From 53b64634a6b975230a1389e1cd09c7df5f68608e Mon Sep 17 00:00:00 2001
From: Jesus Galaz <jesusgalazr@icloud.com>
Date: Wed, 16 Oct 2024 06:24:29 +0200
Subject: [PATCH] Trying to fix vulnerability issues

---
 server.js | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/server.js b/server.js
index 8dc73f1..436e21d 100644
--- a/server.js
+++ b/server.js
@@ -2,6 +2,7 @@ const express = require('express');
 const path = require('path');
 const connectDB = require('./mongodb');
 const session = require('express-session');
+const url = require('url');
 
 const app = express();
 
@@ -9,6 +10,20 @@ const app = express();
 app.use(express.json());
 app.use(express.static(path.join(__dirname, 'public')));
 
+// Allow only localhost for SSRF protection
+function validateLocalhost(req, res, next) {
+  const remoteAddress = req.connection.remoteAddress;
+
+  // Allow requests only from localhost (IPv4 and IPv6)
+  if (remoteAddress !== '127.0.0.1' && remoteAddress !== '::1') {
+    return res.status(403).send('External requests are forbidden');
+  }
+
+  next();
+}
+
+app.use(validateLocalhost);  // Add the middleware
+
 // Session configuration
 app.use(
   session({
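Review bot: The check in `validateLocalhost` does not address SSRF as the comment above it claims: SSRF concerns URLs the server itself fetches, whereas this middleware only inspects the inbound client's `remoteAddress`, and because it is mounted with `app.use` ahead of the session setup it turns away every non-loopback client, making the site unreachable to real users while being a no-op if the app sits behind a reverse proxy, where every connection arrives from 127.0.0.1. If loopback-only access really is the intent, `req.connection` is deprecated in Node and dual-stack listeners report IPv4 loopback as `::ffff:127.0.0.1`, which the two string comparisons reject; use `const remoteAddress = req.socket.remoteAddress;` and `if (!['127.0.0.1', '::1', '::ffff:127.0.0.1'].includes(remoteAddress)) {`. The comment should describe what is actually enforced, e.g. `// Restrict the whole app to loopback clients; this is an access control, not SSRF protection`. Any genuine SSRF fix belongs where the server builds outbound requests, which is outside this hunk.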
-- 
GitLab