fix some DoS vulns and other stuff
This commit is contained in:
hippoz
parent
03d89bca7f
commit
2c41359b9d
1 changed files with 4 additions and 3 deletions
|
|
@ -39,6 +39,7 @@ GatewayServer.prototype.eventSetup = function() {
|
||||||
const token = socket.handshake.query.token;
|
const token = socket.handshake.query.token;
|
||||||
|
|
||||||
if (!token) return this.authDisconnect(socket, callback);
|
if (!token) return this.authDisconnect(socket, callback);
|
||||||
|
if (!(typeof token === 'string')) return this.authDisconnect(socket, callback);
|
||||||
|
|
||||||
jwt.verify(token, secret.jwtPrivateKey, {}, async (err, data) => {
|
jwt.verify(token, secret.jwtPrivateKey, {}, async (err, data) => {
|
||||||
if (err) return this.authDisconnect(socket, callback);
|
if (err) return this.authDisconnect(socket, callback);
|
||||||
|
|
@ -81,13 +82,13 @@ GatewayServer.prototype.eventSetup = function() {
|
||||||
socket.isConnected = true;
|
socket.isConnected = true;
|
||||||
|
|
||||||
socket.on('message', ({ category, content }) => {
|
socket.on('message', ({ category, content }) => {
|
||||||
if (!category || !content || !socket.joinedCategories || !socket.isConnected || !socket.user) return;
|
if (!category || !content || !socket.joinedCategories || !socket.isConnected || !socket.user || !(typeof content === 'string') || !(typeof category._id === 'string')) return;
|
||||||
content = content.trim();
|
content = content.trim();
|
||||||
if (!content || content === '' || content === ' ' || content.length >= 2000) return;
|
if (!content || content === '' || content === ' ' || content.length >= 2000) return;
|
||||||
|
|
||||||
// TODO: When/if category permissions are added, check if the user has permissions for that category
|
// TODO: When/if category permissions are added, check if the user has permissions for that category
|
||||||
const categoryTitle = socket.joinedCategories[category._id];
|
const categoryTitle = socket.joinedCategories[category._id];
|
||||||
if (!categoryTitle) return;
|
if (!categoryTitle || !(typeof categoryTitle === 'string')) return;
|
||||||
|
|
||||||
const messageObject = {
|
const messageObject = {
|
||||||
author: {
|
author: {
|
||||||
|
|
@ -108,7 +109,7 @@ GatewayServer.prototype.eventSetup = function() {
|
||||||
socket.on('subscribe', async (categories) => {
|
socket.on('subscribe', async (categories) => {
|
||||||
if ( !socket.isConnected || !socket.user || !categories || !Array.isArray(categories) || categories === []) return;
|
if ( !socket.isConnected || !socket.user || !categories || !Array.isArray(categories) || categories === []) return;
|
||||||
for (const v of categories) {
|
for (const v of categories) {
|
||||||
if (!v) continue;
|
if (!v && !(typeof v === 'string')) continue;
|
||||||
// TODO: When/if category permissions are added, check if the user has permissions for that category
|
// TODO: When/if category permissions are added, check if the user has permissions for that category
|
||||||
const category = await Category.findById(v);
|
const category = await Category.findById(v);
|
||||||
if (category && category.title && category._id) {
|
if (category && category.title && category._id) {
|
||||||
|
|
|
||||||
Reference in a new issue