chore: add date validation (#427)

mojaloop · Jan 20, 2025 · 96b3e34 · 96b3e34
1 parent f36957f
commit 96b3e34
Show file tree

Hide file tree

Showing 4 changed files with 107 additions and 57 deletions.
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -60,6 +60,9 @@
   "dependencies": {
     "@hapi/catbox": "12.1.1",
     "@hapi/catbox-memory": "5.0.1",
+    "@hapi/hapi": "21.3.12",
+    "@hapi/joi": "17.1.1",
+    "@hapi/joi-date": "2.0.1",
     "@mojaloop/inter-scheme-proxy-cache-lib": "2.3.1",
     "axios": "1.7.9",
     "clone": "2.1.2",
@@ -81,12 +84,11 @@
     "yaml": "2.7.0"
   },
   "devDependencies": {
-    "@hapi/hapi": "21.3.12",
-    "@hapi/joi": "17.1.1",
+    "@types/hapi__joi": "^17.1.15",
     "audit-ci": "^7.1.0",
     "base64url": "3.0.1",
     "chance": "1.1.12",
-    "npm-check-updates": "17.1.13",
+    "npm-check-updates": "17.1.14",
     "nyc": "17.1.0",
     "portfinder": "1.0.32",
     "pre-commit": "1.2.2",

diff --git a/src/util/hapi/plugins/headerValidation.js b/src/util/hapi/plugins/headerValidation.js
@@ -6,7 +6,10 @@
 // accuracy of this statement has not been thoroughly tested.
 
 const { Factory: { createFSPIOPError }, Enums } = require('@mojaloop/central-services-error-handling')
-const { API_TYPES } = require('../../../constants')
+const RootJoi = require('@hapi/joi')
+const DateExtension = require('@hapi/joi-date')
+const Joi = RootJoi.extend(DateExtension)
+const { API_TYPES, MAX_CONTENT_LENGTH } = require('../../../constants')
 const {
   checkApiType,
   parseAcceptHeader,
@@ -100,10 +103,25 @@ const plugin = {
         }
       }
 
+      const dateSchema = Joi.date().format('ddd, DD MMM YYYY HH:mm:ss [GMT]').required()
+      const dateHeader = request.headers.date
+      const { error } = dateSchema.validate(dateHeader)
+
+      if (error) {
+        throw createFSPIOPError(Enums.FSPIOPErrorCodes.MALFORMED_SYNTAX, 'Invalid date header')
+      }
+
+      if (request.headers['content-length'] > MAX_CONTENT_LENGTH) {
+        throw createFSPIOPError(
+          Enums.FSPIOPErrorCodes.TOO_LARGE_PAYLOAD, 'Payload size is too large.'
+        )
+      }
+
       // Always validate the content-type header
       if (request.headers['content-type'] === undefined) {
         throw createFSPIOPError(Enums.FSPIOPErrorCodes.MISSING_ELEMENT, errorMessages.REQUIRE_CONTENT_TYPE_HEADER)
       }
+
       const contentType = parseContentTypeHeader(resource, request.headers['content-type'], apiType)
       if (!contentType.valid) {
         throw createFSPIOPError(