feat(handler): sanitize sensitive fields in form data

- Removes `username` and `apiKey` from form data to prevent errors from the LanguageTool server when these fields are present - Updates test cases to reflect the new handling of form data bodies
2025-05-11 10:59:49 +02:00
parent 4326a2d92c
commit b6763f7483
2 changed files with 37 additions and 6 deletions
--- a/src/tests/ltProxyHandler.test.ts
+++ b/src/tests/ltProxyHandler.test.ts
@@ -16,12 +16,16 @@ Deno.test('ltProxyHandler: proxies request and returns response', async () => {
    const originalFetch = globalThis.fetch;
    globalThis.fetch = async () => expectedResponse;

+    // Form body wie bei echtem Request
+    const formData = new URLSearchParams({ text: 'Hallo Welt' });
+    const bodyBytes = new TextEncoder().encode(formData.toString());
+
    const req = new Request('http://localhost/v2/check?language=de-DE', {
        method: 'POST',
-        body: new TextEncoder().encode('text=Hallo+Welt'),
        headers: {
            'content-type': 'application/x-www-form-urlencoded',
        },
+        body: bodyBytes,
    });

    const ctx: IContext = {
@@ -30,7 +34,9 @@ Deno.test('ltProxyHandler: proxies request and returns response', async () => {
        query: {
            language: 'de-DE',
        },
-        state: {},
+        state: {
+            body: bodyBytes,
+        },
    };

    const response = await ltProxyHandler(ctx);
--- a/src/ltProxyHandler.ts
+++ b/src/ltProxyHandler.ts
@@ -4,6 +4,7 @@ import { Env } from './env.ts';
 /**
 * Forwards the incoming request to the actual LanguageTool server.
 * Dynamically passes through path and query string.
+ * Removes `username` and `apiKey` from the FormData body if present.
 */
 export const handler: Handler = async (ctx) => {
    const originalUrl = new URL(ctx.req.url);
@@ -12,16 +13,40 @@ export const handler: Handler = async (ctx) => {
        `http://${Env.ltServerHost}:${Env.ltServerPort}`,
    );

+    const contentType = ctx.req.headers.get('content-type') ?? '';
+    let body: BodyInit | null = null;
+
+    if (
+        contentType.includes('application/x-www-form-urlencoded') &&
+        ctx.state.body
+    ) {
+        const text = new TextDecoder().decode(ctx.state.body as Uint8Array);
+        const params = new URLSearchParams(text);
+
+        // Remove `apiKey` and `username` from the params
+        // LanguageTool will react with a error if they are present
+        params.delete('apiKey');
+        params.delete('username');
+
+        body = params.toString();
+    } else {
+        console.debug('Unsupported content type:', contentType);
+        body = ctx.state.body as BodyInit | null;
+    }
+
+    const headers = new Headers(ctx.req.headers);
+    headers.delete('content-length');
+
    const forwarded = await fetch(proxyUrl.toString(), {
        method: ctx.req.method,
-        headers: ctx.req.headers,
-        body: ctx.req.body,
+        headers,
+        body,
    });

-    const headers = new Headers(forwarded.headers);
+    const respHeaders = new Headers(forwarded.headers);
    return new Response(forwarded.body, {
        status: forwarded.status,
-        headers,
+        headers: respHeaders,
    });
 };