")
}
if len(password) > 128 {
return fmt.Errorf("password must be 128 characters or less")
}
weakPasswords := []string{
"password", "123456", "12345678", "qwerty", "abc123",
"password123", "admin", "letmein", "welcome", "monkey",
"dragon", "master", "hello", "login", "princess",
}
lowerPassword := strings.ToLower(password)
if slices.Contains(weakPasswords, lowerPassword) {
return fmt.Errorf("password is too common, please choose a stronger password")
}
hasUpper := false
hasLower := false
hasDigit := false
hasSpecial := false
for _, char := range password {
switch {
case unicode.IsUpper(char):
hasUpper = true
case unicode.IsLower(char):
hasLower = true
case unicode.IsDigit(char):
hasDigit = true
case unicode.IsPunct(char) || unicode.IsSymbol(char):
hasSpecial = true
}
}
countBools := func(bools ...bool) int {
count := 0
for _, b := range bools {
if b {
count++
}
}
return count
}
if countBools(hasUpper, hasLower, hasDigit, hasSpecial) < 3 {
return fmt.Errorf("password must contain at least 3 different character types (uppercase, lowercase, digits, special characters)")
}
return nil
}
func (s *InputSanitizer) SanitizeSearchTerm(term string) (string, error) {
if term == "" {
return "", nil
}
if !utf8.ValidString(term) {
term = strings.ToValidUTF8(term, "")
}
term = strings.TrimSpace(term)
if len(term) > s.MaxSearchLength {
return "", fmt.Errorf("search term must be %d characters or less", s.MaxSearchLength)
}
dangerousChars := []string{
"<", ">", "\"", "'", "&", "|", ";", "`", "$", "(", ")", "{", "}",
"[", "]", "\\", "/", "*", "?", "!", "@", "#", "%", "^", "~",
}
for _, char := range dangerousChars {
term = strings.ReplaceAll(term, char, "")
}
term = regexp.MustCompile(`\s+`).ReplaceAllString(term, " ")
if s.hasExcessiveRepetition(term) {
return "", fmt.Errorf("search term contains excessive repetition")
}
return term, nil
}
func (s *InputSanitizer) SanitizeTitleCLI(title string) (string, error) {
if title == "" {
return "", fmt.Errorf("title cannot be empty")
}
if !utf8.ValidString(title) {
title = strings.ToValidUTF8(title, "")
}
title = strings.TrimSpace(title)
if len(title) > s.MaxTitleLength {
return "", fmt.Errorf("title must be %d characters or less", s.MaxTitleLength)
}
if len(title) < 3 {
return "", fmt.Errorf("title must be at least 3 characters")
}
htmlTagRegex := regexp.MustCompile(`<[^>]*>`)
title = htmlTagRegex.ReplaceAllString(title, "")
title = regexp.MustCompile(`\s+`).ReplaceAllString(title, " ")
return title, nil
}
func (s *InputSanitizer) SanitizeContentCLI(content string) (string, error) {
if content == "" {
return "", fmt.Errorf("content cannot be empty")
}
if !utf8.ValidString(content) {
content = strings.ToValidUTF8(content, "")
}
content = strings.TrimSpace(content)
if len(content) > s.MaxContentLength {
return "", fmt.Errorf("content must be %d characters or less", s.MaxContentLength)
}
if len(content) < 10 {
return "", fmt.Errorf("content must be at least 10 characters")
}
dangerousTags := []string{
"<script", "</script>", "<iframe", "</iframe>", "<object", "</object>",
"<embed", "</embed>", "<form", "</form>", "<input", "<button",
"<link", "<meta", "<style", "</style>",
}
for _, tag := range dangerousTags {
content = regexp.MustCompile(`(?i)`+regexp.QuoteMeta(tag)).ReplaceAllString(content, "")
}
content = regexp.MustCompile(`\s+`).ReplaceAllString(content, " ")
return content, nil
}
func (s *InputSanitizer) hasExcessiveRepetition(text string) bool {
if s.hasRepeatedCharacters(text, 5) {
return true
}
words := strings.Fields(text)
wordCount := make(map[string]int)
for _, word := range words {
wordCount[strings.ToLower(word)]++
if wordCount[strings.ToLower(word)] > 3 {
return true
}
}
return false
}
func (s *InputSanitizer) hasRepeatedCharacters(str string, maxRepeats int) bool {
if len(str) <= maxRepeats {
return false
}
currentChar := rune(0)
count := 0
for _, char := range str {
if char == currentChar {
count++
if count > maxRepeats {
return true
}
} else {
currentChar = char
count = 1
}
}
return false
}
func (s *InputSanitizer) SanitizeID(idStr string) (uint, error) {
if idStr == "" {
return 0, fmt.Errorf("ID cannot be empty")
}
idStr = strings.TrimSpace(idStr)
if !regexp.MustCompile(`^\d+$`).MatchString(idStr) {
return 0, fmt.Errorf("ID must be a positive integer")
}
var id uint
_, err := fmt.Sscanf(idStr, "%d", &id)
if err != nil {
return 0, fmt.Errorf("invalid ID format: %s", idStr)
}
if id == 0 {
return 0, fmt.Errorf("ID must be greater than 0")
}
if id > 1000000 {
return 0, fmt.Errorf("ID is too large")
}
return id, nil
}
Reference in New Issue View Git Blame Copy Permalink