damanukyan/cryptowallet
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

security: round 3 hardening (CSRF double-submit, TRX MITM, container hardening)

Browse Source
This commit is contained in:
ZOMBIIIIIII
2026-05-12 01:47:58 +03:00
parent c8bc40af97
commit 8dc0855827
37 changed files with 1852 additions and 318 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
apps/api/src/routes/btc-proxy.routes.ts
View File

@@ -111,7 +111,8 @@ async function getFeeEstimates(_req: Request, res: Response) {
async function broadcastTx(req: Request, res: Response) {
const { hex } = req.body;
if (!hex || typeof hex !== 'string' || !/^[0-9a-fA-F]+$/.test(hex)) {
// BTC max tx serialized ~100KB = 200_000 hex chars. Cap чтобы не abuse'или bandwidth.
if (!hex || typeof hex !== 'string' || !/^[0-9a-fA-F]+$/.test(hex) || hex.length > 200_000) {
res.status(400).json({ success: false, error: 'Invalid transaction hex' });
return;
}
@@ -130,7 +131,8 @@ async function broadcastTx(req: Request, res: Response) {
const text = await response.text();
if (!response.ok) {
res.status(response.status).json({ success: false, error: text || 'Broadcast failed' });
// Don't leak Blockstream error body (could contain UTXO state oracle).
res.status(502).json({ success: false, error: 'BTC broadcast failed' });
return;
}