Description
The proxy module in src/proxy/ acts as a gateway between the Hub and downstream services (Campus-Marketplace, CCPS-Portal, etc.) but performs no input validation, sanitization, or rate limiting on forwarded requests.
If any downstream service has a vulnerability, the proxy provides no protective layer. Conversely, the proxy could be used to:
- Forward overly large payloads causing memory exhaustion on backend services
- Bypass rate limits on individual services (proxy has its own identity, so per-user rate limits don't apply)
- Amplify attacks by fanning out a single request to multiple downstream services
Expected Behavior
- Request payload size limits
- Input validation on proxied requests
- Per-user rate limiting at the proxy level
Suggested Fix
- Add request body size limits (
bodyLimit in Fastify)
- Implement a validation middleware that checks Content-Type and approximate payload size
- Add per-user rate limiting using the user identity extracted from auth
Affected Files
src/proxy/proxy.service.tssrc/proxy/proxy.module.ts
Description
The proxy module in
src/proxy/acts as a gateway between the Hub and downstream services (Campus-Marketplace, CCPS-Portal, etc.) but performs no input validation, sanitization, or rate limiting on forwarded requests.If any downstream service has a vulnerability, the proxy provides no protective layer. Conversely, the proxy could be used to:
Expected Behavior
Suggested Fix
bodyLimitin Fastify)Affected Files
src/proxy/proxy.service.tssrc/proxy/proxy.module.ts