@vex-chat/spire 0.7.4 → 1.0.0

package/src/server/avatar.ts

@@ -0,0 +1,141 @@
+import type { Database } from "../Database.ts";
+import type winston from "winston";
+
+import * as fs from "node:fs";
+import * as fsp from "node:fs/promises";
+
+import express from "express";
+
+import { XUtils } from "@vex-chat/crypto";
+import { FilePayloadSchema } from "@vex-chat/types";
+
+import { fileTypeFromBuffer, fileTypeFromFile } from "file-type";
+import multer from "multer";
+import { z } from "zod/v4";
+
+import { uploadLimiter } from "./rateLimit.ts";
+import { getParam, getUser } from "./utils.ts";
+
+import { ALLOWED_IMAGE_TYPES, protect } from "./index.ts";
+
+const safePathParam = z.string().regex(/^[a-zA-Z0-9._-]+$/);
+
+export const getAvatarRouter = (db: Database, log: winston.Logger) => {
+    const router = express.Router();
+
+    router.get("/:userID", async (req, res) => {
+        const safeId = safePathParam.safeParse(getParam(req, "userID"));
+        if (!safeId.success) {
+            res.sendStatus(400);
+            return;
+        }
+        const filePath = "./avatars/" + safeId.data;
+        const typeDetails = await fileTypeFromFile(filePath).catch(() => null);
+        if (!typeDetails) {
+            res.sendStatus(404);
+            return;
+        }
+        res.set("Content-type", typeDetails.mime);
+        res.set("Cache-control", "public, max-age=31536000");
+
+        const stream = fs.createReadStream(filePath);
+        stream.on("error", (err) => {
+            log.error(err.toString());
+            res.sendStatus(500);
+        });
+        stream.pipe(res);
+    });
+
+    router.post("/:userID/json", protect, async (req, res) => {
+        const parsed = FilePayloadSchema.safeParse(req.body);
+        if (!parsed.success) {
+            res.status(400).json({
+                error: "Invalid file payload",
+                issues: parsed.error.issues,
+            });
+            return;
+        }
+        const payload = parsed.data;
+        const userDetails = getUser(req);
+        const deviceDetails = req.device;
+
+        if (!deviceDetails) {
+            res.sendStatus(401);
+            return;
+        }
+
+        if (!payload.file) {
+            log.warn("MISSING FILE");
+            res.sendStatus(400);
+            return;
+        }
+
+        const buf = Buffer.from(XUtils.decodeBase64(payload.file));
+        const mimeType = await fileTypeFromBuffer(buf);
+        if (!ALLOWED_IMAGE_TYPES.includes(mimeType?.mime || "no/type")) {
+            res.status(400).send({
+                error:
+                    "Unsupported file type. Expected jpeg, png, gif, apng, avif, or svg but received " +
+                    String(mimeType?.ext),
+            });
+            return;
+        }
+
+        try {
+            // write the file to disk
+            await fsp.writeFile("avatars/" + userDetails.userID, buf);
+            log.info("Wrote new avatar " + userDetails.userID);
+            res.sendStatus(200);
+        } catch (err: unknown) {
+            log.warn(String(err));
+            res.sendStatus(500);
+        }
+    });
+
+    router.post(
+        "/:userID",
+        uploadLimiter,
+        protect,
+        multer().single("avatar"),
+        async (req, res) => {
+            const userDetails = getUser(req);
+            const deviceDetails = req.device;
+
+            if (!deviceDetails) {
+                res.sendStatus(401);
+                return;
+            }
+
+            if (!req.file) {
+                log.warn("MISSING FILE");
+                res.sendStatus(400);
+                return;
+            }
+
+            const mimeType = await fileTypeFromBuffer(req.file.buffer);
+            if (!ALLOWED_IMAGE_TYPES.includes(mimeType?.mime || "no/type")) {
+                res.status(400).send({
+                    error:
+                        "Unsupported file type. Expected jpeg, png, gif, apng, avif, or svg but received " +
+                        String(mimeType?.ext),
+                });
+                return;
+            }
+
+            try {
+                // write the file to disk
+                await fsp.writeFile(
+                    "avatars/" + userDetails.userID,
+                    req.file.buffer,
+                );
+                log.info("Wrote new avatar " + userDetails.userID);
+                res.sendStatus(200);
+            } catch (err: unknown) {
+                log.warn(String(err));
+                res.sendStatus(500);
+            }
+        },
+    );
+
+    return router;
+};

