fix(messages): xss security

polonel · May 28, 2022 · b7c1518 · b7c1518
1 parent 7099d08
commit b7c1518
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 10 deletions.
diff --git a/src/helpers/utils/index.js b/src/helpers/utils/index.js
@@ -19,6 +19,7 @@ const piexifjs = require('piexifjs')
 
 const MAX_FIELD_TEXT_LENGTH = 255
 const MAX_SHORT_FIELD_TEXT_LENGTH = 25
+const MAX_EXTREME_TEXT_LENGTH = 2000
 
 module.exports.applyMaxTextLength = function (text) {
   return text.toString().substring(0, MAX_FIELD_TEXT_LENGTH)
@@ -28,6 +29,10 @@ module.exports.applyMaxShortTextLength = function (text) {
   return text.toString().substring(0, MAX_SHORT_FIELD_TEXT_LENGTH)
 }
 
+module.exports.applyExtremeTextLength = function (text) {
+  return text.toString().substring(0, MAX_EXTREME_TEXT_LENGTH)
+}
+
 module.exports.sanitizeFieldPlainText = function (text) {
   return xss(text, {
     whileList: {},

diff --git a/src/models/chat/message.js b/src/models/chat/message.js
@@ -12,12 +12,13 @@
  *  Copyright (c) 2014-2019. All rights reserved.
  */
 
-var mongoose = require('mongoose')
-var _ = require('lodash')
+const mongoose = require('mongoose')
+const _ = require('lodash')
+const utils = require('../../helpers/utils')
 
-var COLLECTION = 'messages'
+const COLLECTION = 'messages'
 
-var messageSchema = mongoose.Schema(
+const messageSchema = mongoose.Schema(
   {
     conversation: {
       type: mongoose.Schema.Types.ObjectId,
@@ -35,6 +36,12 @@ var messageSchema = mongoose.Schema(
   { timestamps: true }
 )
 
+messageSchema.pre('save', function (next) {
+  this.body = utils.sanitizeFieldPlainText(utils.applyExtremeTextLength(this.body))
+
+  next()
+})
+
 messageSchema.statics.getFullConversation = function (convoId, callback) {
   return this.model(COLLECTION)
     .find({ conversation: convoId })
@@ -65,22 +72,22 @@ messageSchema.statics.getConversationWithObject = function (object, callback) {
     return callback('Invalid Object (Must by of type Object) - MessageSchema.GetUserWithObject()', null)
   }
 
-  var self = this
-  var deletedAt = null
+  const self = this
+  let deletedAt = null
 
-  var limit = object.limit === null ? 25 : object.limit
-  var page = object.page === null ? 0 : object.page
+  const limit = object.limit === null ? 25 : object.limit
+  const page = object.page === null ? 0 : object.page
 
   if (object.requestingUser) {
-    var userMetaIdx = _.findIndex(object.userMeta, function (item) {
+    const userMetaIdx = _.findIndex(object.userMeta, function (item) {
       return item.userId.toString() === object.requestingUser._id.toString()
     })
     if (userMetaIdx !== -1 && object.userMeta[userMetaIdx].deletedAt) {
       deletedAt = new Date(object.userMeta[userMetaIdx].deletedAt)
     }
   }
 
-  var q = self
+  const q = self
     .model(COLLECTION)
     .find({})
     .sort('-createdAt')