add x-robots-tag validation

Author: itslenny

src/internal/errors/codes.ts

@@ -235,6 +235,14 @@ export const ERRORS = {
       message: `mime type ${mimeType} is not supported`,
     }),
 
+  InvalidXRobotsTag: (message: string) =>
+    new StorageBackendError({
+      error: 'invalid_x_robots_tag',
+      code: ErrorCode.InvalidRequest,
+      httpStatusCode: 400,
+      message: `Invalid X-Robots-Tag header: ${message}`,
+    }),
+
   InvalidRange: () =>
     new StorageBackendError({
       error: 'invalid_range',

src/storage/renderer/renderer.ts

@@ -3,6 +3,7 @@ import { ObjectMetadata } from '../backend'
 import { Readable } from 'stream'
 import { getConfig } from '../../config'
 import { Obj } from '../schemas'
+import { validateXRobotsTag } from '@storage/validators/x-robots-tag'
 
 export interface RenderOptions {
   bucket: string
@@ -74,14 +75,23 @@ export abstract class Renderer {
     data: AssetResponse,
     options: RenderOptions
   ) {
+    let xRobotsTag = 'none'
+    if (options.xRobotsTag) {
+      try {
+        // allow overriding x-robots-tag header only with valid values
+        validateXRobotsTag(options.xRobotsTag)
+        xRobotsTag = options.xRobotsTag
+      } catch {}
+    }
+
     response
       .status(data.metadata.httpStatusCode ?? 200)
       .header('Accept-Ranges', 'bytes')
       .header('Content-Type', normalizeContentType(data.metadata.mimetype))
       .header('ETag', data.metadata.eTag)
       .header('Content-Length', data.metadata.contentLength)
       .header('Last-Modified', data.metadata.lastModified?.toUTCString())
-      .header('X-Robots-Tag', options.xRobotsTag || 'none')
+      .header('X-Robots-Tag', xRobotsTag)
 
     if (options.expires) {
       response.header('Expires', options.expires)

src/storage/uploader.ts

@@ -12,6 +12,7 @@ import { getConfig } from '../config'
 import { logger, logSchema } from '@internal/monitoring'
 import { Readable } from 'stream'
 import { StorageObjectLocator } from '@storage/locator'
+import { validateXRobotsTag } from './validators/x-robots-tag'
 
 const { storageS3Bucket, uploadFileSizeLimitStandard } = getConfig()
 
@@ -308,6 +309,10 @@ export async function fileUploadFromRequest(
   const contentType = request.headers['content-type']
   const xRobotsTag = request.headers['x-robots-tag'] as string | undefined
 
+  if (xRobotsTag) {
+    validateXRobotsTag(xRobotsTag)
+  }
+
   let body: Readable
   let userMetadata: Record<string, unknown> | undefined
   let mimeType: string

