fix: close stored XSS, anon RPC, and rate limiting gaps in marketplace (#32)

* security: close stored XSS, anon RPC, and rate limiting gaps in marketplace

- Replace raw innerHTML rendering with sanitize-html (allowlist-based) in
  plugin detail page — blocks stored XSS via community plugin markdown
- Add marketplace/lib/rate-limit.ts: in-memory sliding-window limiter
- Rate limit /api/install (5/slug/IP/hr), /api/search (60/IP/min),
  /api/register (10/IP/hr) with 429 + Retry-After responses
- Add migration 00003: REVOKE EXECUTE on increment_install_count from
  anon + authenticated roles (migration applied to production)
- Add *.tsbuildinfo to .gitignore

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(marketplace): move rate limit before auth check in /api/register

Rate limiting must run before authentication so that failed auth
attempts increment the counter — otherwise an attacker can brute-force
the API key without ever hitting the rate limit.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: siracusa5

.gitignore

@@ -23,6 +23,7 @@ website/.source/
 # Marketplace
 marketplace/.next/
 marketplace/out/
+*.tsbuildinfo
 
 # Supabase local
 marketplace/supabase/.temp/

marketplace/app/api/install/route.ts

@@ -1,5 +1,6 @@
 import { NextRequest, NextResponse } from "next/server";
 import { createClient } from "@supabase/supabase-js";
+import { checkRateLimit, getClientIp } from "@/lib/rate-limit";
 
 function getServiceSupabase() {
   const url = process.env.NEXT_PUBLIC_SUPABASE_URL;
@@ -33,6 +34,19 @@ export async function POST(request: NextRequest) {
     );
   }
 
+  // 5 installs per slug per IP per hour
+  const ip = getClientIp(request);
+  const { allowed, retryAfter } = checkRateLimit(`install:${ip}:${slug}`, {
+    maxRequests: 5,
+    windowMs: 60 * 60 * 1000,
+  });
+  if (!allowed) {
+    return NextResponse.json(
+      { error: "Too many requests" },
+      { status: 429, headers: { "Retry-After": String(retryAfter) } },
+    );
+  }
+
   // Atomically increment install_count to avoid race conditions
   const { data: updated, error: updateError } = await supabase
     .rpc("increment_install_count", { component_slug: slug });

marketplace/app/api/register/route.ts

@@ -1,5 +1,6 @@
 import { NextRequest, NextResponse } from "next/server";
 import { createClient } from "@supabase/supabase-js";
+import { checkRateLimit, getClientIp } from "@/lib/rate-limit";
 
 function getServiceSupabase() {
   const url = process.env.NEXT_PUBLIC_SUPABASE_URL;
@@ -49,6 +50,20 @@ async function fetchGitHubFile(
 }
 
 export async function POST(request: NextRequest) {
+  // Rate limit before auth so brute-force attempts are counted regardless of
+  // whether the key is correct. 10 requests per hour per IP.
+  const ip = getClientIp(request);
+  const { allowed, retryAfter } = checkRateLimit(`register:${ip}`, {
+    maxRequests: 10,
+    windowMs: 60 * 60 * 1000,
+  });
+  if (!allowed) {
+    return NextResponse.json(
+      { error: "Too many requests" },
+      { status: 429, headers: { "Retry-After": String(retryAfter) } },
+    );
+  }
+
   // Require API key for registration to prevent spam
   const apiKey = process.env.REGISTER_API_KEY;
   if (!apiKey) {

marketplace/app/api/search/route.ts

@@ -1,5 +1,6 @@
 import { NextRequest, NextResponse } from "next/server";
 import { supabase } from "@/lib/supabase";
+import { checkRateLimit, getClientIp } from "@/lib/rate-limit";
 
 type SearchType = "component" | "profile";
 
@@ -15,6 +16,19 @@ export async function GET(request: NextRequest) {
     );
   }
 
+  // 60 searches per minute per IP
+  const ip = getClientIp(request);
+  const { allowed, retryAfter } = checkRateLimit(`search:${ip}`, {
+    maxRequests: 60,
+    windowMs: 60 * 1000,
+  });
+  if (!allowed) {
+    return NextResponse.json(
+      { error: "Too many requests" },
+      { status: 429, headers: { "Retry-After": String(retryAfter) } },
+    );
+  }
+
   // Sanitize and convert query to tsquery format for full-text search
   const sanitizedTokens = query
     .trim()

marketplace/app/plugins/[slug]/page.tsx

@@ -1,5 +1,6 @@
 import Link from "next/link";
 import { notFound } from "next/navigation";
+import sanitizeHtml from "sanitize-html";
 import { supabase } from "@/lib/supabase";
 import type { Component, Profile, TrustTier } from "@/lib/types";
 
@@ -18,9 +19,24 @@ function TrustBadge({ tier }: { tier: TrustTier }) {
   );
 }
 
+/**
+ * Allowed tags and attributes for sanitizeHtml.
+ * Permits the Tailwind classes emitted by renderMarkdown while blocking all
+ * event handlers and javascript: URLs.
+ */
+const SANITIZE_OPTIONS: sanitizeHtml.IOptions = {
+  allowedTags: ["h1", "h2", "h3", "h4", "p", "pre", "code", "strong", "a", "li", "ul"],
+  allowedAttributes: {
+    "*": ["class"],
+    a: ["href", "target", "rel"],
+  },
+  allowedSchemes: ["http", "https", "mailto"],
+};
+
 /**
  * Minimal server-side markdown-to-HTML renderer.
- * Content is trusted (from our own Supabase database, not user input).
+ * Output is sanitized via sanitizeHtml before rendering — community plugins
+ * store arbitrary markdown from GitHub repos which is untrusted content.
  */
 function renderMarkdown(md: string): string {
   const html = md
@@ -138,12 +154,11 @@ export default async function PluginDetailPage({
     notFound();
   }
 
