[mirotalk] - improve security

Miroslav Pejic
2025-02-01 18:43:02 +01:00
parent 1b97dafe49
commit 60ee73580b
2 changed files with 66 additions and 7 deletions
+28 -3
@@ -1,9 +1,11 @@
'use strict';
const checkXSS = require('./xss.js');
const path = require('path');
const checkXSS = require('./XSS.js');
function isValidRoomName(input) {
if (typeof input !== 'string') {
if (!input || typeof input !== 'string') {
return false;
}
const room = checkXSS(input);
@@ -11,8 +13,31 @@ function isValidRoomName(input) {
}
function hasPathTraversal(input) {
if (!input || typeof input !== 'string') {
return false;
}
let decodedInput = input;
try {
decodedInput = decodeURIComponent(input);
decodedInput = decodeURIComponent(decodedInput);
} catch (err) {}
const pathTraversalPattern = /(\.\.(\/|\\))+/;
return pathTraversalPattern.test(input);
const excessiveDotsPattern = /(\.{4,}\/+|\.{4,}\\+)/;
const complexTraversalPattern = /(\.{2,}(\/+|\\+))/;
if (complexTraversalPattern.test(decodedInput)) {
return true;
}
const normalizedPath = path.normalize(decodedInput);
if (pathTraversalPattern.test(normalizedPath) || excessiveDotsPattern.test(normalizedPath)) {
return true;
}
return false;
}
module.exports = {
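Review bot: The rewritten hasPathTraversal still lets a bare `..` segment through, because every pattern it applies — `pathTraversalPattern` (`/(\.\.(\/|\\))+/`), `complexTraversalPattern` and `excessiveDotsPattern` — requires a separator after the dots, so inputs like `..`, `Room/..` or `%2e%2e` fall to `return false` even though `path.normalize` leaves them as `..`, and a later join with a base directory would resolve to the parent. Checking dot-dot segments on the normalized path without demanding a trailing separator closes this: `const dotDotSegment = /(^|[\/\\])\.\.([\/\\]|$)/;` followed by `if (dotDotSegment.test(normalizedPath)) { return true; }` next to the existing `normalizedPath` test. Separately, the empty `catch (err) {}` around the two `decodeURIComponent` calls means an input with a malformed percent-escape (a stray `%`) is tested in its raw, undecoded form; if room names are not expected to contain a literal `%`, treating a failed decode as invalid (return `true`, or reject in the caller) is safer than silently falling back to the raw string. Note also that `path.normalize` is platform-specific, so on a POSIX host backslash sequences are only caught by the regexes run before normalization. The `module.exports` object at the end of the hunk continues outside it.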
+38 -4
@@ -1,12 +1,12 @@
'use strict';
// npx mocha test-validator.js
// npx mocha test-Validator.js
require('should');
const checkValidator = require('../app/src/validate');
describe('test-validate', () => {
describe('test-Validator', () => {
describe('1. Handling invalid room name', () => {
it('should return false for non-string inputs', () => {
checkValidator.isValidRoomName(123).should.be.false();
@@ -42,7 +42,7 @@ describe('test-validate', () => {
});
});
describe('3. Handle path traversal', () => {
describe('2. Handle path traversal', () => {
it('should return false for strings without path traversal', () => {
checkValidator.hasPathTraversal('Room1').should.be.false();
checkValidator.hasPathTraversal('Rec_Test.webm').should.be.false();
@@ -63,9 +63,43 @@ describe('test-validate', () => {
});
it('should return true for complex path traversal patterns', () => {
checkValidator.hasPathTraversal('....//').should.be.true();
checkValidator.hasPathTraversal('..//').should.be.true();
checkValidator.hasPathTraversal('..\\..\\').should.be.true();
checkValidator.hasPathTraversal('../../').should.be.true();
checkValidator.hasPathTraversal('.../../').should.be.true();
checkValidator.hasPathTraversal('....//').should.be.true();
checkValidator.hasPathTraversal('..//..//..//').should.be.true();
});
it('should return true for URL-encoded path traversal', () => {
checkValidator.hasPathTraversal('%2e%2e%2fRoom').should.be.true();
checkValidator.hasPathTraversal('%2e%2e%2f%2e%2e%2fRoom').should.be.true();
checkValidator.hasPathTraversal('%252e%252e%252f').should.be.true();
});
it('should return false for valid absolute paths', () => {
checkValidator.hasPathTraversal('/etc/passwd').should.be.false();
checkValidator.hasPathTraversal('C:\\Windows\\System32').should.be.false();
});
it('should return false for non-traversal relative paths', () => {
checkValidator.hasPathTraversal('Room/Room2').should.be.false();
checkValidator.hasPathTraversal('C:\\SomeDir\\OtherDir').should.be.false();
});
it('should return false for excessively long path inputs', () => {
const longPath = 'Room/'.repeat(1000);
checkValidator.hasPathTraversal(longPath).should.be.false();
});
it('should return false for paths with Windows reserved filenames', () => {
checkValidator.hasPathTraversal('C:\\CON\\myfile.txt').should.be.false();
checkValidator.hasPathTraversal('C:\\NUL\\myfile.txt').should.be.false();
});
it('should return false for valid Windows paths with backslashes', () => {
checkValidator.hasPathTraversal('C:\\Program Files\\MyApp').should.be.false();
checkValidator.hasPathTraversal('C:\\SomeDir\\OtherDir\\File.txt').should.be.false();
});
});
});
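Review bot: The new cases under `'should return true for complex path traversal patterns'` and `'should return true for URL-encoded path traversal'` all carry a separator after the dots, so the suite never exercises a bare `..` segment (`..`, `Room/..`, `%2e%2e`), which is precisely the shape that slips past patterns anchored on `../`. Adding `checkValidator.hasPathTraversal('..').should.be.true();` and `checkValidator.hasPathTraversal('Room/..').should.be.true();` to that block would pin the intended behaviour; given the regexes the validator uses in this commit I would expect both to fail, which is the reason to add them. A case with a stray `%` (e.g. `'100%'`) would also document whether a malformed escape is meant to pass, since the validator swallows the `decodeURIComponent` error. The describe block is renumbered from `3.` to `2.` here, but its siblings are outside the hunk, so I can't confirm the numbering is now consecutive.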