src/storage/validators/x-robots-tag.ts

@@ -0,0 +1,188 @@
+import { ERRORS } from '@internal/errors'
+
+const SIMPLE_RULES = [
+  'all',
+  'noindex',
+  'nofollow',
+  'none',
+  'nosnippet',
+  'indexifembedded',
+  'notranslate',
+  'noimageindex',
+] as const
+
+const PARAMETRIC_RULES = [
+  'max-snippet',
+  'max-image-preview',
+  'max-video-preview',
+  'unavailable_after',
+] as const
+
+const simpleRulesPattern = SIMPLE_RULES.join('|')
+const parametricRulesPattern = PARAMETRIC_RULES.join('|')
+const SIMPLE_RULE_REGEX = new RegExp(`^(${simpleRulesPattern})$`)
+const PARAMETRIC_RULE_REGEX = new RegExp(`^(${parametricRulesPattern}):\\s*(.*)$`)
+const PARAMETRIC_RULE_START_REGEX = new RegExp(`^(${parametricRulesPattern}):`)
+const VALID_IMAGE_PREVIEW_VALUES = new Set(['none', 'standard', 'large'])
+
+/**
+ * Validates the X-Robots-Tag header value according to MDN specification
+ * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Robots-Tag
+ *
+ * @param value - The X-Robots-Tag header value to validate
+ * @throws {Error} If the header value is invalid
+ */
+export function validateXRobotsTag(value: string): void {
+  if (!value || typeof value !== 'string') {
+    throw ERRORS.InvalidXRobotsTag('X-Robots-Tag header value must be a non-empty string')
+  }
+
+  const trimmedValue = value.trim()
+  if (!trimmedValue) {
+    throw ERRORS.InvalidXRobotsTag('X-Robots-Tag header value must be a non-empty string')
+  }
+
+  const parts = splitRules(trimmedValue)
+
+  for (const part of parts) {
+    if (!part) {
+      throw ERRORS.InvalidXRobotsTag('X-Robots-Tag header contains empty rule')
+    }
+
+    // Check if this is a parametric rule
+    const parametricMatch = part.match(PARAMETRIC_RULE_REGEX)
+    if (parametricMatch) {
+      const [, ruleName, ruleValue] = parametricMatch
+      validateParametricRule(ruleName, ruleValue.trim(), VALID_IMAGE_PREVIEW_VALUES)
+      continue
+    }
+
+    // Check if this is a simple rule
+    if (SIMPLE_RULE_REGEX.test(part)) {
+      continue
+    }
+
+    // Check if this has a colon (could be user agent prefix)
+    const colonIndex = part.indexOf(':')
+    if (colonIndex !== -1) {
+      const beforeColon = part.substring(0, colonIndex).trim()
+      const afterColon = part.substring(colonIndex + 1).trim()
+
+      if (!afterColon) {
+        throw ERRORS.InvalidXRobotsTag(
+          `X-Robots-Tag user agent "${beforeColon}" has no rules specified`
+        )
+      }
+
+      // Recursively validate user agent rules
+      validateXRobotsTag(afterColon)
+      continue
+    }
+
+    throw ERRORS.InvalidXRobotsTag(`Invalid X-Robots-Tag rule: "${part}"`)
+  }
+}
+
+/**
+ * Splits rules by comma, handling parametric rules with dates that contain commas
+ */
+function splitRules(value: string): string[] {
+  const parts: string[] = []
+  let remaining = value
+
+  while (remaining) {
+    remaining = remaining.trim()
+    if (!remaining) break
+
+    const match = remaining.match(PARAMETRIC_RULE_START_REGEX)
+    if (match) {
+      const ruleName = match[1]
+
+      // For unavailable_after, extract date value (may contain commas)
+      if (ruleName === 'unavailable_after') {
+        // Build regex to find end of date by looking for comma + known rule or user agent
+        const endPattern = new RegExp(
+          `unavailable_after:\\s*(.+?)(?:,\\s*(?:${simpleRulesPattern}|${parametricRulesPattern}|[a-zA-Z0-9_-]+:)|$)`
+        )
+        const dateEndMatch = remaining.match(endPattern)
+
+        if (dateEndMatch) {
+          const fullRule = `unavailable_after: ${dateEndMatch[1].trim()}`
+          parts.push(fullRule)
+          remaining = remaining.substring(fullRule.length).replace(/^,\s*/, '').trim()
+        } else {
+          parts.push(remaining)
+          remaining = ''
+        }
+        continue
+      }
+    }
+
+    // Default: split by comma (for other parametric rules and simple rules)
+    const nextComma = remaining.indexOf(',')
+    if (nextComma === -1) {
+      parts.push(remaining)
+      remaining = ''
+    } else {
+      parts.push(remaining.substring(0, nextComma).trim())
+      remaining = remaining.substring(nextComma + 1).trim()
+    }
+  }
+
+  return parts
+}
+
+/**
+ * Validates a parametric rule value
+ */
+function validateParametricRule(
+  ruleName: string,
+  ruleValue: string,
+  validImagePreviewValues: Set<string>
+): void {
+  if (!ruleValue) {
+    throw ERRORS.InvalidXRobotsTag(`X-Robots-Tag rule "${ruleName}" requires a value`)
+  }
+
+  switch (ruleName) {
+    case 'max-snippet': {
+      const num = parseInt(ruleValue, 10)
+      if (isNaN(num) || num < 0) {
+        throw ERRORS.InvalidXRobotsTag(
+          `X-Robots-Tag "max-snippet" value must be a non-negative number, got: "${ruleValue}"`
+        )
+      }
+      break
+    }
+
+    case 'max-image-preview': {
+      if (!validImagePreviewValues.has(ruleValue)) {
+        throw ERRORS.InvalidXRobotsTag(
+          `X-Robots-Tag "max-image-preview" value must be one of: none, standard, large, got: "${ruleValue}"`
+        )
+      }
+      break
+    }
+
+    case 'max-video-preview': {
+      const num = parseInt(ruleValue, 10)
+      if (isNaN(num) || num < -1) {
+        throw ERRORS.InvalidXRobotsTag(
+          `X-Robots-Tag "max-video-preview" value must be a number >= -1, got: "${ruleValue}"`
+        )
+      }
+      break
+    }
+
+    case 'unavailable_after': {
+      // Check if it's a valid date string (try parsing it)
+      const date = new Date(ruleValue)
+      if (isNaN(date.getTime())) {
+        throw ERRORS.InvalidXRobotsTag(
+          `X-Robots-Tag "unavailable_after" value must be a valid date, got: "${ruleValue}"`
+        )
+      }
+      break
+    }
+  }
+}

src/test/object.test.ts

@@ -2563,14 +2563,15 @@ describe('x-robots-tag header', () => {
   test('defaults x-robots-tag header to none if not specified', async () => {
     const objPath = `${X_ROBOTS_TEST_BUCKET}/test-file-1.txt`
 
