mitchlabeetch · google-labs-jules · Dec 31, 2025
diff --git a/.Jules/sentinel.md b/.Jules/sentinel.md
@@ -0,0 +1,4 @@
+## 2024-05-23 - API Security Hardening
+**Vulnerability:** DoS risk via unlimited string input in `plan` API route, and potential rate limit bypass due to naive IP extraction.
+**Learning:** Even with Zod, explicit `.max()` limits must be applied to all string inputs. IP extraction logic must handle `X-Forwarded-For` chains correctly (taking the first IP) to be robust against spoofing or proxy chains.
+**Prevention:** Use a standardized `getIP` helper across all routes. Ensure every `z.string()` in API schemas has a reasonable `.max()` limit.
diff --git a/src/app/api/architect/chat/route.ts b/src/app/api/architect/chat/route.ts
@@ -2,6 +2,7 @@ import { NextResponse } from "next/server";
 import { z } from "zod";
 import { callOpenRouter, parseJSONResponse } from "@/lib/api/openrouter";
 import { rateLimiter } from "@/lib/rate-limit";
+import { getIP } from "@/lib/utils/ip";
 
 // Schema for input validation
 const ChatRequestSchema = z.object({
@@ -65,7 +66,7 @@ IMPORTANT:
 
 export async function POST(req: Request) {
   try {
-    const ip = req.headers.get("x-forwarded-for") || "unknown";
+    const ip = getIP(req);
 
     if (!rateLimiter.check(ip)) {
       return NextResponse.json(

diff --git a/src/app/api/architect/plan/route.ts b/src/app/api/architect/plan/route.ts
@@ -2,13 +2,14 @@ import { NextResponse } from "next/server";
 import { z } from "zod";
 import { callOpenRouter, parseJSONResponse } from "@/lib/api/openrouter";
 import { rateLimiter } from "@/lib/rate-limit";
+import { getIP } from "@/lib/utils/ip";
 import toolsDB from "@/data/tools_database.json";
 import bestPractices from "@/data/best_practices.json";
 
 // Input: The User Request + The Tool ID they selected
 const PlanRequestSchema = z.object({
-  userRequest: z.string(),
-  selectedToolId: z.string()
+  userRequest: z.string().max(5000), // Limit input length to prevent DoS
+  selectedToolId: z.string().max(100)
 });
 
 // Output: The Launch Plan
@@ -35,7 +36,7 @@ const PlanResponseSchema = z.object({
 
 export async function POST(req: Request) {
   try {
-    const ip = req.headers.get("x-forwarded-for") || "unknown";
+    const ip = getIP(req);
 
     if (!rateLimiter.check(ip)) {
       return NextResponse.json(

diff --git a/src/app/api/architect/select/route.ts b/src/app/api/architect/select/route.ts
@@ -1,14 +1,15 @@
 import { NextResponse } from "next/server";
 import { callOpenRouter, parseJSONResponse } from "@/lib/api/openrouter";
 import { rateLimiter } from "@/lib/rate-limit";
+import { getIP } from "@/lib/utils/ip";
 import { SelectionRequestSchema } from "@/types/selection";
 import { filterCandidates } from "@/lib/selection/hard-filter";
 
 const InputSchema = SelectionRequestSchema;
 
 export async function POST(req: Request) {
   try {
-    const ip = req.headers.get("x-forwarded-for") || "unknown";
+    const ip = getIP(req);
 
     if (!rateLimiter.check(ip)) {
       return NextResponse.json(

diff --git a/src/lib/utils/ip.ts b/src/lib/utils/ip.ts
@@ -0,0 +1,11 @@
+/**
+ * Extracts the client IP from the request headers.
+ * Handles x-forwarded-for headers with multiple proxies by taking the first IP.
+ */
+export function getIP(req: Request): string {
+  const forwardedFor = req.headers.get("x-forwarded-for");
+  if (forwardedFor) {
+    return forwardedFor.split(",")[0].trim();
+  }
+  return "unknown";
+}