@miraj181/ipingyou 2.0.8 → 2.0.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/package.json +1 -1
  2. package/src/server.js +13 -1
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@miraj181/ipingyou",
3
- "version": "2.0.8",
3
+ "version": "2.0.9",
4
4
  "description": "SecureLink-CLI — Secure peer-to-peer remote access via SSH & Cloudflare Tunnels",
5
5
  "main": "src/cli.js",
6
6
  "bin": {
package/src/server.js CHANGED
@@ -79,8 +79,11 @@ function recordViolation(req) {
79
79
  }
80
80
  }
81
81
 
82
- // ─── In-memory store auto-expire after TTL ─────────────────
82
+ // ─── Constants & Limits ──────────────────────────────────────
83
83
  const TTL_MS = 60 * 60 * 1000; // 1 hour
84
+ const MAX_UIDS = 50000; // Max concurrent tunnels (prevent memory leak)
85
+ const MAX_VIOLATIONS = 50000; // Max tracked malicious IPs before reset
86
+
84
87
  const store = new Map(); // uid → { iv, ciphertext, salt, createdAt, clients: [] }
85
88
 
86
89
  function pruneExpired() {
@@ -91,6 +94,10 @@ function pruneExpired() {
91
94
  console.log(`🗑️ Expired UID: ${uid}`);
92
95
  }
93
96
  }
97
+
98
+ // Strict check to prevent malicious OOM overflow
99
+ if (ipViolations.size > MAX_VIOLATIONS) ipViolations.clear();
100
+ if (blacklistedIPs.size > MAX_VIOLATIONS) blacklistedIPs.clear();
94
101
  }
95
102
 
96
103
  // Run pruning every 5 minutes
@@ -136,6 +143,11 @@ app.post('/register', strictLimiter, (req, res) => {
136
143
  return res.status(400).json({ error: 'Invalid ciphertext' });
137
144
  }
138
145
 
146
+ // Prevent broker OOM
147
+ if (store.size >= MAX_UIDS && !store.has(uid)) {
148
+ return res.status(503).json({ error: 'Broker is at maximum capacity. Please try again later.' });
149
+ }
150
+
139
151
  // Store the encrypted blob as-is — broker NEVER decrypts
140
152
  store.set(uid, {
141
153
  iv,