-    await appInstance.inject({
+    const createResponse = await appInstance.inject({
       method: 'POST',
       url: `/object/${objPath}`,
       payload: new File(['test'], 'file.txt'),
       headers: {
         authorization: `Bearer ${await serviceKeyAsync}`,
       },
     })
+    expect(createResponse.statusCode).toBe(200)
 
     const response = await appInstance.inject({
       method: 'GET',
@@ -2579,13 +2580,14 @@ describe('x-robots-tag header', () => {
         authorization: `Bearer ${await serviceKeyAsync}`,
       },
     })
+    expect(response.statusCode).toBe(200)
     expect(response.headers['x-robots-tag']).toBe('none')
   })
 
   test('uses provided x-robots-tag header if set', async () => {
     const objPath = `${X_ROBOTS_TEST_BUCKET}/test-file-2.txt`
 
-    await appInstance.inject({
+    const createResponse = await appInstance.inject({
       method: 'POST',
       url: `/object/${objPath}`,
       payload: new File(['test'], 'file.txt'),
@@ -2594,6 +2596,7 @@ describe('x-robots-tag header', () => {
         'x-robots-tag': 'all',
       },
     })
+    expect(createResponse.statusCode).toBe(200)
 
     const response = await appInstance.inject({
       method: 'GET',
@@ -2602,13 +2605,14 @@ describe('x-robots-tag header', () => {
         authorization: `Bearer ${await serviceKeyAsync}`,
       },
     })
+    expect(response.statusCode).toBe(200)
     expect(response.headers['x-robots-tag']).toBe('all')
   })
 
   test('updates x-robots-tag header on upsert', async () => {
     const objPath = `${X_ROBOTS_TEST_BUCKET}/test-file-3.txt`
 
-    await appInstance.inject({
+    const createResponse = await appInstance.inject({
       method: 'POST',
       url: `/object/${objPath}`,
       payload: new File(['test'], 'file.txt'),
@@ -2617,6 +2621,7 @@ describe('x-robots-tag header', () => {
         'x-robots-tag': 'max-snippet: 10, notranslate',
       },
     })
+    expect(createResponse.statusCode).toBe(200)
 
     const response = await appInstance.inject({
       method: 'GET',
@@ -2625,9 +2630,10 @@ describe('x-robots-tag header', () => {
         authorization: `Bearer ${await serviceKeyAsync}`,
       },
     })
+    expect(response.statusCode).toBe(200)
     expect(response.headers['x-robots-tag']).toBe('max-snippet: 10, notranslate')
 
-    await appInstance.inject({
+    const createResponse2 = await appInstance.inject({
       method: 'POST',
       url: `/object/${objPath}`,
       payload: new File(['test'], 'file.txt'),
@@ -2637,6 +2643,7 @@ describe('x-robots-tag header', () => {
         'x-robots-tag': 'nofollow',
       },
     })
+    expect(createResponse2.statusCode).toBe(200)
 
     const response2 = await appInstance.inject({
       method: 'GET',
@@ -2645,6 +2652,28 @@ describe('x-robots-tag header', () => {
         authorization: `Bearer ${await serviceKeyAsync}`,
       },
     })
+    expect(response2.statusCode).toBe(200)
     expect(response2.headers['x-robots-tag']).toBe('nofollow')
   })
+
+  test('rejects invalid x-robots-tag header with proper error', async () => {
+    const objPath = `${X_ROBOTS_TEST_BUCKET}/test-file-invalid.txt`
+
+    const createResponse = await appInstance.inject({
+      method: 'POST',
+      url: `/object/${objPath}`,
+      payload: new File(['test'], 'file.txt'),
+      headers: {
+        authorization: `Bearer ${await serviceKeyAsync}`,
+        'x-robots-tag': 'invalidrule',
+      },
+    })
+
+    expect(createResponse.statusCode).toBe(400)
+    expect(createResponse.json()).toMatchObject({
+      statusCode: '400',
+      error: 'invalid_x_robots_tag',
+      message: 'Invalid X-Robots-Tag header: Invalid X-Robots-Tag rule: "invalidrule"',
+    })
+  })
 })