Comprehensive Input Validation and Sanitization

[manny-uncharted]

Summary

closes: #11

This PR implements comprehensive input validation and sanitization for the AkaveLink API to protect against common security vulnerabilities, including path traversal attacks, malicious file uploads, and injection attacks.

Changes Made

1. New Validation Package (internal/validation/)

Created a comprehensive validation package with the following features:

Bucket Name Validation:

• Length: 1-63 characters
• Allowed characters: alphanumeric, hyphens, underscores
• Must start and end with alphanumeric character
• Blocks path traversal patterns

File Name Validation:

• Maximum length: 255 characters
• Allowed characters: alphanumeric, dots, hyphens, underscores
• Must start and end with alphanumeric character
• Prevents path traversal, null bytes, and invalid filename characters

File Upload Validation:

• Maximum file size: 100 MB
• Minimum file size: > 0 bytes (no empty files)
• MIME type whitelist (PDF, JSON, images, video, audio, text, binary)
• Content-Length validation before parsing

Sanitization Functions:

• SanitizeBucketName() - Removes invalid characters, converts to lowercase, truncates
• SanitizeFileName() - Removes path components, null bytes, and traversal patterns

2. Validation Middleware (internal/middleware/)

Created HTTP middleware for request validation:

• ValidateBucketName() - Validates bucket name URL parameters
• ValidateFileName() - Validates file name URL parameters
• ValidateBucketAndFileName() - Validates both bucket and file names
• ValidateContentLength() - Validates Content-Length header
• SecurityHeaders() - Adds security HTTP headers to all responses
• LogRequest() - Logs all incoming requests for audit trails

Security Headers Added:

• X-Content-Type-Options: nosniff - Prevents MIME sniffing
• X-Frame-Options: DENY - Prevents clickjacking
• X-XSS-Protection: 1; mode=block - Enables XSS protection
• Content-Security-Policy: default-src 'self' - Restricts resource loading

3. Updated Handlers

Bucket Handlers (internal/handlers/buckets.go):

• Added validation and sanitization to createBucketHandler
• Added validation and sanitization to deleteBucketHandler

File Handlers (internal/handlers/files.go):

• Added validation to all file operations:
  • fileInfoHandler - Validates bucket and file names
  • listFilesHandler - Validates bucket name
  • uploadHandler - Validates bucket name, file upload, and content length
  • downloadHandler - Validates bucket and file names
  • fileDeleteHandler - Validates bucket and file names

Router (internal/handlers/router.go):

• Applied global middleware (SecurityHeaders, LogRequest) to all routes
• Organized routes with clear comments

4. Comprehensive Test Suite

Unit Tests (test/validation_test.go):

• 93 test cases covering all validation functions
• Tests for valid inputs, invalid inputs, edge cases, and security attacks
• Tests for sanitization behavior

Middleware Tests (test/middleware_test.go):

• Tests for all middleware functions
• Validates proper error responses
• Verifies security headers are applied

Integration Tests (test/validation_integration_test.go):

• End-to-end tests for all API endpoints
• Test validation in the actual HTTP request flow
• Uses mock client to isolate validation logic

Attack Prevention

✅ Path Traversal - Blocked patterns: .., /, \, URL-encoded variants
✅ Malicious File Uploads - Size limits, MIME type validation, filename sanitization
✅ Injection Attacks - Input sanitization removes dangerous characters
✅ XSS Attacks - Security headers prevent script injection
✅ Clickjacking - X-Frame-Options header blocks iframe embedding
✅ MIME Sniffing - X-Content-Type-Options prevents browser MIME sniffing

Validation Error Responses

Standardized error responses with proper HTTP status codes:

{
  "error": "Validation Error",
  "field": "bucketName",
  "message": "bucket name must contain only alphanumeric characters, hyphens, and underscores"
}

[manny-uncharted]

@Abhay-2811 should we add ratelimiting to the endpoints

[Abhay-2811]

@manny-uncharted Yes we can add a configurable rate limiting, I'll think it over and create new issue if needed. For now I'll review this PR and get back to you.

[Abhay-2811]

Hey @manny-uncharted I do not understand why there is a replica dir here?

[manny-uncharted]

I'd be resolving this now it's an error on my part