package/src/server/errors.ts

@@ -0,0 +1,133 @@
+/**
+ * Centralized HTTP error handling.
+ *
+ * Fixes two classes of CodeQL findings:
+ *
+ * - **CWE-209 / CWE-497 — Information exposure through stack trace.**
+ *   Previously, every route catch block did
+ *   `res.status(500).send(String(err))`, leaking raw error objects
+ *   (which include database internals, file paths, and stack traces)
+ *   back to the client. The new pattern: throw `AppError(status, msg)`
+ *   or let an unknown error propagate, and the single 4-arg middleware
+ *   below converts it into a JSON response with a generic message
+ *   while logging the full internals server-side via winston.
+ *
+ * - **CWE-79 / CWE-116 — Exception text reinterpreted as HTML.** Express's
+ *   default finalhandler sends thrown `Error` objects as
+ *   `Content-Type: text/html`, which means `throw new Error("bad param: "
+ *   + req.params.name)` became reflected XSS when the error page
+ *   rendered. The handler below ALWAYS sends `application/json`, so
+ *   even if a message somehow contains user input, the browser can't
+ *   execute it. The companion fix is `getParam()` in `utils.ts` now
+ *   throwing `AppError(400, "Missing route parameter")` with no user
+ *   input in the message string.
+ *
+ * Express 5 has native async support, so throwing from an async
+ * handler auto-forwards to `next(err)` and hits this middleware. No
+ * `express-async-errors` shim needed.
+ */
+import type { ErrorRequestHandler } from "express";
+import type winston from "winston";
+
+import { randomUUID } from "node:crypto";
+
+import { ZodError } from "zod/v4";
+
+/**
+ * Operational HTTP errors that are safe to surface to the client.
+ *
+ * - `status` — HTTP status code (400, 401, 403, 404, 409, etc.)
+ * - `message` — client-safe message, MUST NOT contain request data
+ *   (route params, body fields, query strings). Anything operator-
+ *   only (database errors, file paths) belongs in winston logs, not
+ *   in this string.
+ *
+ * Anything that isn't an `AppError` (raw `Error`, `TypeError`, a
+ * rejected promise from a DB query, etc.) is treated by the central
+ * handler as a **programmer error** — the client gets a generic 500
+ * with no detail, and the real error is logged server-side.
+ */
+export class AppError extends Error {
+    public readonly status: number;
+
+    constructor(status: number, message: string) {
+        super(message);
+        this.name = "AppError";
+        this.status = status;
+    }
+}
+
+/**
+ * Factory producing the central Express 5 error middleware.
+ *
+ * Register this as the LAST middleware in the app, after every
+ * route and router has been mounted:
+ *
+ *     api.use("/user", userRouter);
+ *     // ... all other routers ...
+ *     api.use(errorHandler(log));
+ */
+export const errorHandler =
+    (log: winston.Logger): ErrorRequestHandler =>
+    (err, req, res, _next) => {
+        // If headers already went out there's nothing safe to do except
+        // let Express's default handler close the socket.
+        if (res.headersSent) {
+            _next(err);
+            return;
+        }
+
+        const requestId = randomUUID();
+
+        let status = 500;
+        let clientMessage = "Internal Server Error";
+        let details: unknown;
+
+        if (err instanceof ZodError) {
+            // Validation failure at a trust boundary. The issue list is
+            // structured JSON (no raw user input as a rendered string),
+            // so it's safe to surface to help clients fix their payload.
+            status = 400;
+            clientMessage = "Validation failed";
+            details = err.issues;
+        } else if (err instanceof AppError) {
+            status = err.status;
+            clientMessage = err.message;
+        }
+
+        // Log the full internals server-side. `err instanceof Error` also
+        // catches AppError (extends Error), so we get stacks and messages
+        // for every branch in the logs.
+        if (err instanceof Error) {
+            log.error("request failed", {
+                error: {
+                    message: err.message,
+                    name: err.name,
+                    stack: err.stack,
+                },
+                method: req.method,
+                path: req.path,
+                requestId,
+                status,
+            });
+        } else {
+            log.error("request failed", {
+                error: String(err),
+                method: req.method,
+                path: req.path,
+                requestId,
+                status,
+            });
+        }
+
+        // ALWAYS JSON — prevents the exception-text-as-HTML XSS vector.
+        res.status(status)
+            .type("application/json")
+            .json({
+                error: {
+                    message: clientMessage,
+                    requestId,
+                    ...(details !== undefined ? { details } : {}),
+                },
+            });
+    };

