streamflow/backend/utils/inputValidator.js

/**
 * Comprehensive Input Validation Utility
 * Implements whitelist-based validation for all user inputs
 */

const validator = require('validator');

/**
 * Validation Rules Configuration
 */
const VALIDATION_RULES = {
  // User-related
  username: {
    minLength: 3,
    maxLength: 50,
    pattern: /^[a-zA-Z0-9_-]+$/,
    sanitize: true
  },
  email: {
    maxLength: 255,
    sanitize: true
  },
  password: {
    minLength: 8,
    maxLength: 128
  },
  // Content-related
  playlistName: {
    minLength: 1,
    maxLength: 200,
    pattern: /^[a-zA-Z0-9\s\-_.,()!]+$/,
    sanitize: true
  },
  channelName: {
    minLength: 1,
    maxLength: 200,
    sanitize: true
  },
  url: {
    maxLength: 2048,
    protocols: ['http', 'https', 'rtmp', 'rtsp', 'udp', 'rtp']
  },
  // Generic text fields
  description: {
    maxLength: 1000,
    sanitize: true
  },
  // File names
  filename: {
    maxLength: 255,
    pattern: /^[a-zA-Z0-9\s\-_.,()]+$/,
    sanitize: true
  },
  // Settings keys
  settingKey: {
    maxLength: 100,
    pattern: /^[a-zA-Z0-9_.-]+$/
  }
};

/**
 * Sanitize string input to prevent XSS
 */
function sanitizeString(str) {
  if (typeof str !== 'string') return str;
  
  // Remove HTML tags
  str = str.replace(/<[^>]*>/g, '');
  
  // Remove script-related content
  str = str.replace(/javascript:/gi, '');
  str = str.replace(/on\w+\s*=/gi, '');
  
  // Escape special characters
  return validator.escape(str);
}

// Export sanitizeString
module.exports.sanitizeString = sanitizeString;

/**
 * Validate username
 */
function validateUsername(username) {
  const errors = [];
  const rules = VALIDATION_RULES.username;
  
  if (!username || typeof username !== 'string') {
    errors.push('Username is required');
    return { valid: false, errors, sanitized: null };
  }
  
  const trimmed = username.trim();
  
  if (trimmed.length < rules.minLength) {
    errors.push(`Username must be at least ${rules.minLength} characters`);
  }
  
  if (trimmed.length > rules.maxLength) {
    errors.push(`Username must not exceed ${rules.maxLength} characters`);
  }
  
  if (!rules.pattern.test(trimmed)) {
    errors.push('Username can only contain letters, numbers, hyphens, and underscores');
  }
  
  const sanitized = rules.sanitize ? sanitizeString(trimmed) : trimmed;
  
  return {
    valid: errors.length === 0,
    errors,
    sanitized
  };
}

/**
 * Validate email
 */
function validateEmail(email) {
  const errors = [];
  const rules = VALIDATION_RULES.email;
  
  if (!email || typeof email !== 'string') {
    errors.push('Email is required');
    return { valid: false, errors, sanitized: null };
  }
  
  const trimmed = email.trim().toLowerCase();
  
  if (!validator.isEmail(trimmed)) {
    errors.push('Invalid email format');
  }
  
  if (trimmed.length > rules.maxLength) {
    errors.push(`Email must not exceed ${rules.maxLength} characters`);
  }
  
  const sanitized = rules.sanitize ? sanitizeString(trimmed) : trimmed;
  
  return {
    valid: errors.length === 0,
    errors,
    sanitized
  };
}

/**
 * Validate URL
 */
function validateUrl(url, allowLocalhost = false) {
  const errors = [];
  const rules = VALIDATION_RULES.url;
  
  if (!url || typeof url !== 'string') {
    errors.push('URL is required');
    return { valid: false, errors, sanitized: null };
  }
  
  const trimmed = url.trim();
  
  if (trimmed.length > rules.maxLength) {
    errors.push(`URL must not exceed ${rules.maxLength} characters`);
  }
  