-  // Trusted content from our own database -- see renderMarkdown comment above
   const skillHtml = component.skill_md
-    ? renderMarkdown(component.skill_md)
+    ? sanitizeHtml(renderMarkdown(component.skill_md), SANITIZE_OPTIONS)
     : null;
   const readmeHtml = component.readme_md
-    ? renderMarkdown(component.readme_md)
+    ? sanitizeHtml(renderMarkdown(component.readme_md), SANITIZE_OPTIONS)
     : null;
 
   const updatedDate = component.updated_at
@@ -220,7 +235,7 @@ export default async function PluginDetailPage({
             </div>
           )}
 
-          {/* SKILL.md content -- trusted content from our own Supabase database */}
+          {/* SKILL.md content */}
           {skillHtml && (
             <section className="mb-10">
               <h2 className="mb-4 text-xl font-bold">Skill Definition</h2>
@@ -231,7 +246,7 @@ export default async function PluginDetailPage({
             </section>
           )}
 
-          {/* README.md content -- trusted content from our own Supabase database */}
+          {/* README.md content */}
           {readmeHtml && (
             <section className="mb-10">
               <h2 className="mb-4 text-xl font-bold">Documentation</h2>

marketplace/lib/rate-limit.ts

@@ -0,0 +1,62 @@
+interface RateLimitEntry {
+  count: number;
+  resetAt: number;
+}
+
+const store = new Map<string, RateLimitEntry>();
+
+export interface RateLimitConfig {
+  /** Maximum number of requests allowed within the window. */
+  maxRequests: number;
+  /** Window duration in milliseconds. */
+  windowMs: number;
+}
+
+/**
+ * In-memory sliding-window rate limiter.
+ *
+ * Keyed by an arbitrary string (e.g. "install:<ip>:<slug>"). Expired entries
+ * are pruned on each call so the Map doesn't grow unbounded.
+ *
+ * NOTE: This is per-process. In a multi-instance deployment use an external
+ * store (Redis / Cloudflare KV). Sufficient for a single-instance launch.
+ */
+export function checkRateLimit(
+  key: string,
+  config: RateLimitConfig,
+): { allowed: boolean; retryAfter?: number } {
+  const now = Date.now();
+
+  // Prune expired entries to prevent memory growth.
+  for (const [k, entry] of store.entries()) {
+    if (entry.resetAt <= now) store.delete(k);
+  }
+
+  const entry = store.get(key);
+
+  if (!entry || entry.resetAt <= now) {
+    store.set(key, { count: 1, resetAt: now + config.windowMs });
+    return { allowed: true };
+  }
+
+  if (entry.count >= config.maxRequests) {
+    return {
+      allowed: false,
+      retryAfter: Math.ceil((entry.resetAt - now) / 1000),
+    };
+  }
+
+  entry.count++;
+  return { allowed: true };
+}
+
+/**
+ * Extract the client IP from a request, preferring Cloudflare headers.
+ */
+export function getClientIp(request: Request): string {
+  return (
+    request.headers.get("cf-connecting-ip") ??
+    request.headers.get("x-forwarded-for")?.split(",")[0]?.trim() ??
+    "unknown"
+  );
+}

marketplace/package.json

@@ -8,19 +8,21 @@
     "start": "next start"
   },
   "dependencies": {
+    "@harness-kit/shared": "workspace:*",
+    "@supabase/supabase-js": "^2.0.0",
     "next": "^15.0.0",
     "react": "^19.0.0",
     "react-dom": "^19.0.0",
-    "@supabase/supabase-js": "^2.0.0",
-    "@harness-kit/shared": "workspace:*"
+    "sanitize-html": "^2.17.1"
   },
   "devDependencies": {
+    "@tailwindcss/postcss": "^4.0.0",
     "@types/node": "^22.0.0",
     "@types/react": "^19.0.0",
     "@types/react-dom": "^19.0.0",
-    "typescript": "^5.0.0",
+    "@types/sanitize-html": "^2.16.1",
+    "postcss": "^8.0.0",
     "tailwindcss": "^4.0.0",
-    "@tailwindcss/postcss": "^4.0.0",
-    "postcss": "^8.0.0"
+    "typescript": "^5.0.0"
   }
 }

marketplace/supabase/migrations/00003_revoke_anon_rpc.sql

@@ -0,0 +1,6 @@
+-- Revoke direct RPC access to increment_install_count from unprivileged roles.
+-- The /api/install route uses service_role which bypasses grants and continues
+-- to work. Direct calls via the anon or authenticated key (e.g., from the
+-- Supabase client SDK) are now blocked, preventing install-count manipulation.
+REVOKE EXECUTE ON FUNCTION increment_install_count(text) FROM anon;
+REVOKE EXECUTE ON FUNCTION increment_install_count(text) FROM authenticated;