diff --git a/app/src/Server.js b/app/src/Server.js
index 4eddbec9..6293a36d 100644
--- a/app/src/Server.js
+++ b/app/src/Server.js
@@ -44,7 +44,7 @@ dependencies: {
* @license For commercial or closed source, contact us at license.mirotalk@gmail.com or purchase directly via CodeCanyon
* @license CodeCanyon: https://codecanyon.net/item/mirotalk-sfu-webrtc-realtime-video-conferences/40769970
* @author Miroslav Pejic - miroslav.pejic.85@gmail.com
- * @version 1.5.41
+ * @version 1.5.42
*
*/
@@ -470,8 +470,7 @@ function startServer() {
if (!Validator.isValidRoomName(room)) {
return res.status(400).json({
- message:
- 'Invalid Room name! Must be a UUID4 or an ALPHANUMERIC string without special characters or spaces.',
+ message: 'Invalid Room name! Invalid Room name!\nPath traversal pattern detected!',
});
}
diff --git a/app/src/Validator.js b/app/src/Validator.js
index 1d7c89a3..8e78f851 100644
--- a/app/src/Validator.js
+++ b/app/src/Validator.js
@@ -4,21 +4,26 @@ function isValidRoomName(input) {
if (typeof input !== 'string') {
return false;
}
- const pattern =
- /^(?:[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-4[0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}|[A-Za-z0-9-_]+)$/;
- return pattern.test(input);
+ return !hasPathTraversal(input);
}
function isValidRecFileNameFormat(input) {
if (typeof input !== 'string') {
return false;
}
- const pattern =
- /^Rec_(?:[A-Za-z0-9-_]+|[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-4[0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12})_\d{4}_\d{2}_\d{2}_\d{2}_\d{2}_\d{2}\.(webm)$/;
- return pattern.test(input);
+ if (!input.startsWith('Rec_') || !input.endsWith('.webm')) {
+ return false;
+ }
+ return !hasPathTraversal(input);
+}
+
+function hasPathTraversal(input) {
+ const pathTraversalPattern = /(\.\.(\/|\\))+/;
+ return pathTraversalPattern.test(input);
}
module.exports = {
isValidRoomName,
isValidRecFileNameFormat,
+ hasPathTraversal,
};
diff --git a/cloud/server.js b/cloud/server.js
index 60640f72..e269f26f 100644
--- a/cloud/server.js
+++ b/cloud/server.js
@@ -92,7 +92,13 @@ function isValidRecFileNameFormat(input) {
if (typeof input !== 'string') {
return false;
}
- const pattern =
- /^Rec_(?:[A-Za-z0-9-_]+|[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-4[0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12})_\d{4}_\d{2}_\d{2}_\d{2}_\d{2}_\d{2}\.(webm)$/;
- return pattern.test(input);
+ if (!input.startsWith('Rec_') || !input.endsWith('.webm')) {
+ return false;
+ }
+ return !hasPathTraversal(input);
+}
+
+function hasPathTraversal(input) {
+ const pathTraversalPattern = /(\.\.(\/|\\))+/;
+ return pathTraversalPattern.test(input);
}
diff --git a/package.json b/package.json
index d5d6b04e..0d478efd 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
{
"name": "mirotalksfu",
- "version": "1.5.41",
+ "version": "1.5.42",
"description": "WebRTC SFU browser-based video calls",
"main": "Server.js",
"scripts": {
diff --git a/public/js/Common.js b/public/js/Common.js
index 400a711d..383a2a7a 100644
--- a/public/js/Common.js
+++ b/public/js/Common.js
@@ -222,9 +222,10 @@ function joinRoom() {
return;
}
if (!roomValid) {
- alert('Invalid Room name!\nMust be a UUID4 or an ALPHANUMERIC string without special characters.');
+ alert('Invalid Room name!\nPath traversal pattern detected!');
return;
}
+
window.location.href = '/join/' + roomName;
window.localStorage.lastRoom = roomName;
}
@@ -233,9 +234,8 @@ function isValidRoomName(input) {
if (typeof input !== 'string') {
return false;
}
- const pattern =
- /^(?:[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-4[0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}|[A-Za-z0-9-_]+)$/;
- return pattern.test(input);
+ const pathTraversalPattern = /(\.\.(\/|\\))+/;
+ return !pathTraversalPattern.test(input);
}
function adultContent() {
diff --git a/public/js/Room.js b/public/js/Room.js
index 987cdf34..3239f996 100644
--- a/public/js/Room.js
+++ b/public/js/Room.js
@@ -11,7 +11,7 @@ if (location.href.substr(0, 5) !== 'https') location.href = 'https' + location.h
* @license For commercial or closed source, contact us at license.mirotalk@gmail.com or purchase directly via CodeCanyon
* @license CodeCanyon: https://codecanyon.net/item/mirotalk-sfu-webrtc-realtime-video-conferences/40769970
* @author Miroslav Pejic - miroslav.pejic.85@gmail.com
- * @version 1.5.41
+ * @version 1.5.42
*
*/
@@ -4335,7 +4335,7 @@ function showAbout() {
imageUrl: image.about,
customClass: { image: 'img-about' },
position: 'center',
- title: 'WebRTC SFU v1.5.41',
+ title: 'WebRTC SFU v1.5.42',
html: `
diff --git a/public/js/RoomClient.js b/public/js/RoomClient.js
index 055449f4..815b054e 100644
--- a/public/js/RoomClient.js
+++ b/public/js/RoomClient.js
@@ -9,7 +9,7 @@
* @license For commercial or closed source, contact us at license.mirotalk@gmail.com or purchase directly via CodeCanyon
* @license CodeCanyon: https://codecanyon.net/item/mirotalk-sfu-webrtc-realtime-video-conferences/40769970
* @author Miroslav Pejic - miroslav.pejic.85@gmail.com
- * @version 1.5.41
+ * @version 1.5.42
*
*/
@@ -400,9 +400,7 @@ class RoomClient {
.then(async (room) => {
console.log('##### JOIN ROOM #####', room);
if (room === 'invalid') {
- console.log(
- '00-WARNING ----> Room is Invalid! Must be a UUID4 or an ALPHANUMERIC string without special characters or spaces',
- );
+ console.log('00-WARNING ----> Invalid Room name! Path traversal pattern detected!');
return this.roomInvalid();
}
if (room === 'notAllowed') {
@@ -6178,7 +6176,7 @@ class RoomClient {
background: swalBackground,
imageUrl: image.forbidden,
title: 'Oops, Room not valid',
- text: 'Invalid room name! Must be a UUID4 or an ALPHANUMERIC string without special characters or spaces',
+ text: 'Invalid Room name! Path traversal pattern detected!',
confirmButtonText: `OK`,
showClass: { popup: 'animate__animated animate__fadeInDown' },
hideClass: { popup: 'animate__animated animate__fadeOutUp' },