  // Check if URL is valid and uses allowed protocols
  const options = {
    protocols: rules.protocols,
    require_protocol: true,
    allow_underscores: true
  };
  
  if (!allowLocalhost) {
    options.disallow_auth = false;
  }
  
  if (!validator.isURL(trimmed, options)) {
    errors.push('Invalid URL format');
  }
  
  // Additional security checks
  if (trimmed.includes('javascript:')) {
    errors.push('URL contains invalid content');
  }
  
  return {
    valid: errors.length === 0,
    errors,
    sanitized: trimmed
  };
}

/**
 * Validate playlist name
 */
function validatePlaylistName(name) {
  const errors = [];
  const rules = VALIDATION_RULES.playlistName;
  
  if (!name || typeof name !== 'string') {
    errors.push('Playlist name is required');
    return { valid: false, errors, sanitized: null };
  }
  
  const trimmed = name.trim();
  
  if (trimmed.length < rules.minLength) {
    errors.push(`Playlist name must be at least ${rules.minLength} character`);
  }
  
  if (trimmed.length > rules.maxLength) {
    errors.push(`Playlist name must not exceed ${rules.maxLength} characters`);
  }
  
  if (!rules.pattern.test(trimmed)) {
    errors.push('Playlist name contains invalid characters');
  }
  
  const sanitized = rules.sanitize ? sanitizeString(trimmed) : trimmed;
  
  return {
    valid: errors.length === 0,
    errors,
    sanitized
  };
}

/**
 * Validate channel name
 */
function validateChannelName(name) {
  const errors = [];
  const rules = VALIDATION_RULES.channelName;
  
  if (!name || typeof name !== 'string') {
    errors.push('Channel name is required');
    return { valid: false, errors, sanitized: null };
  }
  
  const trimmed = name.trim();
  
  if (trimmed.length < rules.minLength) {
    errors.push(`Channel name must be at least ${rules.minLength} character`);
  }
  
  if (trimmed.length > rules.maxLength) {
    errors.push(`Channel name must not exceed ${rules.maxLength} characters`);
  }
  
  const sanitized = rules.sanitize ? sanitizeString(trimmed) : trimmed;
  
  return {
    valid: errors.length === 0,
    errors,
    sanitized
  };
}

/**
 * Validate description/text field
 */
function validateDescription(description) {
  const errors = [];
  const rules = VALIDATION_RULES.description;
  
  if (!description) {
    return { valid: true, errors: [], sanitized: '' };
  }
  
  if (typeof description !== 'string') {
    errors.push('Description must be a string');
    return { valid: false, errors, sanitized: null };
  }
  
  const trimmed = description.trim();
  
  if (trimmed.length > rules.maxLength) {
    errors.push(`Description must not exceed ${rules.maxLength} characters`);
  }
  
  const sanitized = rules.sanitize ? sanitizeString(trimmed) : trimmed;
  
  return {
    valid: errors.length === 0,
    errors,
    sanitized
  };
}

/**
 * Validate filename
 */
function validateFilename(filename) {
  const errors = [];
  const rules = VALIDATION_RULES.filename;
  
  if (!filename || typeof filename !== 'string') {
    errors.push('Filename is required');
    return { valid: false, errors, sanitized: null };
  }
  
  const trimmed = filename.trim();
  
  if (trimmed.length > rules.maxLength) {
    errors.push(`Filename must not exceed ${rules.maxLength} characters`);
  }
  
  if (!rules.pattern.test(trimmed)) {
    errors.push('Filename contains invalid characters');
  }
  
  // Check for path traversal attempts
  if (trimmed.includes('..') || trimmed.includes('/') || trimmed.includes('\\')) {
    errors.push('Filename contains invalid path characters');
  }
  
  const sanitized = rules.sanitize ? sanitizeString(trimmed) : trimmed;
  
  return {
    valid: errors.length === 0,
    errors,
    sanitized
  };
}

/**
 * Validate setting key
 */
function validateSettingKey(key) {
  const errors = [];
  const rules = VALIDATION_RULES.settingKey;
  
  if (!key || typeof key !== 'string') {
    errors.push('Setting key is required');
    return { valid: false, errors, sanitized: null };
  }
  
  const trimmed = key.trim();
  
  if (trimmed.length > rules.maxLength) {
    errors.push(`Setting key must not exceed ${rules.maxLength} characters`);
  }
  
  if (!rules.pattern.test(trimmed)) {
    errors.push('Setting key contains invalid characters');
  }
  
  return {
    valid: errors.length === 0,
    errors,
    sanitized: trimmed
  };
}

