diff --git a/app/src/Server.js b/app/src/Server.js index eb5f9e80..d658eacf 100644 --- a/app/src/Server.js +++ b/app/src/Server.js @@ -24,6 +24,7 @@ dependencies: { socket.io : https://www.npmjs.com/package/socket.io swagger-ui-express : https://www.npmjs.com/package/swagger-ui-express uuid : https://www.npmjs.com/package/uuid + xss : https://www.npmjs.com/package/xss yamljs : https://www.npmjs.com/package/yamljs } */ @@ -37,7 +38,7 @@ dependencies: { * @license For commercial or closed source, contact us at license.mirotalk@gmail.com or purchase directly via CodeCanyon * @license CodeCanyon: https://codecanyon.net/item/mirotalk-sfu-webrtc-realtime-video-conferences/40769970 * @author Miroslav Pejic - miroslav.pejic.85@gmail.com - * @version 1.0.2 + * @version 1.0.3 * */ @@ -52,6 +53,7 @@ const config = require('./config'); const path = require('path'); const ngrok = require('ngrok'); const fs = require('fs'); +const checkXSS = require('./XSS.js'); const Host = require('./Host'); const Room = require('./Room'); const Peer = require('./Peer'); @@ -505,9 +507,11 @@ function startServer() { callback({ peerCounts: peerCounts }); }); - socket.on('cmd', (data) => { + socket.on('cmd', (dataObject) => { if (!roomList.has(socket.room_id)) return; + const data = checkXSS(dataObject); + log.debug('Cmd', data); // cmd|foo|bar|.... @@ -527,9 +531,11 @@ function startServer() { roomList.get(socket.room_id).broadCast(socket.id, 'cmd', data); }); - socket.on('roomAction', (data) => { + socket.on('roomAction', (dataObject) => { if (!roomList.has(socket.room_id)) return; + const data = checkXSS(dataObject); + log.debug('Room action:', data); switch (data.action) { case 'lock': @@ -568,9 +574,11 @@ function startServer() { }); }); - socket.on('roomLobby', (data) => { + socket.on('roomLobby', (dataObject) => { if (!roomList.has(socket.room_id)) return; + const data = checkXSS(dataObject); + data.room = roomList.get(socket.room_id).toJson(); log.debug('Room lobby', { 
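Review bot: `const data = checkXSS(dataObject);` is followed by property reads on `data` with no check that the sanitized payload is an object; as far as the round-trip in XSS.js shows, `checkXSS` preserves the JSON type of the input, so a `null` payload comes back as `null` and `switch (data.action)` in the roomAction hunk throws a TypeError inside the socket handler. Add `if (!data || typeof data !== 'object') return;` directly after the `checkXSS` line. The same applies to the peerAction, fileInfo, shareVideoAction and message hunks (`data.broadcast`, `data.peer_id`, `data.to_peer_id`) and to updatePeerInfo and join, which pass `data` straight to `updatePeerInfo()` and `new Peer()`. The cmd handler's body continues past the end of this hunk.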
@@ -590,9 +598,11 @@ function startServer() { } }); - socket.on('peerAction', (data) => { + socket.on('peerAction', (dataObject) => { if (!roomList.has(socket.room_id)) return; + const data = checkXSS(dataObject); + log.debug('Peer action', data); if (data.broadcast) { @@ -602,17 +612,21 @@ function startServer() { } }); - socket.on('updatePeerInfo', (data) => { + socket.on('updatePeerInfo', (dataObject) => { if (!roomList.has(socket.room_id)) return; + const data = checkXSS(dataObject); + // update my peer_info status to all in the room roomList.get(socket.room_id).getPeers().get(socket.id).updatePeerInfo(data); roomList.get(socket.room_id).broadCast(socket.id, 'updatePeerInfo', data); }); - socket.on('fileInfo', (data) => { + socket.on('fileInfo', (dataObject) => { if (!roomList.has(socket.room_id)) return; + const data = checkXSS(dataObject); + log.debug('Send File Info', data); if (data.broadcast) { roomList.get(socket.room_id).broadCast(socket.id, 'fileInfo', data); @@ -631,15 +645,19 @@ function startServer() { } }); - socket.on('fileAbort', (data) => { + socket.on('fileAbort', (dataObject) => { if (!roomList.has(socket.room_id)) return; + const data = checkXSS(dataObject); + roomList.get(socket.room_id).broadCast(socket.id, 'fileAbort', data); }); - socket.on('shareVideoAction', (data) => { + socket.on('shareVideoAction', (dataObject) => { if (!roomList.has(socket.room_id)) return; + const data = checkXSS(dataObject); + log.debug('Share video: ', data); if (data.peer_id == 'all') { roomList.get(socket.room_id).broadCast(socket.id, 'shareVideoAction', data); 
@@ -648,35 +666,43 @@ function startServer() { } }); - socket.on('wbCanvasToJson', (data) => { + socket.on('wbCanvasToJson', (dataObject) => { if (!roomList.has(socket.room_id)) return; + const data = checkXSS(dataObject); + // let objLength = bytesToSize(Object.keys(data).length); // log.debug('Send Whiteboard canvas JSON', { length: objLength }); roomList.get(socket.room_id).broadCast(socket.id, 'wbCanvasToJson', data); }); - socket.on('whiteboardAction', (data) => { + socket.on('whiteboardAction', (dataObject) => { if (!roomList.has(socket.room_id)) return; + const data = checkXSS(dataObject); + log.debug('Whiteboard', data); roomList.get(socket.room_id).broadCast(socket.id, 'whiteboardAction', data); }); - socket.on('setVideoOff', (data) => { + socket.on('setVideoOff', (dataObject) => { if (!roomList.has(socket.room_id)) return; + const data = checkXSS(dataObject); + log.debug('Video off', getPeerName()); roomList.get(socket.room_id).broadCast(socket.id, 'setVideoOff', data); }); - socket.on('join', (data, cb) => { + socket.on('join', (dataObject, cb) => { if (!roomList.has(socket.room_id)) { return cb({ error: 'Room does not exist', }); } + const data = checkXSS(dataObject); + log.debug('User joined', data); roomList.get(socket.room_id).addPeer(new Peer(socket.id, data)); @@ -843,9 +869,11 @@ function startServer() { roomList.get(socket.room_id).broadCast(socket.id, 'refreshParticipantsCount', data); }); - socket.on('message', (data) => { + socket.on('message', (dataObject) => { if (!roomList.has(socket.room_id)) return; + const data = checkXSS(dataObject); + log.debug('message', data); if (data.to_peer_id == 'all') { roomList.get(socket.room_id).broadCast(socket.id, 'message', data); diff --git a/app/src/XSS.js b/app/src/XSS.js new file mode 100644 index 00000000..05be2f7b --- /dev/null +++ b/app/src/XSS.js 
@@ -0,0 +1,13 @@
+'use strict';
+
+const xss = require('xss');
+const Logger = require('./Logger');
+const log = new Logger('Xss');
+
+const checkXSS = (dataObject) => {
+    const data = xss(JSON.stringify(dataObject));
+    log.debug('Sanitization done');
+    return JSON.parse(data);
+};
+
+module.exports = checkXSS;
diff --git a/package.json b/package.json
index c5938fc5..d976acbc 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "mirotalksfu",
- "version": "1.0.2",
+ "version": "1.0.3",
 "description": "WebRTC SFU browser-based video calls",
 "main": "Server.js",
 "scripts": {
@@ -39,6 +39,7 @@
 "socket.io": "4.6.0",
 "swagger-ui-express": "4.6.0",
 "uuid": "9.0.0",
+ "xss": "^1.0.14",
 "yamljs": "0.3.0"
 },
 "devDependencies": {
diff --git a/public/js/Room.js b/public/js/Room.js
index 85a74dc3..aacc200e 100644
--- a/public/js/Room.js
+++ b/public/js/Room.js
@@ -11,7 +11,7 @@ if (location.href.substr(0, 5) !== 'https') location.href = 'https' + location.h
 * @license For commercial or closed source, contact us at license.mirotalk@gmail.com or purchase directly via CodeCanyon
 * @license CodeCanyon: https://codecanyon.net/item/mirotalk-sfu-webrtc-realtime-video-conferences/40769970
 * @author Miroslav Pejic - miroslav.pejic.85@gmail.com
- * @version 1.0.2
+ * @version 1.0.3
 *
 */
diff --git a/public/js/RoomClient.js b/public/js/RoomClient.js
index 84997843..bf793833 100644
--- a/public/js/RoomClient.js
+++ b/public/js/RoomClient.js
@@ -9,7 +9,7 @@
 * @license For commercial or closed source, contact us at license.mirotalk@gmail.com or purchase directly via CodeCanyon
 * @license CodeCanyon: https://codecanyon.net/item/mirotalk-sfu-webrtc-realtime-video-conferences/40769970
 * @author Miroslav Pejic - miroslav.pejic.85@gmail.com
- * @version 1.0.2
+ * @version 1.0.3
 *
 */
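Review bot: `return JSON.parse(data);` can throw and nothing in `checkXSS` catches it, so a payload that does not survive the round-trip raises a SyntaxError inside every socket handler that calls this helper; `JSON.stringify(undefined)` yields `undefined`, which `xss()` appears to coerce to an empty string, and `JSON.parse('')` always throws. Guard the non-string case before calling `xss()`, wrap the parse in a try/catch that logs and returns a value callers can test, and emit 'Sanitization done' only after the parse succeeds. Note also that escaping the serialized JSON rewrites `<`/`>` inside every string, keys included, so a client that renders these values with `textContent` will show `&gt;` literally; it is worth deciding whether the escaping belongs here or at the rendering site.
```javascript
const checkXSS = (dataObject) => {
    const serialized = JSON.stringify(dataObject);
    // undefined, functions and symbols serialize to undefined; never hand that to xss()/JSON.parse
    if (typeof serialized !== 'string') {
        log.debug('Sanitization skipped, payload not serializable');
        return null;
    }
    try {
        const data = JSON.parse(xss(serialized));
        log.debug('Sanitization done');
        return data;
    } catch (err) {
        log.debug('Sanitization failed, payload dropped', err.message);
        return null;
    }
};
```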