From 91eb95520e1fdfdbc10ba2f78e949ddf9fbd9420 Mon Sep 17 00:00:00 2001
From: Heidi
Date: Thu, 14 May 2026 16:05:44 +0100
Subject: [PATCH] bug fix
---
 vite.config.js | 58 +++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 57 insertions(+), 1 deletion(-)
diff --git a/vite.config.js b/vite.config.js
index 6ad0f7a..ff85799 100644
--- a/vite.config.js
+++ b/vite.config.js
@@ -2,8 +2,64 @@ import { defineConfig } from 'vite'
 import react from '@vitejs/plugin-react'
 import tailwindcss from '@tailwindcss/vite'
+const MAX_TEAM_NAME_LENGTH = 80
+
+function isAllowedApiUrl(req) {
+ if (req.method !== 'GET' && req.method !== 'HEAD') return false
+
+ const url = new URL(req.url, 'http://localhost')
+ const params = url.searchParams
+
+ if (url.pathname === '/api/tss/leaderboard/teams') {
+ const keys = [...params.keys()]
+ const limit = Number(params.get('limit') || 100)
+ return keys.every((key) => key === 'limit') && Number.isInteger(limit) && limit >= 1 && limit <= 100
+ }
+
+ if (url.pathname === '/api/tss/teams/resolve') {
+ const keys = [...params.keys()]
+ const name = params.get('name') || ''
+ return keys.every((key) => key === 'name') && name.length >= 2 && name.length <= MAX_TEAM_NAME_LENGTH
+ }
+
+ if ([...params.keys()].length) return false
+
+ try {
+ const match = url.pathname.match(/^\/api\/tss\/teams\/([^/]+)(?:\/(history|games))?$/)
+ const teamName = match ? decodeURIComponent(match[1]) : ''
+ return Boolean(teamName) && teamName.length <= MAX_TEAM_NAME_LENGTH
+ } catch {
+ return false
+ }
+}
+
+function apiGuard() {
+ return {
+ name: 'api-guard',
+ configureServer(server) {
+ server.middlewares.use((req, res, next) => {
+ if (!req.url?.startsWith('/api/')) {
+ next()
+ return
+ }
+
+ if (isAllowedApiUrl(req)) {
+ next()
+ return
+ }
+
+ res.writeHead(404, {
+ 'content-type': 'application/json; charset=utf-8',
+ 'x-content-type-options': 'nosniff',
+ })
+ res.end(JSON.stringify({ error: 'API route not found' }))
+ })
+ },
+ }
+}
+
 export default defineConfig({
- plugins: [react(), tailwindcss()],
+ plugins: [apiGuard(), react(), tailwindcss()],
 server: {
 host: '0.0.0.0',
 port: 3001,
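Review bot: The `limit` check in the leaderboard branch of isAllowedApiUrl validates only the first occurrence and a coerced value, so a request the guard lets through can still be read differently by whatever handles `/api/` after `next()`: `params.get('limit')` ignores the second value in `?limit=5&limit=500` even though `keys.every` accepts both keys, and `Number(...)` admits forms such as `0x64`, `1e2` or ` 7 ` that a stricter parser would reject or interpret differently. Validate the raw string and require at most one occurrence, e.g. `const limits = params.getAll('limit')`, `if (limits.length > 1 || (limits.length === 1 && !/^\d{1,3}$/.test(limits[0]))) return false`, `const limit = Number(limits[0] ?? 100)`, keeping the existing range check; the `name` parameter in the resolve branch has the same duplicate-key gap. The consumer of these requests is not in the hunk, so how it resolves duplicates or parses numbers is inferred rather than visible. Separately, `new URL(req.url, 'http://localhost')` sits outside the `try`, so a request URL the parser rejects throws out of the middleware instead of being refused with the 404; moving that line into the `try` closes it.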