direct-img/direct-img.link
1
0
Fork 0
mirror of https://github.com/direct-img/direct-img.link.git synced 2026-03-17 03:01:01 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix: Sanitize queries, limit length, normalize slashes

Browse Source
This commit is contained in:
multipleof4
2026-02-13 21:49:53 -08:00
parent d9466a9c08
commit ac74ce6cbe
1 changed files with 17 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
functions/[[path]].js
View File

@@ -13,6 +13,11 @@ export async function onRequest(context) {
return jsonResponse(400, { error: "Empty query" }); return jsonResponse(400, { error: "Empty query" });
} }
// Max query length: 200 chars after normalization
if (query.length > 200) {
return jsonResponse(400, { error: "Query too long (max 200 characters)" });
}
const cacheKey = query; const cacheKey = query;
const r2Key = await sha256(query); const r2Key = await sha256(query);
@@ -143,9 +148,19 @@ async function notify(env, { title, message, tags, priority }) {
function normalizeQuery(path) { function normalizeQuery(path) {
try { try {
const decoded = decodeURIComponent(path.replace(/\+/g, " ")); const decoded = decodeURIComponent(path.replace(/\+/g, " "));
return decoded.toLowerCase().trim(); return decoded
.toLowerCase()
.trim()
.replace(/[\x00-\x1f]/g, "") // Strip null bytes and control chars
.replace(/\/+$/, "") // Strip trailing slashes
.replace(/\s+/g, " "); // Collapse multiple spaces
} catch { } catch {
return path.toLowerCase().trim(); return path
.toLowerCase()
.trim()
.replace(/[\x00-\x1f]/g, "")
.replace(/\/+$/, "")
.replace(/\s+/g, " ");
} }
} }