@ -103,6 +103,7 @@ ALLOWED_HEADERS = {
" x-forwarded-path " ,
" x-forwarded-path " ,
" x-forwarded-prefix " ,
" x-forwarded-prefix " ,
" cookie " ,
" cookie " ,
" x-kong-request-id "
} }
MAX_QUERY_PARAMS = 50 MAX_QUERY_PARAMS = 50
@ -193,33 +194,38 @@ def inspect_value(value: str, source: str):
if XSS_PATTERN . search ( value ) :
if XSS_PATTERN . search ( value ) :
log . warning ( f " Security violation: Potential XSS payload detected in { source } , value: { value } " )
raise HTTPException (
raise HTTPException (
status_code = 422 ,
status_code = 422 ,
detail = f" Potential XSS payload detected in { source } " ,
detail = " Invalid request parameters " ,
)
)
if SQLI_PATTERN . search ( value ) :
if SQLI_PATTERN . search ( value ) :
log . warning ( f " Security violation: Potential SQL injection payload detected in { source } , value: { value } " )
raise HTTPException (
raise HTTPException (
status_code = 422 ,
status_code = 422 ,
detail = f" Potential SQL injection payload detected in { source } " ,
detail = " Invalid request parameters " ,
)
)
if RCE_PATTERN . search ( value ) :
if RCE_PATTERN . search ( value ) :
log . warning ( f " Security violation: Potential RCE payload detected in { source } , value: { value } " )
raise HTTPException (
raise HTTPException (
status_code = 422 ,
status_code = 422 ,
detail = f" Potential RCE payload detected in { source } " ,
detail = " Invalid request parameters " ,
)
)
if TRAVERSAL_PATTERN . search ( value ) :
if TRAVERSAL_PATTERN . search ( value ) :
log . warning ( f " Security violation: Potential Path Traversal payload detected in { source } , value: { value } " )
raise HTTPException (
raise HTTPException (
status_code = 422 ,
status_code = 422 ,
detail = f" Potential Path Traversal payload detected in { source } " ,
detail = " Invalid request parameters " ,
)
)
if has_control_chars ( value ) :
if has_control_chars ( value ) :
log . warning ( f " Security violation: Invalid control characters detected in { source } " )
raise HTTPException (
raise HTTPException (
status_code = 422 ,
status_code = 422 ,
detail = f" Invalid control characters detected in { source } " ,
detail = " Invalid request parameters " ,
)
)
@ -227,15 +233,17 @@ def inspect_json(obj, path="body", check_whitelist=True):
if isinstance ( obj , dict ) :
if isinstance ( obj , dict ) :
for key , value in obj . items ( ) :
for key , value in obj . items ( ) :
if key in FORBIDDEN_JSON_KEYS :
if key in FORBIDDEN_JSON_KEYS :
log . warning ( f " Security violation: Forbidden JSON key detected: { path } . { key } " )
raise HTTPException (
raise HTTPException (
status_code = 422 ,
status_code = 422 ,
detail = f" Forbidden JSON key detected: { path } . { key } " ,
detail = " Invalid request parameters " ,
)
)
if check_whitelist and key not in ALLOWED_DATA_PARAMS :
if check_whitelist and key not in ALLOWED_DATA_PARAMS :
log . warning ( f " Security violation: Unknown JSON key detected: { path } . { key } " )
raise HTTPException (
raise HTTPException (
status_code = 422 ,
status_code = 422 ,
detail = f" Unknown JSON key detected: { path } . { key } " ,
detail = " Invalid request parameters " ,
)
)
# Recurse. If the key is a dynamic container, we stop whitelist checking for children.
# Recurse. If the key is a dynamic container, we stop whitelist checking for children.
@ -266,9 +274,10 @@ class RequestValidationMiddleware(BaseHTTPMiddleware):
ALLOW_DUPLICATE_HEADERS = { ' accept ' , ' accept-encoding ' , ' accept-language ' , ' accept-charset ' , ' cookie ' }
ALLOW_DUPLICATE_HEADERS = { ' accept ' , ' accept-encoding ' , ' accept-language ' , ' accept-charset ' , ' cookie ' }
real_duplicates = [ h for h in duplicate_headers if h not in ALLOW_DUPLICATE_HEADERS ]
real_duplicates = [ h for h in duplicate_headers if h not in ALLOW_DUPLICATE_HEADERS ]
if real_duplicates :
if real_duplicates :
log . warning ( f " Security violation: Duplicate headers detected: { real_duplicates } " )
raise HTTPException (
raise HTTPException (
status_code = 422 ,
status_code = 422 ,
detail = f" Duplicate headers are not allowed: { real_duplicates } " ,
detail = " Invalid request parameters " ,
)
)
# Whitelist headers
# Whitelist headers
@ -276,9 +285,10 @@ class RequestValidationMiddleware(BaseHTTPMiddleware):
if unknown_headers :
if unknown_headers :
filtered_unknown = [ h for h in unknown_headers if not h . startswith ( ' sec- ' ) ]
filtered_unknown = [ h for h in unknown_headers if not h . startswith ( ' sec- ' ) ]
if filtered_unknown :
if filtered_unknown :
log . warning ( f " Security violation: Unknown headers detected: { filtered_unknown } " )
raise HTTPException (
raise HTTPException (
status_code = 422 ,
status_code = 422 ,
detail = f" Unknown headers detected: { filtered_unknown } " ,
detail = " Invalid request parameters " ,
)
)
# Inspect header values
# Inspect header values
@ -290,25 +300,28 @@ class RequestValidationMiddleware(BaseHTTPMiddleware):