/**
 * Validate integer
 */
function validateInteger(value, min = Number.MIN_SAFE_INTEGER, max = Number.MAX_SAFE_INTEGER) {
  const errors = [];
  
  const num = parseInt(value, 10);
  
  if (isNaN(num)) {
    errors.push('Must be a valid integer');
    return { valid: false, errors, sanitized: null };
  }
  
  if (num < min) {
    errors.push(`Must be at least ${min}`);
  }
  
  if (num > max) {
    errors.push(`Must not exceed ${max}`);
  }
  
  return {
    valid: errors.length === 0,
    errors,
    sanitized: num
  };
}

/**
 * Validate boolean
 */
function validateBoolean(value) {
  if (typeof value === 'boolean') {
    return { valid: true, errors: [], sanitized: value };
  }
  
  if (value === 'true' || value === '1' || value === 1) {
    return { valid: true, errors: [], sanitized: true };
  }
  
  if (value === 'false' || value === '0' || value === 0) {
    return { valid: true, errors: [], sanitized: false };
  }
  
  return {
    valid: false,
    errors: ['Must be a valid boolean'],
    sanitized: null
  };
}

/**
 * Validate JSON
 */
function validateJSON(value, maxSize = 10000) {
  const errors = [];
  
  if (typeof value === 'object') {
    const jsonString = JSON.stringify(value);
    if (jsonString.length > maxSize) {
      errors.push(`JSON data exceeds maximum size of ${maxSize} characters`);
    }
    return {
      valid: errors.length === 0,
      errors,
      sanitized: value
    };
  }
  
  if (typeof value !== 'string') {
    errors.push('Must be valid JSON');
    return { valid: false, errors, sanitized: null };
  }
  
  try {
    const parsed = JSON.parse(value);
    if (value.length > maxSize) {
      errors.push(`JSON data exceeds maximum size of ${maxSize} characters`);
    }
    return {
      valid: errors.length === 0,
      errors,
      sanitized: parsed
    };
  } catch (e) {
    errors.push('Invalid JSON format');
    return { valid: false, errors, sanitized: null };
  }
}

/**
 * Sanitize object with multiple fields
 */
function sanitizeObject(obj, schema) {
  const sanitized = {};
  const errors = {};
  let hasErrors = false;
  
  for (const [key, validator] of Object.entries(schema)) {
    const value = obj[key];
    const result = validator(value);
    
    if (!result.valid) {
      errors[key] = result.errors;
      hasErrors = true;
    } else {
      sanitized[key] = result.sanitized;
    }
  }
  
  return {
    valid: !hasErrors,
    errors,
    sanitized
  };
}

module.exports = {
  validateUsername,
  validateEmail,
  validateUrl,
  validatePlaylistName,
  validateChannelName,
  validateDescription,
  validateFilename,
  validateSettingKey,
  validateInteger,
  validateBoolean,
  validateJSON,
  sanitizeString,
  sanitizeObject,
  VALIDATION_RULES
};
Initial commit: StreamFlow IPTV platform 2025-12-17 00:42:43 +00:00			`/**`
			`* Comprehensive Input Validation Utility`
			`* Implements whitelist-based validation for all user inputs`
			`*/`