package/src/server/file.ts

@@ -0,0 +1,172 @@
+import type { Database } from "../Database.ts";
+import type { FileSQL } from "@vex-chat/types";
+import type winston from "winston";
+
+import * as fs from "node:fs";
+import * as fsp from "node:fs/promises";
+import * as path from "node:path";
+
+import express from "express";
+
+import { XUtils } from "@vex-chat/crypto";
+import { FilePayloadSchema } from "@vex-chat/types";
+
+import multer from "multer";
+import { z } from "zod/v4";
+
+import { msgpack } from "../utils/msgpack.ts";
+
+import { uploadLimiter } from "./rateLimit.ts";
+import { getParam } from "./utils.ts";
+
+import { protect } from "./index.ts";
+
+const safePathParam = z.string().regex(/^[a-zA-Z0-9._-]+$/);
+
+export const getFileRouter = (db: Database, log: winston.Logger) => {
+    const router = express.Router();
+
+    router.get("/:id", protect, async (req, res) => {
+        const safeId = safePathParam.safeParse(getParam(req, "id"));
+        if (!safeId.success) {
+            res.sendStatus(400);
+            return;
+        }
+        const entry = await db.retrieveFile(safeId.data);
+        if (!entry) {
+            res.sendStatus(404);
+        } else {
+            const stream = fs.createReadStream("./files/" + entry.fileID);
+            stream.on("error", (err) => {
+                log.error(err.toString());
+                res.sendStatus(500);
+            });
+            stream.pipe(res);
+        }
+    });
+
+    router.get("/:id/details", protect, async (req, res) => {
+        const safeId = safePathParam.safeParse(getParam(req, "id"));
+        if (!safeId.success) {
+            res.sendStatus(400);
+            return;
+        }
+        const entry = await db.retrieveFile(safeId.data);
+        if (!entry) {
+            res.sendStatus(404);
+        } else {
+            fs.stat(path.resolve("./files/" + entry.fileID), (err, stat) => {
+                if (err) {
+                    res.sendStatus(500);
+                    return;
+                }
+                res.set("Cache-control", "public, max-age=31536000");
+                res.send(
+                    msgpack.encode({
+                        ...entry,
+                        birthtime: stat.birthtime,
+                        size: stat.size,
+                    }),
+                );
+            });
+        }
+    });
+
+    router.post("/json", protect, async (req, res) => {
+        const deviceDetails = req.device;
+
+        if (!deviceDetails) {
+            res.sendStatus(401);
+            return;
+        }
+
+        const parsed = FilePayloadSchema.safeParse(req.body);
+        if (!parsed.success) {
+            res.status(400).json({
+                error: "Invalid file payload",
+                issues: parsed.error.issues,
+            });
+            return;
+        }
+        const payload = parsed.data;
+
+        if (payload.nonce === "") {
+            res.sendStatus(400);
+            return;
+        }
+
+        if (!payload.file) {
+            res.sendStatus(400);
+            return;
+        }
+
+        const buf = Buffer.from(XUtils.decodeBase64(payload.file));
+
+        const newFile: FileSQL = {
+            fileID: crypto.randomUUID(),
+            nonce: payload.nonce,
+            owner: payload.owner,
+        };
+
+        await fsp.writeFile("files/" + newFile.fileID, buf);
+        log.info("Wrote new file " + newFile.fileID);
+
+        await db.createFile(newFile);
+        res.send(msgpack.encode(newFile));
+    });
+
+    // Multipart file upload — form fields are strings from multer, not full FilePayload
+    const multipartFields = z.object({
+        nonce: z.string().min(1),
+        owner: z.string().min(1),
+    });
+
+    router.post(
+        "/",
+        uploadLimiter,
+        protect,
+        multer().single("file"),
+        async (req, res) => {
+            const deviceDetails = req.device;
+
+            if (!deviceDetails) {
+                res.sendStatus(400);
+                return;
+            }
+
+            const parsed = multipartFields.safeParse(req.body);
+            if (!parsed.success) {
+                res.status(400).json({
+                    error: "Invalid file payload",
+                    issues: parsed.error.issues,
+                });
+                return;
+            }
+            const payload = parsed.data;
+
+            if (req.file === undefined) {
+                res.sendStatus(400);
+                return;
+            }
+
+            if (payload.nonce === "") {
+                res.sendStatus(400);
+                return;
+            }
+
+            const newFile: FileSQL = {
+                fileID: crypto.randomUUID(),
+                nonce: payload.nonce,
+                owner: payload.owner,
+            };
+
+            await fsp.writeFile("files/" + newFile.fileID, req.file.buffer);
+            log.info("Wrote new file " + newFile.fileID);
+
+            await db.createFile(newFile);
+            res.send(msgpack.encode(newFile));
+        },
+    );
+
+    return router;
+};