feat(security): enhance input validation and security measures across various routes

2026-03-04 08:39:29 +01:00
parent ba096a31a2
commit e22a895672
13 changed files with 222 additions and 29 deletions
--- a/server/routes/federation.js
+++ b/server/routes/federation.js
@@ -161,6 +161,16 @@ router.post('/receive', federationReceiveLimiter, async (req, res) => {
            return res.status(400).json({ error: 'Incomplete invitation payload' });
        }

+        // Validate join_url scheme to prevent javascript: or other malicious URIs
+        try {
+            const parsedUrl = new URL(join_url);
+            if (parsedUrl.protocol !== 'https:' && parsedUrl.protocol !== 'http:') {
+                return res.status(400).json({ error: 'join_url must use https:// or http://' });
+            }
+        } catch {
+            return res.status(400).json({ error: 'Invalid join_url format' });
+        }
+
        // S4: validate field lengths from remote to prevent oversized DB entries
        if (invite_id.length > 100 || from_user.length > 200 || to_user.length > 200 ||
            room_name.length > 200 || join_url.length > 2000 || (message && message.length > 5000)) {