			`const validator = require('validator');`

			`/**`
			`* Validation Rules Configuration`
			`*/`
			`const VALIDATION_RULES = {`
			`// User-related`
			`username: {`
			`minLength: 3,`
			`maxLength: 50,`
			`pattern: /^[a-zA-Z0-9_-]+$/,`
			`sanitize: true`
			`},`
			`email: {`
			`maxLength: 255,`
			`sanitize: true`
			`},`
			`password: {`
			`minLength: 8,`
			`maxLength: 128`
			`},`
			`// Content-related`
			`playlistName: {`
			`minLength: 1,`
			`maxLength: 200,`
			`pattern: /^[a-zA-Z0-9\s\-_.,()!]+$/,`
			`sanitize: true`
			`},`
			`channelName: {`
			`minLength: 1,`
			`maxLength: 200,`
			`sanitize: true`
			`},`
			`url: {`
			`maxLength: 2048,`
			`protocols: ['http', 'https', 'rtmp', 'rtsp', 'udp', 'rtp']`
			`},`
			`// Generic text fields`
			`description: {`
			`maxLength: 1000,`
			`sanitize: true`
			`},`
			`// File names`
			`filename: {`
			`maxLength: 255,`
			`pattern: /^[a-zA-Z0-9\s\-_.,()]+$/,`
			`sanitize: true`
			`},`
			`// Settings keys`
			`settingKey: {`
			`maxLength: 100,`
			`pattern: /^[a-zA-Z0-9_.-]+$/`
			`}`
			`};`

			`/**`
			`* Sanitize string input to prevent XSS`
			`*/`
			`function sanitizeString(str) {`
			`if (typeof str !== 'string') return str;`

			`// Remove HTML tags`
			`str = str.replace(/<[^>]*>/g, '');`

			`// Remove script-related content`
			`str = str.replace(/javascript:/gi, '');`
			`str = str.replace(/on\w+\s*=/gi, '');`

			`// Escape special characters`
			`return validator.escape(str);`
			`}`

			`// Export sanitizeString`
			`module.exports.sanitizeString = sanitizeString;`

			`/**`
			`* Validate username`
			`*/`
			`function validateUsername(username) {`
			`const errors = [];`
			`const rules = VALIDATION_RULES.username;`

			`if (!username \|\| typeof username !== 'string') {`
			`errors.push('Username is required');`
			`return { valid: false, errors, sanitized: null };`
			`}`

			`const trimmed = username.trim();`

			`if (trimmed.length < rules.minLength) {`
			errors.push(`Username must be at least ${rules.minLength} characters`);
			`}`

			`if (trimmed.length > rules.maxLength) {`
			errors.push(`Username must not exceed ${rules.maxLength} characters`);
			`}`

			`if (!rules.pattern.test(trimmed)) {`
			`errors.push('Username can only contain letters, numbers, hyphens, and underscores');`
			`}`

			`const sanitized = rules.sanitize ? sanitizeString(trimmed) : trimmed;`

			`return {`
			`valid: errors.length === 0,`
			`errors,`
			`sanitized`
			`};`
			`}`

			`/**`
			`* Validate email`
			`*/`
			`function validateEmail(email) {`
			`const errors = [];`
			`const rules = VALIDATION_RULES.email;`

			`if (!email \|\| typeof email !== 'string') {`
			`errors.push('Email is required');`
			`return { valid: false, errors, sanitized: null };`
			`}`

			`const trimmed = email.trim().toLowerCase();`

			`if (!validator.isEmail(trimmed)) {`
			`errors.push('Invalid email format');`
			`}`

			`if (trimmed.length > rules.maxLength) {`
			errors.push(`Email must not exceed ${rules.maxLength} characters`);
			`}`

			`const sanitized = rules.sanitize ? sanitizeString(trimmed) : trimmed;`

			`return {`
			`valid: errors.length === 0,`
			`errors,`
			`sanitized`
			`};`
			`}`

			`/**`
			`* Validate URL`
			`*/`
			`function validateUrl(url, allowLocalhost = false) {`
			`const errors = [];`
			`const rules = VALIDATION_RULES.url;`

			`if (!url \|\| typeof url !== 'string') {`
			`errors.push('URL is required');`
			`return { valid: false, errors, sanitized: null };`
			`}`

			`const trimmed = url.trim();`

			`if (trimmed.length > rules.maxLength) {`
			errors.push(`URL must not exceed ${rules.maxLength} characters`);
			`}`

			`// Check if URL is valid and uses allowed protocols`
			`const options = {`
			`protocols: rules.protocols,`
			`require_protocol: true,`
			`allow_underscores: true`
			`};`

			`if (!allowLocalhost) {`
			`options.disallow_auth = false;`
			`}`

			`if (!validator.isURL(trimmed, options)) {`
			`errors.push('Invalid URL format');`
			`}`

