[mirotalksfu] - prevent xss injection
@@ -24,6 +24,7 @@ dependencies: {
|
|||||||
socket.io : https://www.npmjs.com/package/socket.io
|
socket.io : https://www.npmjs.com/package/socket.io
|
||||||
swagger-ui-express : https://www.npmjs.com/package/swagger-ui-express
|
swagger-ui-express : https://www.npmjs.com/package/swagger-ui-express
|
||||||
uuid : https://www.npmjs.com/package/uuid
|
uuid : https://www.npmjs.com/package/uuid
|
||||||
|
xss : https://www.npmjs.com/package/xss
|
||||||
yamljs : https://www.npmjs.com/package/yamljs
|
yamljs : https://www.npmjs.com/package/yamljs
|
||||||
}
|
}
|
||||||
*/
|
*/
|
||||||
@@ -37,7 +38,7 @@ dependencies: {
|
|||||||
* @license For commercial or closed source, contact us at license.mirotalk@gmail.com or purchase directly via CodeCanyon
|
* @license For commercial or closed source, contact us at license.mirotalk@gmail.com or purchase directly via CodeCanyon
|
||||||
* @license CodeCanyon: https://codecanyon.net/item/mirotalk-sfu-webrtc-realtime-video-conferences/40769970
|
* @license CodeCanyon: https://codecanyon.net/item/mirotalk-sfu-webrtc-realtime-video-conferences/40769970
|
||||||
* @author Miroslav Pejic - miroslav.pejic.85@gmail.com
|
* @author Miroslav Pejic - miroslav.pejic.85@gmail.com
|
||||||
* @version 1.0.2
|
* @version 1.0.3
|
||||||
*
|
*
|
||||||
*/
|
*/
|
||||||
|
|
||||||
@@ -52,6 +53,7 @@ const config = require('./config');
|
|||||||
const path = require('path');
|
const path = require('path');
|
||||||
const ngrok = require('ngrok');
|
const ngrok = require('ngrok');
|
||||||
const fs = require('fs');
|
const fs = require('fs');
|
||||||
|
const checkXSS = require('./XSS.js');
|
||||||
const Host = require('./Host');
|
const Host = require('./Host');
|
||||||
const Room = require('./Room');
|
const Room = require('./Room');
|
||||||
const Peer = require('./Peer');
|
const Peer = require('./Peer');
|
||||||
@@ -505,9 +507,11 @@ function startServer() {
|
|||||||
callback({ peerCounts: peerCounts });
|
callback({ peerCounts: peerCounts });
|
||||||
});
|
});
|
||||||
|
|
||||||
socket.on('cmd', (data) => {
|
socket.on('cmd', (dataObject) => {
|
||||||
if (!roomList.has(socket.room_id)) return;
|
if (!roomList.has(socket.room_id)) return;
|
||||||
|
|
||||||
|
const data = checkXSS(dataObject);
|
||||||
|
|
||||||
log.debug('Cmd', data);
|
log.debug('Cmd', data);
|
||||||
|
|
||||||
// cmd|foo|bar|....
|
// cmd|foo|bar|....
|
||||||
@@ -527,9 +531,11 @@ function startServer() {
|
|||||||
roomList.get(socket.room_id).broadCast(socket.id, 'cmd', data);
|
roomList.get(socket.room_id).broadCast(socket.id, 'cmd', data);
|
||||||
});
|
});
|
||||||
|
|
||||||
socket.on('roomAction', (data) => {
|
socket.on('roomAction', (dataObject) => {
|
||||||
if (!roomList.has(socket.room_id)) return;
|
if (!roomList.has(socket.room_id)) return;
|
||||||
|
|
||||||
|
const data = checkXSS(dataObject);
|
||||||
|
|
||||||
log.debug('Room action:', data);
|
log.debug('Room action:', data);
|
||||||
switch (data.action) {
|
switch (data.action) {
|
||||||
case 'lock':
|
case 'lock':
|
||||||
@@ -568,9 +574,11 @@ function startServer() {
|
|||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
socket.on('roomLobby', (data) => {
|
socket.on('roomLobby', (dataObject) => {
|
||||||
if (!roomList.has(socket.room_id)) return;
|
if (!roomList.has(socket.room_id)) return;
|
||||||
|
|
||||||
|
const data = checkXSS(dataObject);
|
||||||
|
|
||||||
data.room = roomList.get(socket.room_id).toJson();
|
data.room = roomList.get(socket.room_id).toJson();
|
||||||
|
|
||||||
log.debug('Room lobby', {
|
log.debug('Room lobby', {
|
||||||
@@ -590,9 +598,11 @@ function startServer() {
|
|||||||
}
|
}
|
||||||
});
|
});
|
||||||
|
|
||||||
socket.on('peerAction', (data) => {
|
socket.on('peerAction', (dataObject) => {
|
||||||
if (!roomList.has(socket.room_id)) return;
|
if (!roomList.has(socket.room_id)) return;
|
||||||
|
|
||||||
|
const data = checkXSS(dataObject);
|
||||||
|
|
||||||
log.debug('Peer action', data);
|
log.debug('Peer action', data);
|
||||||
|
|
||||||
if (data.broadcast) {
|
if (data.broadcast) {
|
||||||
@@ -602,17 +612,21 @@ function startServer() {
|
|||||||
}
|
}
|
||||||
});
|
});
|
||||||
|
|
||||||
socket.on('updatePeerInfo', (data) => {
|
socket.on('updatePeerInfo', (dataObject) => {
|
||||||
if (!roomList.has(socket.room_id)) return;
|
if (!roomList.has(socket.room_id)) return;
|
||||||
|
|
||||||
|
const data = checkXSS(dataObject);
|
||||||
|
|
||||||
// update my peer_info status to all in the room
|
// update my peer_info status to all in the room
|
||||||
roomList.get(socket.room_id).getPeers().get(socket.id).updatePeerInfo(data);
|
roomList.get(socket.room_id).getPeers().get(socket.id).updatePeerInfo(data);
|
||||||
roomList.get(socket.room_id).broadCast(socket.id, 'updatePeerInfo', data);
|
roomList.get(socket.room_id).broadCast(socket.id, 'updatePeerInfo', data);
|
||||||
});
|
});
|
||||||
|
|
||||||
socket.on('fileInfo', (data) => {
|
socket.on('fileInfo', (dataObject) => {
|
||||||
if (!roomList.has(socket.room_id)) return;
|
if (!roomList.has(socket.room_id)) return;
|
||||||
|
|
||||||
|
const data = checkXSS(dataObject);
|
||||||
|
|
||||||
log.debug('Send File Info', data);
|
log.debug('Send File Info', data);
|
||||||
if (data.broadcast) {
|
if (data.broadcast) {
|
||||||
roomList.get(socket.room_id).broadCast(socket.id, 'fileInfo', data);
|
roomList.get(socket.room_id).broadCast(socket.id, 'fileInfo', data);
|
||||||
@@ -631,15 +645,19 @@ function startServer() {
|
|||||||
}
|
}
|
||||||
});
|
});
|
||||||
|
|
||||||
socket.on('fileAbort', (data) => {
|
socket.on('fileAbort', (dataObject) => {
|
||||||
if (!roomList.has(socket.room_id)) return;
|
if (!roomList.has(socket.room_id)) return;
|
||||||
|
|
||||||
|
const data = checkXSS(dataObject);
|
||||||
|
|
||||||
roomList.get(socket.room_id).broadCast(socket.id, 'fileAbort', data);
|
roomList.get(socket.room_id).broadCast(socket.id, 'fileAbort', data);
|
||||||
});
|
});
|
||||||
|
|
||||||
socket.on('shareVideoAction', (data) => {
|
socket.on('shareVideoAction', (dataObject) => {
|
||||||
if (!roomList.has(socket.room_id)) return;
|
if (!roomList.has(socket.room_id)) return;
|
||||||
|
|
||||||
|
const data = checkXSS(dataObject);
|
||||||
|
|
||||||
log.debug('Share video: ', data);
|
log.debug('Share video: ', data);
|
||||||
if (data.peer_id == 'all') {
|
if (data.peer_id == 'all') {
|
||||||
roomList.get(socket.room_id).broadCast(socket.id, 'shareVideoAction', data);
|
roomList.get(socket.room_id).broadCast(socket.id, 'shareVideoAction', data);
|
||||||
@@ -648,35 +666,43 @@ function startServer() {
|
|||||||
}
|
}
|
||||||
});
|
});
|
||||||
|
|
||||||
socket.on('wbCanvasToJson', (data) => {
|
socket.on('wbCanvasToJson', (dataObject) => {
|
||||||
if (!roomList.has(socket.room_id)) return;
|
if (!roomList.has(socket.room_id)) return;
|
||||||
|
|
||||||
|
const data = checkXSS(dataObject);
|
||||||
|
|
||||||
// let objLength = bytesToSize(Object.keys(data).length);
|
// let objLength = bytesToSize(Object.keys(data).length);
|
||||||
// log.debug('Send Whiteboard canvas JSON', { length: objLength });
|
// log.debug('Send Whiteboard canvas JSON', { length: objLength });
|
||||||
roomList.get(socket.room_id).broadCast(socket.id, 'wbCanvasToJson', data);
|
roomList.get(socket.room_id).broadCast(socket.id, 'wbCanvasToJson', data);
|
||||||
});
|
});
|
||||||
|
|
||||||
socket.on('whiteboardAction', (data) => {
|
socket.on('whiteboardAction', (dataObject) => {
|
||||||
if (!roomList.has(socket.room_id)) return;
|
if (!roomList.has(socket.room_id)) return;
|
||||||
|
|
||||||
|
const data = checkXSS(dataObject);
|
||||||
|
|
||||||
log.debug('Whiteboard', data);
|
log.debug('Whiteboard', data);
|
||||||
roomList.get(socket.room_id).broadCast(socket.id, 'whiteboardAction', data);
|
roomList.get(socket.room_id).broadCast(socket.id, 'whiteboardAction', data);
|
||||||
});
|
});
|
||||||
|
|
||||||
socket.on('setVideoOff', (data) => {
|
socket.on('setVideoOff', (dataObject) => {
|
||||||
if (!roomList.has(socket.room_id)) return;
|
if (!roomList.has(socket.room_id)) return;
|
||||||
|
|
||||||
|
const data = checkXSS(dataObject);
|
||||||
|
|
||||||
log.debug('Video off', getPeerName());
|
log.debug('Video off', getPeerName());
|
||||||
roomList.get(socket.room_id).broadCast(socket.id, 'setVideoOff', data);
|
roomList.get(socket.room_id).broadCast(socket.id, 'setVideoOff', data);
|
||||||
});
|
});
|
||||||
|
|
||||||
socket.on('join', (data, cb) => {
|
socket.on('join', (dataObject, cb) => {
|
||||||
if (!roomList.has(socket.room_id)) {
|
if (!roomList.has(socket.room_id)) {
|
||||||
return cb({
|
return cb({
|
||||||
error: 'Room does not exist',
|
error: 'Room does not exist',
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
|
const data = checkXSS(dataObject);
|
||||||
|
|
||||||
log.debug('User joined', data);
|
log.debug('User joined', data);
|
||||||
roomList.get(socket.room_id).addPeer(new Peer(socket.id, data));
|
roomList.get(socket.room_id).addPeer(new Peer(socket.id, data));
|
||||||
|
|
||||||
@@ -843,9 +869,11 @@ function startServer() {
|
|||||||
roomList.get(socket.room_id).broadCast(socket.id, 'refreshParticipantsCount', data);
|
roomList.get(socket.room_id).broadCast(socket.id, 'refreshParticipantsCount', data);
|
||||||
});
|
});
|
||||||
|
|
||||||
socket.on('message', (data) => {
|
socket.on('message', (dataObject) => {
|
||||||
if (!roomList.has(socket.room_id)) return;
|
if (!roomList.has(socket.room_id)) return;
|
||||||
|
|
||||||
|
const data = checkXSS(dataObject);
|
||||||
|
|
||||||
log.debug('message', data);
|
log.debug('message', data);
|
||||||
if (data.to_peer_id == 'all') {
|
if (data.to_peer_id == 'all') {
|
||||||
roomList.get(socket.room_id).broadCast(socket.id, 'message', data);
|
roomList.get(socket.room_id).broadCast(socket.id, 'message', data);
|
||||||
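Review bot: Each new `const data = checkXSS(dataObject);` line (for example under `socket.on('cmd', …)` and `socket.on('message', …)`) trusts the sanitizer to hand back an object, yet `checkXSS` ends in a `JSON.parse` of sanitizer output and no handler in these hunks catches a throw, so one malformed payload from any joined peer escapes the socket.io handler and, unless something upstream catches it, can take the process down. The round-trip also validates nothing about shape — `data.action`, `data.to_peer_id` and `data.peer_id` are still read from whatever arrived — so type checks are still needed before the `switch` and the `broadCast` calls. Rather than repeating the call in thirteen handlers (and missing any not touched by this patch, such as the one that feeds `refreshParticipantsCount`), sanitize once in a `socket.use` middleware that fails closed. The enclosing `startServer()` begins and ends outside these hunks.
```javascript
// Inside the connection handler, before the per-event socket.on(...) registrations:
socket.use((packet, next) => {
    // packet = [eventName, payload, ...]; sanitize the payload once for every event
    try {
        packet[1] = checkXSS(packet[1]);
        next();
    } catch (err) {
        // fail closed: a payload the sanitizer cannot round-trip is dropped, never broadcast
        next(new Error('Invalid payload'));
    }
});
// … unchanged: socket.on('cmd' | 'roomAction' | 'message' | …) handlers, using their argument directly …
```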
|
|||||||
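--- a/app/src/XSS.js
+++ b/app/src/XSS.js
@@ -0,0 +1,13 @@
+'use strict';
+
+const xss = require('xss');
+const Logger = require('./Logger');
+const log = new Logger('Xss');
+
+const checkXSS = (dataObject) => {
+const data = xss(JSON.stringify(dataObject));
+log.debug('Sanitization done');
+return JSON.parse(data);
+};
+
+module.exports = checkXSS;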
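Review bot: `return JSON.parse(data);` in `checkXSS` parses text the client indirectly controls and nothing catches a failure: `xss()` coerces a falsy input to `''` (an event emitted with no payload gives `JSON.stringify(undefined)`, i.e. `undefined`), so `JSON.parse('')` throws a SyntaxError, and for whitelisted tags the filter re-serialises attribute quoting, which can disturb the `\"` escapes the JSON string relies on — either way the exception propagates into every Server.js caller. Wrap the round-trip in try/catch and return a value callers can treat as empty, so a bad payload is dropped instead of crashing the handler. Note also that this stores entity-escaped text (`&lt;script&gt;`) server-side rather than encoding at the output, so a client that renders with `textContent` will show the entities literally; client-side output encoding remains the real XSS fix. The `log.error` below assumes `Logger` exposes it alongside the `debug` used here.
```javascript
const checkXSS = (dataObject) => {
    try {
        // Escape HTML in every key and string value by round-tripping through JSON.
        const data = xss(JSON.stringify(dataObject));
        log.debug('Sanitization done');
        return JSON.parse(data);
    } catch (err) {
        // fail closed: a payload that cannot be round-tripped is never broadcast
        log.error('Sanitization failed, dropping payload', err.message);
        return {};
    }
};
```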
@@ -1,6 +1,6 @@
|
|||||||
{
|
{
|
||||||
"name": "mirotalksfu",
|
"name": "mirotalksfu",
|
||||||
"version": "1.0.2",
|
"version": "1.0.3",
|
||||||
"description": "WebRTC SFU browser-based video calls",
|
"description": "WebRTC SFU browser-based video calls",
|
||||||
"main": "Server.js",
|
"main": "Server.js",
|
||||||
"scripts": {
|
"scripts": {
|
||||||
@@ -39,6 +39,7 @@
|
|||||||
"socket.io": "4.6.0",
|
"socket.io": "4.6.0",
|
||||||
"swagger-ui-express": "4.6.0",
|
"swagger-ui-express": "4.6.0",
|
||||||
"uuid": "9.0.0",
|
"uuid": "9.0.0",
|
||||||
|
"xss": "^1.0.14",
|
||||||
"yamljs": "0.3.0"
|
"yamljs": "0.3.0"
|
||||||
},
|
},
|
||||||
"devDependencies": {
|
"devDependencies": {
|
||||||
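Review bot: `"xss": "^1.0.14"` is the only caret range in this dependencies block — every neighbouring entry (`socket.io`, `swagger-ui-express`, `uuid`, `yamljs`) is pinned to an exact version. For a package that now sits on the path of every inbound socket payload, a floating range lets a future publish change the sanitizer's behaviour at install time. Pin it as `"xss": "1.0.14"` to match the rest, and commit or refresh the lockfile if the project keeps one (none appears in this diff).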
|
|||||||
@@ -11,7 +11,7 @@ if (location.href.substr(0, 5) !== 'https') location.href = 'https' + location.h
|
|||||||
* @license For commercial or closed source, contact us at license.mirotalk@gmail.com or purchase directly via CodeCanyon
|
* @license For commercial or closed source, contact us at license.mirotalk@gmail.com or purchase directly via CodeCanyon
|
||||||
* @license CodeCanyon: https://codecanyon.net/item/mirotalk-sfu-webrtc-realtime-video-conferences/40769970
|
* @license CodeCanyon: https://codecanyon.net/item/mirotalk-sfu-webrtc-realtime-video-conferences/40769970
|
||||||
* @author Miroslav Pejic - miroslav.pejic.85@gmail.com
|
* @author Miroslav Pejic - miroslav.pejic.85@gmail.com
|
||||||
* @version 1.0.2
|
* @version 1.0.3
|
||||||
*
|
*
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
|||||||
@@ -9,7 +9,7 @@
|
|||||||
* @license For commercial or closed source, contact us at license.mirotalk@gmail.com or purchase directly via CodeCanyon
|
* @license For commercial or closed source, contact us at license.mirotalk@gmail.com or purchase directly via CodeCanyon
|
||||||
* @license CodeCanyon: https://codecanyon.net/item/mirotalk-sfu-webrtc-realtime-video-conferences/40769970
|
* @license CodeCanyon: https://codecanyon.net/item/mirotalk-sfu-webrtc-realtime-video-conferences/40769970
|
||||||
* @author Miroslav Pejic - miroslav.pejic.85@gmail.com
|
* @author Miroslav Pejic - miroslav.pejic.85@gmail.com
|
||||||
* @version 1.0.2
|
* @version 1.0.3
|
||||||
*
|
*
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
|||||||