fix: relay URL validation and custom filter field allowlist

Validate relay URLs via Validation.isValidRelayUrl() before connection.
Restrict custom filter fields to ALLOWED_FILTER_FIELDS allowlist to prevent
injection of arbitrary keys into Nostr subscription filters.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: vveerrgg

src/nodes/nostr-filter/nostr-filter.ts

@@ -28,6 +28,19 @@ interface NostrFilterNode extends Node {
     hexPubkey?: string;
 }
 
+// Allowed fields in a Nostr subscription filter (NIP-01 + NIP-12 tag filters)
+const ALLOWED_FILTER_FIELDS = new Set(['ids', 'authors', 'kinds', 'since', 'until', 'limit', 'search']);
+
+function sanitizeFilterObject(parsed: Record<string, any>): Record<string, any> {
+    const validated: Record<string, any> = {};
+    for (const [key, value] of Object.entries(parsed)) {
+        if (ALLOWED_FILTER_FIELDS.has(key) || key.startsWith('#')) {
+            validated[key] = value;
+        }
+    }
+    return validated;
+}
+
 export default function(RED: NodeAPI) {
     // Create a function to initialize the node
     async function initializeNode(this: NostrFilterNode, config: NostrFilterDef) {
@@ -108,7 +121,8 @@ export default function(RED: NodeAPI) {
                         case 'custom':
                             if (this.customFilter) {
                                 try {
-                                    const filter = JSON.parse(this.customFilter);
+                                    const parsed = JSON.parse(this.customFilter);
+                                    const filter = sanitizeFilterObject(parsed);
                                     shouldForward = Object.entries(filter).every(([key, value]) => {
                                         if (Array.isArray(value)) {
                                             return value.includes(event[key as keyof NostrEvent]);
@@ -158,7 +172,9 @@ export default function(RED: NodeAPI) {
                 case 'custom':
                     if (this.customFilter) {
                         try {
-                            Object.assign(filter, JSON.parse(this.customFilter));
+                            const parsed = JSON.parse(this.customFilter);
+                            const validated = sanitizeFilterObject(parsed);
+                            Object.assign(filter, validated);
                         } catch (err: any) {
                             this.error("Invalid custom filter: " + err.message);
                         }

src/nodes/nostr-relay-config/nostr-relay-config.ts

@@ -1,5 +1,6 @@
 import { Node, NodeAPI, NodeDef } from 'node-red';
 import { getDefaultReaderKeys, getPublicKey } from '../../crypto/keys.js';
+import { Validation } from '../../utils/validation.js';
 
 // Types only - these won't be in the JS output
 import type { NostrWSClient, NostrWSMessage } from 'nostr-websocket-utils';
@@ -24,8 +25,19 @@ export default function(RED: NodeAPI) {
     // Create a function to initialize the node
     async function initializeNode(this: NostrRelayConfig, config: NostrRelayConfigDef) {
         RED.nodes.createNode(this, config);
-        
-        this.relay = config.relay;
+
+        // Validate relay URL before accepting
+        if (config.relay) {
+            if (!Validation.isValidRelayUrl(config.relay)) {
+                this.error('Invalid relay URL: must use ws:// or wss:// protocol and be a valid URL');
+                return;
+            }
+            this.relay = config.relay;
+        } else {
+            this.error('Relay URL is required');
+            return;
+        }
+
         this.publicKey = config.publicKey;
         this.privateKey = this.credentials?.privateKey;