			`// Additional security checks`
			`if (trimmed.includes('javascript:')) {`
			`errors.push('URL contains invalid content');`
			`}`

			`return {`
			`valid: errors.length === 0,`
			`errors,`
			`sanitized: trimmed`
			`};`
			`}`

			`/**`
			`* Validate playlist name`
			`*/`
			`function validatePlaylistName(name) {`
			`const errors = [];`
			`const rules = VALIDATION_RULES.playlistName;`

			`if (!name \|\| typeof name !== 'string') {`
			`errors.push('Playlist name is required');`
			`return { valid: false, errors, sanitized: null };`
			`}`

			`const trimmed = name.trim();`

			`if (trimmed.length < rules.minLength) {`
			errors.push(`Playlist name must be at least ${rules.minLength} character`);
			`}`

			`if (trimmed.length > rules.maxLength) {`
			errors.push(`Playlist name must not exceed ${rules.maxLength} characters`);
			`}`

			`if (!rules.pattern.test(trimmed)) {`
			`errors.push('Playlist name contains invalid characters');`
			`}`

			`const sanitized = rules.sanitize ? sanitizeString(trimmed) : trimmed;`

			`return {`
			`valid: errors.length === 0,`
			`errors,`
			`sanitized`
			`};`
			`}`

			`/**`
			`* Validate channel name`
			`*/`
			`function validateChannelName(name) {`
			`const errors = [];`
			`const rules = VALIDATION_RULES.channelName;`

			`if (!name \|\| typeof name !== 'string') {`
			`errors.push('Channel name is required');`
			`return { valid: false, errors, sanitized: null };`
			`}`

			`const trimmed = name.trim();`

			`if (trimmed.length < rules.minLength) {`
			errors.push(`Channel name must be at least ${rules.minLength} character`);
			`}`

			`if (trimmed.length > rules.maxLength) {`
			errors.push(`Channel name must not exceed ${rules.maxLength} characters`);
			`}`

			`const sanitized = rules.sanitize ? sanitizeString(trimmed) : trimmed;`

			`return {`
			`valid: errors.length === 0,`
			`errors,`
			`sanitized`
			`};`
			`}`

			`/**`
			`* Validate description/text field`
			`*/`
			`function validateDescription(description) {`
			`const errors = [];`
			`const rules = VALIDATION_RULES.description;`

			`if (!description) {`
			`return { valid: true, errors: [], sanitized: '' };`
			`}`

			`if (typeof description !== 'string') {`
			`errors.push('Description must be a string');`
			`return { valid: false, errors, sanitized: null };`
			`}`

			`const trimmed = description.trim();`

			`if (trimmed.length > rules.maxLength) {`
			errors.push(`Description must not exceed ${rules.maxLength} characters`);
			`}`

			`const sanitized = rules.sanitize ? sanitizeString(trimmed) : trimmed;`

			`return {`
			`valid: errors.length === 0,`
			`errors,`
			`sanitized`
			`};`
			`}`

			`/**`
			`* Validate filename`
			`*/`
			`function validateFilename(filename) {`
			`const errors = [];`
			`const rules = VALIDATION_RULES.filename;`

			`if (!filename \|\| typeof filename !== 'string') {`
			`errors.push('Filename is required');`
			`return { valid: false, errors, sanitized: null };`
			`}`

			`const trimmed = filename.trim();`

			`if (trimmed.length > rules.maxLength) {`
			errors.push(`Filename must not exceed ${rules.maxLength} characters`);
			`}`

			`if (!rules.pattern.test(trimmed)) {`
			`errors.push('Filename contains invalid characters');`
			`}`

			`// Check for path traversal attempts`
			`if (trimmed.includes('..') \|\| trimmed.includes('/') \|\| trimmed.includes('\\')) {`
			`errors.push('Filename contains invalid path characters');`
			`}`

			`const sanitized = rules.sanitize ? sanitizeString(trimmed) : trimmed;`

			`return {`
			`valid: errors.length === 0,`
			`errors,`
			`sanitized`
			`};`
			`}`

			`/**`
			`* Validate setting key`
			`*/`
			`function validateSettingKey(key) {`
			`const errors = [];`
			`const rules = VALIDATION_RULES.settingKey;`

