@miraj181/ipingyou 2.0.8 → 2.0.9
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +1 -1
- package/src/server.js +13 -1
package/package.json
CHANGED
package/src/server.js
CHANGED
|
@@ -79,8 +79,11 @@ function recordViolation(req) {
|
|
|
79
79
|
}
|
|
80
80
|
}
|
|
81
81
|
|
|
82
|
-
// ───
|
|
82
|
+
// ─── Constants & Limits ──────────────────────────────────────
|
|
83
83
|
const TTL_MS = 60 * 60 * 1000; // 1 hour
|
|
84
|
+
const MAX_UIDS = 50000; // Max concurrent tunnels (prevent memory leak)
|
|
85
|
+
const MAX_VIOLATIONS = 50000; // Max tracked malicious IPs before reset
|
|
86
|
+
|
|
84
87
|
const store = new Map(); // uid → { iv, ciphertext, salt, createdAt, clients: [] }
|
|
85
88
|
|
|
86
89
|
function pruneExpired() {
|
|
@@ -91,6 +94,10 @@ function pruneExpired() {
|
|
|
91
94
|
console.log(`🗑️ Expired UID: ${uid}`);
|
|
92
95
|
}
|
|
93
96
|
}
|
|
97
|
+
|
|
98
|
+
// Strict check to prevent malicious OOM overflow
|
|
99
|
+
if (ipViolations.size > MAX_VIOLATIONS) ipViolations.clear();
|
|
100
|
+
if (blacklistedIPs.size > MAX_VIOLATIONS) blacklistedIPs.clear();
|
|
94
101
|
}
|
|
95
102
|
|
|
96
103
|
// Run pruning every 5 minutes
|
|
@@ -136,6 +143,11 @@ app.post('/register', strictLimiter, (req, res) => {
|
|
|
136
143
|
return res.status(400).json({ error: 'Invalid ciphertext' });
|
|
137
144
|
}
|
|
138
145
|
|
|
146
|
+
// Prevent broker OOM
|
|
147
|
+
if (store.size >= MAX_UIDS && !store.has(uid)) {
|
|
148
|
+
return res.status(503).json({ error: 'Broker is at maximum capacity. Please try again later.' });
|
|
149
|
+
}
|
|
150
|
+
|
|
139
151
|
// Store the encrypted blob as-is — broker NEVER decrypts
|
|
140
152
|
store.set(uid, {
|
|
141
153
|
iv,
|