From b7c15180b6d4e556ad05d0881eb72d8b2f1637a0 Mon Sep 17 00:00:00 2001
From: Chris Brame
Date: Sat, 28 May 2022 03:01:44 -0400
Subject: [PATCH] fix(messages): xss security

---
 src/helpers/utils/index.js | 5 +++++
 src/models/chat/message.js | 27 +++++++++++++++++----------
 2 files changed, 22 insertions(+), 10 deletions(-)

diff --git a/src/helpers/utils/index.js b/src/helpers/utils/index.js
index adaab761f..577fb2f16 100644
--- a/src/helpers/utils/index.js
+++ b/src/helpers/utils/index.js
@@ -19,6 +19,7 @@ const piexifjs = require('piexifjs')
 
 const MAX_FIELD_TEXT_LENGTH = 255
 const MAX_SHORT_FIELD_TEXT_LENGTH = 25
+const MAX_EXTREME_TEXT_LENGTH = 2000
 
 module.exports.applyMaxTextLength = function (text) {
   return text.toString().substring(0, MAX_FIELD_TEXT_LENGTH)
@@ -28,6 +29,10 @@ module.exports.applyMaxShortTextLength = function (text) {
   return text.toString().substring(0, MAX_SHORT_FIELD_TEXT_LENGTH)
 }
 
+module.exports.applyExtremeTextLength = function (text) {
+  return text.toString().substring(0, MAX_EXTREME_TEXT_LENGTH)
+}
+
 module.exports.sanitizeFieldPlainText = function (text) {
   return xss(text, {
     whileList: {},
diff --git a/src/models/chat/message.js b/src/models/chat/message.js
index f0953d78a..e788bc8d7 100644
--- a/src/models/chat/message.js
+++ b/src/models/chat/message.js
@@ -12,12 +12,13 @@
  * Copyright (c) 2014-2019. All rights reserved.
  */
 
-var mongoose = require('mongoose')
-var _ = require('lodash')
+const mongoose = require('mongoose')
+const _ = require('lodash')
+const utils = require('../../helpers/utils')
 
-var COLLECTION = 'messages'
+const COLLECTION = 'messages'
 
-var messageSchema = mongoose.Schema(
+const messageSchema = mongoose.Schema(
   {
     conversation: {
       type: mongoose.Schema.Types.ObjectId,
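Review bot: `whileList: {},` at the end of the second hunk is a misspelling of the option the new pre-save hook's XSS fix depends on — assuming `xss` here is the js-xss package, its option is `whiteList`, so the empty whitelist is silently ignored and the library falls back to its default tag whitelist instead of stripping every tag; change the line to `whiteList: {},`. The new applyExtremeTextLength mirrors the two helpers above it, including the `text.toString()` call that throws on null or undefined input, so that contract should be written down for callers: `/** Truncates text to MAX_EXTREME_TEXT_LENGTH (2000) UTF-16 code units; input must be non-null. */`. Because String#substring counts UTF-16 code units, a cut at exactly 2000 can split a surrogate pair, which is harmless for storage but worth knowing if the value is later rendered. sanitizeFieldPlainText's body continues outside the hunk.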
@@ -35,6 +36,12 @@ var messageSchema = mongoose.Schema(
   { timestamps: true }
 )
 
+messageSchema.pre('save', function (next) {
+  this.body = utils.sanitizeFieldPlainText(utils.applyExtremeTextLength(this.body))
+
+  next()
+})
+
 messageSchema.statics.getFullConversation = function (convoId, callback) {
   return this.model(COLLECTION)
     .find({ conversation: convoId })
@@ -65,14 +72,14 @@ messageSchema.statics.getConversationWithObject = function (object, callback) {
     return callback('Invalid Object (Must by of type Object) - MessageSchema.GetUserWithObject()', null)
   }
 
-  var self = this
-  var deletedAt = null
+  const self = this
+  let deletedAt = null
 
-  var limit = object.limit === null ? 25 : object.limit
-  var page = object.page === null ? 0 : object.page
+  const limit = object.limit === null ? 25 : object.limit
+  const page = object.page === null ? 0 : object.page
 
   if (object.requestingUser) {
-    var userMetaIdx = _.findIndex(object.userMeta, function (item) {
+    const userMetaIdx = _.findIndex(object.userMeta, function (item) {
       return item.userId.toString() === object.requestingUser._id.toString()
     })
     if (userMetaIdx !== -1 && object.userMeta[userMetaIdx].deletedAt) {
@@ -80,7 +87,7 @@ messageSchema.statics.getConversationWithObject = function (object, callback) {
     }
   }
 
-  var q = self
+  const q = self
     .model(COLLECTION)
     .find({})
     .sort('-createdAt')
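Review bot: The new `messageSchema.pre('save', …)` hook only fires for document save(), so if any code path writes a message body through a query helper such as updateOne or findOneAndUpdate, that body is stored unsanitized; if such paths exist, apply the same sanitization there or at the request boundary rather than relying on this hook alone. The hook also passes `this.body` straight into applyExtremeTextLength, whose `text.toString()` throws for a null or undefined body, and it re-runs the sanitizer on every save even when body is untouched — wrapping the assignment in `if (this.isModified('body') && this.body != null) {` handles both (assuming body is not a required field; if it is, the null guard is redundant but harmless). Truncation happens before escaping, and escaping `<`/`>` lengthens the string, so the stored body can exceed 2000 characters; if the limit is meant as a storage bound, truncate after sanitizing instead.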
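Review bot: `const limit = object.limit === null ? 25 : object.limit` and the `page` line under it substitute the defaults only for an explicit null, so a caller that omits the property hands `undefined` down to the query; `const limit = object.limit ?? 25` and `const page = object.page ?? 0` cover both cases (the `??` operator needs an ES2020-capable Node runtime — verify the project's target). If limit originates from a request parameter, consider capping it as well, since an unbounded value lets a single call pull an entire conversation. getConversationWithObject starts before and continues after this hunk.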