			`if (!key \|\| typeof key !== 'string') {`
			`errors.push('Setting key is required');`
			`return { valid: false, errors, sanitized: null };`
			`}`

			`const trimmed = key.trim();`

			`if (trimmed.length > rules.maxLength) {`
			errors.push(`Setting key must not exceed ${rules.maxLength} characters`);
			`}`

			`if (!rules.pattern.test(trimmed)) {`
			`errors.push('Setting key contains invalid characters');`
			`}`

			`return {`
			`valid: errors.length === 0,`
			`errors,`
			`sanitized: trimmed`
			`};`
			`}`

			`/**`
			`* Validate integer`
			`*/`
			`function validateInteger(value, min = Number.MIN_SAFE_INTEGER, max = Number.MAX_SAFE_INTEGER) {`
			`const errors = [];`

			`const num = parseInt(value, 10);`

			`if (isNaN(num)) {`
			`errors.push('Must be a valid integer');`
			`return { valid: false, errors, sanitized: null };`
			`}`

			`if (num < min) {`
			errors.push(`Must be at least ${min}`);
			`}`

			`if (num > max) {`
			errors.push(`Must not exceed ${max}`);
			`}`

			`return {`
			`valid: errors.length === 0,`
			`errors,`
			`sanitized: num`
			`};`
			`}`

			`/**`
			`* Validate boolean`
			`*/`
			`function validateBoolean(value) {`
			`if (typeof value === 'boolean') {`
			`return { valid: true, errors: [], sanitized: value };`
			`}`

			`if (value === 'true' \|\| value === '1' \|\| value === 1) {`
			`return { valid: true, errors: [], sanitized: true };`
			`}`

			`if (value === 'false' \|\| value === '0' \|\| value === 0) {`
			`return { valid: true, errors: [], sanitized: false };`
			`}`

			`return {`
			`valid: false,`
			`errors: ['Must be a valid boolean'],`
			`sanitized: null`
			`};`
			`}`

			`/**`
			`* Validate JSON`
			`*/`
			`function validateJSON(value, maxSize = 10000) {`
			`const errors = [];`

			`if (typeof value === 'object') {`
			`const jsonString = JSON.stringify(value);`
			`if (jsonString.length > maxSize) {`
			errors.push(`JSON data exceeds maximum size of ${maxSize} characters`);
			`}`
			`return {`
			`valid: errors.length === 0,`
			`errors,`
			`sanitized: value`
			`};`
			`}`

			`if (typeof value !== 'string') {`
			`errors.push('Must be valid JSON');`
			`return { valid: false, errors, sanitized: null };`
			`}`

			`try {`
			`const parsed = JSON.parse(value);`
			`if (value.length > maxSize) {`
			errors.push(`JSON data exceeds maximum size of ${maxSize} characters`);
			`}`
			`return {`
			`valid: errors.length === 0,`
			`errors,`
			`sanitized: parsed`
			`};`
			`} catch (e) {`
			`errors.push('Invalid JSON format');`
			`return { valid: false, errors, sanitized: null };`
			`}`
			`}`

			`/**`
			`* Sanitize object with multiple fields`
			`*/`
			`function sanitizeObject(obj, schema) {`
			`const sanitized = {};`
			`const errors = {};`
			`let hasErrors = false;`

			`for (const [key, validator] of Object.entries(schema)) {`
			`const value = obj[key];`
			`const result = validator(value);`

			`if (!result.valid) {`
			`errors[key] = result.errors;`
			`hasErrors = true;`
			`} else {`
			`sanitized[key] = result.sanitized;`
			`}`
			`}`

			`return {`
			`valid: !hasErrors,`
			`errors,`
			`sanitized`
			`};`
			`}`

			`module.exports = {`
			`validateUsername,`
			`validateEmail,`
			`validateUrl,`
			`validatePlaylistName,`
			`validateChannelName,`
			`validateDescription,`
			`validateFilename,`
			`validateSettingKey,`
			`validateInteger,`
			`validateBoolean,`
			`validateJSON,`
			`sanitizeString,`
			`sanitizeObject,`
			`VALIDATION_RULES`
			`};`