
tessl-labs/input-sanitization

Sanitize and validate user input at system boundaries — prevent XSS, SQL

  • Score: 94 (1.20x)
  • Quality: 89% (Does it follow best practices?)
  • Impact: 100% (1.20x)
  • Average score across 6 eval scenarios
  • Security by Snyk: Passed (No known issues)


evals/scenario-4/task.md

User Profile and External Link Preview Service

Problem/Feature Description

A developer tools platform lets users maintain a profile page that includes a list of external links — blog posts, portfolio sites, GitHub repos, etc. The platform shows a preview snippet for each link (title and description) by fetching the URL server-side and extracting the relevant metadata. The profile itself is stored in a database, and users can update their display name, bio, and website URL through a settings API.

The platform has grown quickly and the security team has two open issues. First, the link preview feature originally had no restrictions on which URLs it would fetch, which led to abuse where users pointed it at internal services on the company network. Second, a recent audit found that the profile update endpoint was accepting arbitrary fields from the request body, meaning a crafted request could potentially set fields like role or isAdmin that are stored in the same users table.

Both issues need to be fixed in the same service. The allowed external domains for link previews are: github.com, dev.to, and medium.com. The user profile fields that should be updatable are: display_name, bio, and website_url only.

Output Specification

Build a Node.js or Python service with:

  • PUT /api/profile — updates the current user's profile (use a hardcoded user ID of 1 for simplicity)
    • Accepts display_name (max 50 chars), bio (max 500 chars), website_url (optional string)
  • POST /api/preview — fetches the title and description from a user-supplied URL and returns them as JSON
    • The URL must come from one of the approved domains listed above

Use an in-memory store or SQLite for the profile data. The preview endpoint should make a real HTTP GET request to the URL and extract the <title> tag content (a simple string extraction is fine — no need for a full HTML parser).

Produce:

  • All source files needed to run the service
  • A README.md with startup instructions and example requests for both endpoints

Start with npm install && node server.js or the Python equivalent.
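The two boundary checks the scenario asks for, as an added example that is not part of the task or of any submitted solution: a label-based domain allowlist for the preview URL (which assumes subdomains such as gist.github.com are acceptable) and a field allowlist for the profile body that silently drops keys such as role or isAdmin. Only the standard library is used; the actual HTTP fetch and storage are left to the service.

```python
from urllib.parse import urlparse

# Allowlists taken from the task description above.
ALLOWED_PREVIEW_DOMAINS = ("github.com", "dev.to", "medium.com")
PROFILE_FIELD_LIMITS = {"display_name": 50, "bio": 500, "website_url": None}


def is_allowed_preview_url(url: str) -> bool:
    """Return True only if url points at an approved domain over http(s).

    Matching is done on whole host labels, so 'github.com.evil.example'
    and 'notgithub.com' are rejected while 'gist.github.com' is accepted
    (an assumption: the task does not say whether subdomains count).
    """
    try:
        parsed = urlparse(url)
    except ValueError:
        return False
    if parsed.scheme not in ("http", "https"):
        return False                  # rejects file:, gopher:, etc.
    if parsed.username is not None or parsed.password is not None:
        return False                  # rejects 'http://github.com@10.0.0.1/'
    host = parsed.hostname            # already lower-cased by urlparse
    if not host:
        return False
    return any(host == d or host.endswith("." + d) for d in ALLOWED_PREVIEW_DOMAINS)


def clean_profile_update(body: dict) -> dict:
    """Copy only the updatable fields out of a request body.

    Unknown keys are dropped rather than copied, so a crafted request
    cannot reach columns like role or isAdmin in the users table.
    Raises ValueError on wrong types or values over the length limit.
    """
    cleaned = {}
    for field, limit in PROFILE_FIELD_LIMITS.items():
        if field not in body:
            continue                  # partial updates are allowed
        value = body[field]
        if not isinstance(value, str):
            raise ValueError(f"{field} must be a string")
        if limit is not None and len(value) > limit:
            raise ValueError(f"{field} exceeds {limit} characters")
        cleaned[field] = value
    return cleaned
```

The URL check must also be applied to every redirect hop (or redirects disabled on the fetch), since the first response from an approved host can otherwise redirect the server to an internal address.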
