[mirotalksfu] - prevent xss injection

هذا الالتزام موجود في:
Miroslav Pejic
2023-02-18 20:09:10 +01:00
الأصل 95a4bae0ce
التزام 509f83fe0b
5 ملفات معدلة مع 59 إضافات و17 حذوفات


@@ -24,6 +24,7 @@ dependencies: {
socket.io : https://www.npmjs.com/package/socket.io
swagger-ui-express : https://www.npmjs.com/package/swagger-ui-express
uuid : https://www.npmjs.com/package/uuid
xss : https://www.npmjs.com/package/xss
yamljs : https://www.npmjs.com/package/yamljs
}
*/
@@ -37,7 +38,7 @@ dependencies: {
* @license For commercial or closed source, contact us at license.mirotalk@gmail.com or purchase directly via CodeCanyon
* @license CodeCanyon: https://codecanyon.net/item/mirotalk-sfu-webrtc-realtime-video-conferences/40769970
* @author Miroslav Pejic - miroslav.pejic.85@gmail.com
* @version 1.0.2
* @version 1.0.3
*
*/
@@ -52,6 +53,7 @@ const config = require('./config');
const path = require('path');
const ngrok = require('ngrok');
const fs = require('fs');
const checkXSS = require('./XSS.js');
const Host = require('./Host');
const Room = require('./Room');
const Peer = require('./Peer');
@@ -505,9 +507,11 @@ function startServer() {
callback({ peerCounts: peerCounts });
});
socket.on('cmd', (data) => {
socket.on('cmd', (dataObject) => {
if (!roomList.has(socket.room_id)) return;
const data = checkXSS(dataObject);
log.debug('Cmd', data);
// cmd|foo|bar|....
@@ -527,9 +531,11 @@ function startServer() {
roomList.get(socket.room_id).broadCast(socket.id, 'cmd', data);
});
socket.on('roomAction', (data) => {
socket.on('roomAction', (dataObject) => {
if (!roomList.has(socket.room_id)) return;
const data = checkXSS(dataObject);
log.debug('Room action:', data);
switch (data.action) {
case 'lock':
@@ -568,9 +574,11 @@ function startServer() {
});
});
socket.on('roomLobby', (data) => {
socket.on('roomLobby', (dataObject) => {
if (!roomList.has(socket.room_id)) return;
const data = checkXSS(dataObject);
data.room = roomList.get(socket.room_id).toJson();
log.debug('Room lobby', {
@@ -590,9 +598,11 @@ function startServer() {
}
});
socket.on('peerAction', (data) => {
socket.on('peerAction', (dataObject) => {
if (!roomList.has(socket.room_id)) return;
const data = checkXSS(dataObject);
log.debug('Peer action', data);
if (data.broadcast) {
@@ -602,17 +612,21 @@ function startServer() {
}
});
socket.on('updatePeerInfo', (data) => {
socket.on('updatePeerInfo', (dataObject) => {
if (!roomList.has(socket.room_id)) return;
const data = checkXSS(dataObject);
// update my peer_info status to all in the room
roomList.get(socket.room_id).getPeers().get(socket.id).updatePeerInfo(data);
roomList.get(socket.room_id).broadCast(socket.id, 'updatePeerInfo', data);
});
socket.on('fileInfo', (data) => {
socket.on('fileInfo', (dataObject) => {
if (!roomList.has(socket.room_id)) return;
const data = checkXSS(dataObject);
log.debug('Send File Info', data);
if (data.broadcast) {
roomList.get(socket.room_id).broadCast(socket.id, 'fileInfo', data);
@@ -631,15 +645,19 @@ function startServer() {
}
});
socket.on('fileAbort', (data) => {
socket.on('fileAbort', (dataObject) => {
if (!roomList.has(socket.room_id)) return;
const data = checkXSS(dataObject);
roomList.get(socket.room_id).broadCast(socket.id, 'fileAbort', data);
});
socket.on('shareVideoAction', (data) => {
socket.on('shareVideoAction', (dataObject) => {
if (!roomList.has(socket.room_id)) return;
const data = checkXSS(dataObject);
log.debug('Share video: ', data);
if (data.peer_id == 'all') {
roomList.get(socket.room_id).broadCast(socket.id, 'shareVideoAction', data);
@@ -648,35 +666,43 @@ function startServer() {
}
});
socket.on('wbCanvasToJson', (data) => {
socket.on('wbCanvasToJson', (dataObject) => {
if (!roomList.has(socket.room_id)) return;
const data = checkXSS(dataObject);
// let objLength = bytesToSize(Object.keys(data).length);
// log.debug('Send Whiteboard canvas JSON', { length: objLength });
roomList.get(socket.room_id).broadCast(socket.id, 'wbCanvasToJson', data);
});
socket.on('whiteboardAction', (data) => {
socket.on('whiteboardAction', (dataObject) => {
if (!roomList.has(socket.room_id)) return;
const data = checkXSS(dataObject);
log.debug('Whiteboard', data);
roomList.get(socket.room_id).broadCast(socket.id, 'whiteboardAction', data);
});
socket.on('setVideoOff', (data) => {
socket.on('setVideoOff', (dataObject) => {
if (!roomList.has(socket.room_id)) return;
const data = checkXSS(dataObject);
log.debug('Video off', getPeerName());
roomList.get(socket.room_id).broadCast(socket.id, 'setVideoOff', data);
});
socket.on('join', (data, cb) => {
socket.on('join', (dataObject, cb) => {
if (!roomList.has(socket.room_id)) {
return cb({
error: 'Room does not exist',
});
}
const data = checkXSS(dataObject);
log.debug('User joined', data);
roomList.get(socket.room_id).addPeer(new Peer(socket.id, data));
@@ -843,9 +869,11 @@ function startServer() {
roomList.get(socket.room_id).broadCast(socket.id, 'refreshParticipantsCount', data);
});
socket.on('message', (data) => {
socket.on('message', (dataObject) => {
if (!roomList.has(socket.room_id)) return;
const data = checkXSS(dataObject);
log.debug('message', data);
if (data.to_peer_id == 'all') {
roomList.get(socket.room_id).broadCast(socket.id, 'message', data);
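Review bot: Every `const data = checkXSS(dataObject);` added in this section (from the `cmd` listener through `message`) runs unguarded inside a socket.io listener, and checkXSS ends in `JSON.parse`, which throws when the filtered text is no longer valid JSON or when the client sent no payload at all; socket.io does not catch exceptions thrown by listeners, so as far as I can tell one crafted or malformed event surfaces as an uncaught exception on the server instead of a dropped message. A guard in each handler keeps the connection alive: `let data; try { data = checkXSS(dataObject); } catch (err) { log.debug('Rejected payload', err.message); return; }`, with the `join` handler answering `cb({ error: 'Invalid payload' })` instead of returning silently. Since the same two lines are now repeated in every visible listener, a `socket.use((packet, next) => { packet[1] = checkXSS(packet[1]); next(); })` middleware, with the try/catch inside it, would also stop the next handler added here from forgetting the call. startServer() begins and ends outside the visible hunks.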

13
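--- a/app/src/XSS.js
+++ b/app/src/XSS.js
@@ -0,0 +1,13 @@
+'use strict';
+const xss = require('xss');
+const Logger = require('./Logger');
+const log = new Logger('Xss');
+const checkXSS = (dataObject) => {
+const data = xss(JSON.stringify(dataObject));
+log.debug('Sanitization done');
+return JSON.parse(data);
+};
+module.exports = checkXSS;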
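Review bot: checkXSS carries no comment stating its contract, and the contract is narrower than the name suggests: `xss()` with its default options escapes or rewrites rather than strips, so a chat or peer field containing `a < b` comes back as `a &lt; b` and is stored and relayed in that form, and `JSON.stringify` drops `undefined` and function-valued keys before the filter sees them. Two inputs also make the final `JSON.parse` throw: a missing payload, since `JSON.stringify(undefined)` is `undefined` and, as I read the xss library, a non-string input is treated as an empty string; and any whitelisted tag with an attribute, because the filter re-emits attributes as `name="value"` (an unquoted `href=x` becomes `href="x"`, and a JSON-escaped `\"` inside a value becomes `\&quot;`), which leaves unescaped quotes or an invalid escape inside what is still a JSON string. I would put a header comment above `const checkXSS` saying that it round-trips the payload through JSON and the xss filter, that it escapes rather than strips, that `undefined` and function values are lost, and that it throws a `SyntaxError` callers must handle. If the re-quoting case is confirmed, a unit test with the payload `{ msg: '<a href=x>hi</a>' }` would pin it.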


@@ -1,6 +1,6 @@
{
"name": "mirotalksfu",
"version": "1.0.2",
"version": "1.0.3",
"description": "WebRTC SFU browser-based video calls",
"main": "Server.js",
"scripts": {
@@ -39,6 +39,7 @@
"socket.io": "4.6.0",
"swagger-ui-express": "4.6.0",
"uuid": "9.0.0",
"xss": "^1.0.14",
"yamljs": "0.3.0"
},
"devDependencies": {
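Review bot: The new `"xss": "^1.0.14"` entry is the only dependency in this hunk with a floating range; its neighbours (`socket.io`, `swagger-ui-express`, `uuid`, `yamljs`) are pinned to exact versions. For the package that now sits on every inbound socket payload, a caret range lets a fresh install resolve to a later minor whose whitelist or escaping differs from what was reviewed here, unless a lockfile (not among the files visible in this commit) pins it. Pinning it like the rest, `"xss": "1.0.14",`, keeps the sanitizer version deterministic.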


@@ -11,7 +11,7 @@ if (location.href.substr(0, 5) !== 'https') location.href = 'https' + location.h
* @license For commercial or closed source, contact us at license.mirotalk@gmail.com or purchase directly via CodeCanyon
* @license CodeCanyon: https://codecanyon.net/item/mirotalk-sfu-webrtc-realtime-video-conferences/40769970
* @author Miroslav Pejic - miroslav.pejic.85@gmail.com
* @version 1.0.2
* @version 1.0.3
*
*/


@@ -9,7 +9,7 @@
* @license For commercial or closed source, contact us at license.mirotalk@gmail.com or purchase directly via CodeCanyon
* @license CodeCanyon: https://codecanyon.net/item/mirotalk-sfu-webrtc-realtime-video-conferences/40769970
* @author Miroslav Pejic - miroslav.pejic.85@gmail.com
* @version 1.0.2
* @version 1.0.3
*
*/