fix(security): prevent log injection in WebSocket message logging

Sanitize WebSocket messages before logging to prevent log injection attacks.
User-controlled data from WebSocket messages could contain newline characters
that allow forging fake log entries.

Changes:
- Convert message object to JSON string and remove newlines/carriage returns
- Use format specifier (%s) for safe string interpolation
- Applied fix to providers/WebSocketProvider.tsx and hooks/useWebsockets.ts

Resolves CodeQL security alert js/log-injection

Co-authored-by: GitHub Copilot Autofix <noreply@github.com>
This commit is contained in:
Uruk
2025-11-07 22:35:53 +01:00
parent 118c24ee05
commit 2c0ed076d5
2 changed files with 6 additions and 2 deletions


@@ -96,7 +96,9 @@ export const useWebSocket = ({
| Record<string, string>
| undefined; // Arguments are Dictionary<string, string>
console.log("[WS] ~ ", lastMessage);
// Sanitize output to avoid log injection
const msgStr = JSON.stringify(lastMessage).replaceAll(/[\n\r]/g, " ");
console.log("[WS] ~ %s", msgStr);
if (command === "PlayPause") {
console.log("Command ~ PlayPause");
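Review bot: The new sanitizing line throws if `lastMessage` is ever `undefined`, because `JSON.stringify(undefined)` returns `undefined` rather than a string and `.replaceAll` is then called on it; the `| undefined` in the type just above suggests the hook can run before a message has arrived, which the replaced `console.log("[WS] ~ ", lastMessage)` handled fine. A null-safe form keeps the intent: `const msgStr = (JSON.stringify(lastMessage) ?? "undefined").replaceAll(/[\n\r]/g, " ");`. Note also that `JSON.stringify` already escapes CR/LF inside string values as `\n`/`\r`, so the `replaceAll` is only a safety net for raw line breaks, not the primary defence, and it does not touch other control characters a log viewer might interpret; `replaceAll` also needs an ES2021 lib target, which I cannot confirm from here. The enclosing `useWebSocket` body starts and ends outside this hunk, and the hunk header counts more lines than are shown, so some context may be missing.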


@@ -96,7 +96,9 @@ export const WebSocketProvider = ({ children }: WebSocketProviderProps) => {
newWebSocket.onmessage = (e) => {
try {
const message = JSON.parse(e.data);
console.log("[WS] Received message:", message);
// Sanitize output to avoid log injection
const msgStr = JSON.stringify(message).replaceAll(/[\n\r]/g, " ");
console.log("[WS] Received message: %s", msgStr);
setLastMessage(message); // Store the last message in context
} catch (error) {
console.error("Error parsing WebSocket message:", error);
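Review bot: The sanitized path covers only the successfully parsed message; the `catch` branch still logs `error` as a raw object, and for a `JSON.parse` failure the engine's message may embed a fragment of the attacker-controlled `e.data`, so the log-injection alert is only partly closed for this handler (I cannot confirm the exact error text from here). Applying the same treatment there keeps both paths consistent: `const errStr = String(error instanceof Error ? error.message : error).replaceAll(/[\n\r]/g, " "); console.error("Error parsing WebSocket message: %s", errStr);`. As in the hook, `JSON.stringify` already escapes CR/LF inside string values, so the `replaceAll` on the new line is a safety net rather than the main sanitizer. The `onmessage` handler and the `WebSocketProvider` body continue past the end of this hunk.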