[mirotalksfu] - add some validations

2023-04-26 11:20:50 +02:00
--- a/app/src/Server.js
+++ b/app/src/Server.js
@@ -671,6 +671,11 @@ function startServer() {

            const data = checkXSS(dataObject);

+            if (!isValidFileName(data.fileName)) {
+                log.debug('File name not valid', data);
+                return;
+            }
+
            log.debug('Send File Info', data);
            if (data.broadcast) {
                roomList.get(socket.room_id).broadCast(socket.id, 'fileInfo', data);
@@ -702,6 +707,11 @@ function startServer() {

            const data = checkXSS(dataObject);

+            if (data.action == 'open' && !isValidHttpURL(data.video_url)) {
+                log.debug('Video src not valid', data);
+                return;
+            }
+
            log.debug('Share video: ', data);
            if (data.peer_id == 'all') {
                roomList.get(socket.room_id).broadCast(socket.id, 'shareVideoAction', data);
@@ -1078,6 +1088,24 @@ function startServer() {
            return false;
        }

+        function isValidFileName(fileName) {
+            const invalidChars = /[\\\/\?\*\|:"<>]/;
+            return !invalidChars.test(fileName);
+        }
+
+        function isValidHttpURL(input) {
+            const pattern = new RegExp(
+                '^(https?:\\/\\/)?' + // protocol
+                    '((([a-z\\d]([a-z\\d-]*[a-z\\d])*)\\.)+[a-z]{2,}|' + // domain name
+                    '((\\d{1,3}\\.){3}\\d{1,3}))' + // OR ip (v4) address
+                    '(\\:\\d+)?(\\/[-a-z\\d%_.~+]*)*' + // port and path
+                    '(\\?[;&a-z\\d%_.~+=-]*)?' + // query string
+                    '(\\#[-a-z\\d_]*)?$',
+                'i',
+            ); // fragment locator
+            return pattern.test(input);
+        }
+
        function removeMeData() {
            return {
                room_id: roomList.get(socket.room_id) && socket.room_id,
--- a/public/js/RoomClient.js
+++ b/public/js/RoomClient.js
@@ -3351,7 +3351,8 @@ class RoomClient {
                return userLog('info', 'No participants detected', 'top-end');
            }
            // prevent XSS injection
-            if (this.isHtml(this.fileToSend.name)) return userLog('warning', 'Invalid file name!', 'top-end', 5000);
+            if (this.isHtml(this.fileToSend.name) || !this.isValidFileName(this.fileToSend.name))
+                return userLog('warning', 'Invalid file name!', 'top-end', 5000);

            const fileInfo = {
                peer_id: peer_id,
@@ -3612,6 +3613,11 @@ class RoomClient {
        return '<pre>' + JSON.stringify(obj, null, 4) + '</pre>';
    }

+    isValidFileName(fileName) {
+        const invalidChars = /[\\\/\?\*\|:"<>]/;
+        return !invalidChars.test(fileName);
+    }
+
    // ####################################################
    // SHARE VIDEO YOUTUBE - MP4 - WEBM - OGG or AUDIO mp3
    // ####################################################