# 1. Query string limits
# 1. Query string limits
# -------------------------
# -------------------------
if len ( request . url . query ) > MAX_QUERY_LENGTH :
if len ( request . url . query ) > MAX_QUERY_LENGTH :
log . warning ( f " Security violation: Query string too long " )
raise HTTPException (
raise HTTPException (
status_code = 422 ,
status_code = 422 ,
detail = " Query string too long " ,
detail = " Invalid request parameters " ,
)
)
params = request . query_params . multi_items ( )
params = request . query_params . multi_items ( )
if len ( params ) > MAX_QUERY_PARAMS :
if len ( params ) > MAX_QUERY_PARAMS :
log . warning ( f " Security violation: Too many query parameters " )
raise HTTPException (
raise HTTPException (
status_code = 422 ,
status_code = 422 ,
detail = " Too many query parameters" ,
detail = " Invalid request parameters" ,
)
)
# Check for unknown query parameters
# Check for unknown query parameters
unknown_params = [ key for key , _ in params if key not in ALLOWED_DATA_PARAMS ]
unknown_params = [ key for key , _ in params if key not in ALLOWED_DATA_PARAMS ]
if unknown_params :
if unknown_params :
log . warning ( f " Security violation: Unknown query parameters detected: { unknown_params } " )
raise HTTPException (
raise HTTPException (
status_code = 422 ,
status_code = 422 ,
detail = f" Unknown query parameters detected: { unknown_params } " ,
detail = " Invalid request parameters " ,
)
)
# -------------------------
# -------------------------
@ -321,9 +334,10 @@ class RequestValidationMiddleware(BaseHTTPMiddleware):
]
]
if duplicates :
if duplicates :
log . warning ( f " Security violation: Duplicate query parameters detected: { duplicates } " )
raise HTTPException (
raise HTTPException (
status_code = 422 ,
status_code = 422 ,
detail = f" Duplicate query parameters are not allowed: { duplicates } " ,
detail = " Invalid request parameters " ,
)
)
# -------------------------
# -------------------------
@ -338,19 +352,22 @@ class RequestValidationMiddleware(BaseHTTPMiddleware):
try :
try :
size_val = int ( value )
size_val = int ( value )
if size_val > 50 :
if size_val > 50 :
log . warning ( f " Security violation: Pagination size too large ( { size_val } ) " )
raise HTTPException (
raise HTTPException (
status_code = 422 ,
status_code = 422 ,
detail = f" Pagination size ' { key } ' cannot exceed 50 " ,
detail = " Invalid request parameters " ,
)
)
if size_val % 5 != 0 :
if size_val % 5 != 0 :
log . warning ( f " Security violation: Pagination size not multiple of 5 ( { size_val } ) " )
raise HTTPException (
raise HTTPException (
status_code = 422 ,
status_code = 422 ,
detail = f" Pagination size ' { key } ' must be a multiple of 5 " ,
detail = " Invalid request parameters " ,
)
)
except ValueError :
except ValueError :
log . warning ( f " Security violation: Pagination size invalid value " )
raise HTTPException (
raise HTTPException (
status_code = 422 ,
status_code = 422 ,
detail = f" Pagination size ' { key } ' must be an integer " ,
detail = " Invalid request parameters " ,
)
)
# -------------------------
# -------------------------
@ -361,7 +378,8 @@ class RequestValidationMiddleware(BaseHTTPMiddleware):
content_type . startswith ( t )
content_type . startswith ( t )
for t in ( " application/json " , " multipart/form-data " , " application/x-www-form-urlencoded " )
for t in ( " application/json " , " multipart/form-data " , " application/x-www-form-urlencoded " )
) :
) :
raise HTTPException ( status_code = 422 , detail = " Unsupported Content-Type " )
log . warning ( f " Security violation: Unsupported Content-Type: { content_type } " )
raise HTTPException ( status_code = 422 , detail = " Invalid request parameters " )
# -------------------------
# -------------------------
# 5. Single source check (Query vs JSON Body)
# 5. Single source check (Query vs JSON Body)
@ -377,9 +395,10 @@ class RequestValidationMiddleware(BaseHTTPMiddleware):
has_body = True
has_body = True
if has_query and has_body :
if has_query and has_body :
log . warning ( f " Security violation: Mixed parameters (query + JSON body) " )
raise HTTPException (
raise HTTPException (
status_code = 422 ,
status_code = 422 ,
detail = " Parameters must be from a single source (query string or JSON body), mixed sources are not allowed " ,
detail = " Invalid request parameters " ,
)
)
# -------------------------
# -------------------------
@ -394,7 +413,8 @@ class RequestValidationMiddleware(BaseHTTPMiddleware):
try :
try :
payload = json . loads ( body )
payload = json . loads ( body )
except json . JSONDecodeError :
except json . JSONDecodeError :
raise HTTPException ( status_code = 422 , detail = " Invalid JSON body " )
log . warning ( f " Security violation: Invalid JSON body " )
raise HTTPException ( status_code = 422 , detail = " Invalid request parameters " )
inspect_json ( payload )
inspect_json ( payload )
