Problem

The API proxy (`src/server/api/apis-proxy.ts`) has three hardening gaps:

- Encoded path traversal: it only checks `path.includes('..')`, which misses encoded variants like `%2e%2e`
- No fetch timeout: upstream requests can hang indefinitely, tying up server resources
- No request body size limit: arbitrarily large payloads are accepted, a potential DoS vector

These matter because the proxy accepts user input from the "Try it out" API playground in the browser.

Suggested Fix

- Use `path.resolve()` with a prefix whitelist check instead of string matching
- Add `AbortSignal.timeout(30_000)` to the upstream `fetch()` call
- Validate the `Content-Length` header and reject bodies over a reasonable limit (e.g. 1MB)
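The three suggested fixes, written out as an added example; this is not the project's own code and it does not touch `apis-proxy.ts`. The names `API_ROOT`, `MAX_BODY_BYTES`, `UPSTREAM_TIMEOUT_MS`, `resolveProxyPath`, `contentLengthAllowed`, `BodyLimiter` and `upstreamRequestInit` are all assumptions, and the `/api/` prefix is a constructed value. One deliberate deviation from the bullet list: the path check uses `path.posix.join` against the root rather than `path.resolve`, because `resolve` discards the root when the user-supplied segment starts with `/`, whereas `join` always keeps it and then normalises `..` segments away, so the prefix check sees the real target.

```typescript
import * as path from "node:path";

// Assumed constants (not from the project). The prefix keeps its trailing
// slash so that "/apix/..." cannot satisfy a startsWith("/api") check.
const API_ROOT = "/api/";
const MAX_BODY_BYTES = 1024 * 1024;   // 1 MiB
const UPSTREAM_TIMEOUT_MS = 30_000;   // matches the AbortSignal.timeout(30_000) suggestion

// Percent-decode until the string stops changing, so "%252e%252e" (double
// encoded "..") is seen for what it is. Malformed escapes or input that is
// still changing after a few rounds is rejected outright.
function fullyDecode(input: string): string | null {
  let current = input;
  for (let round = 0; round < 3; round++) {
    let next: string;
    try {
      next = decodeURIComponent(current);
    } catch {
      return null;
    }
    if (next === current) return next;
    current = next;
  }
  return null;
}

// Returns the canonical upstream path, or null if the request escapes API_ROOT.
export function resolveProxyPath(userPath: string): string | null {
  const decoded = fullyDecode(userPath);
  if (decoded === null || decoded.includes("\0")) return null;
  // Treat backslashes as separators too, so "..\" cannot slip past POSIX normalisation.
  const candidate = path.posix.join(API_ROOT, decoded.replace(/\\/g, "/"));
  // Prefix whitelist: after normalisation the path must still live under the root.
  return candidate.startsWith(API_ROOT) ? candidate : null;
}

// Content-Length pre-check. A missing header (e.g. chunked encoding) is allowed
// here only because BodyLimiter below enforces the same cap while streaming;
// the header alone must not be trusted because a client can omit or misstate it.
export function contentLengthAllowed(header: string | undefined, limit = MAX_BODY_BYTES): boolean {
  if (header === undefined) return true;
  if (!/^\d{1,15}$/.test(header)) return false; // non-numeric, negative, or absurd
  return Number(header) <= limit;
}

// Counts bytes as they arrive; wire as req.on("data", c => limiter.accept(c) || req.destroy()).
export class BodyLimiter {
  private total = 0;
  constructor(private readonly limit: number = MAX_BODY_BYTES) {}
  accept(chunk: Uint8Array): boolean {
    this.total += chunk.byteLength;
    return this.total <= this.limit;
  }
  get bytesSeen(): number {
    return this.total;
  }
}

// Builds the init object for the upstream fetch(); the signal aborts the
// request after UPSTREAM_TIMEOUT_MS so a stalled upstream cannot pin a worker.
export function upstreamRequestInit(method: string, body?: string): { method: string; body?: string; signal: AbortSignal } {
  return { method, body, signal: AbortSignal.timeout(UPSTREAM_TIMEOUT_MS) };
}
```

In the handler the order would be: `resolveProxyPath` on the incoming path, `contentLengthAllowed` on the request header, a `BodyLimiter` attached to the body stream, then `fetch(upstream, upstreamRequestInit(req.method, body))` wrapped so that the `TimeoutError` from the aborted signal maps to a 504 rather than an unhandled rejection.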