

CVE-2023-30591: fix: don't crash on objects with toString property · NodeBB/NodeBB@4d2d768

Denial-of-service in NodeBB <= v2.8.10 allows unauthenticated attackers to trigger a crash when eventName.startsWith() or eventName.toString() is invoked while processing crafted Socket.IO messages whose event name is an array or an object type, respectively.


Expand Up @@ -112,48 +112,49 @@ async function onMessage(socket, payload) { return winston.warn('[socket.io] Empty payload’); }
const eventName = payload.data[0]; let eventName = payload.data[0]; const params = typeof payload.data[1] === ‘function’ ? {} : payload.data[1]; const callback = typeof payload.data[payload.data.length - 1] === ‘function’ ? payload.data[payload.data.length - 1] : function () {};
if (!eventName) { return winston.warn('[socket.io] Empty method name’); }
if (typeof eventName !== ‘string’) { const escapedName = validator.escape(String(eventName)); return callback({ message: `[[error:invalid-event, ${escapedName}]]` }); } try { if (!eventName) { return winston.warn('[socket.io] Empty method name’); }
const parts = eventName.split(‘.’); const namespace = parts[0]; const methodToCall = parts.reduce((prev, cur) => { if (prev !== null && prev[cur] && (!prev.hasOwnProperty || prev.hasOwnProperty(cur))) { return prev[cur]; if (typeof eventName !== ‘string’) { eventName = typeof eventName; const escapedName = validator.escape(eventName); return callback({ message: `[[error:invalid-event, ${escapedName}]]` }); } return null; }, Namespaces);
if (!methodToCall || typeof methodToCall !== ‘function’) { if (process.env.NODE_ENV === ‘development’) { winston.warn(`[socket.io] Unrecognized message: ${eventName}`); const parts = eventName.split(‘.’); const namespace = parts[0]; const methodToCall = parts.reduce((prev, cur) => { if (prev !== null && prev[cur] && (!prev.hasOwnProperty || prev.hasOwnProperty(cur))) { return prev[cur]; } return null; }, Namespaces);
if (!methodToCall || typeof methodToCall !== ‘function’) { if (process.env.NODE_ENV === ‘development’) { winston.warn(`[socket.io] Unrecognized message: ${eventName}`); } const escapedName = validator.escape(String(eventName)); return callback({ message: `[[error:invalid-event, ${escapedName}]]` }); } const escapedName = validator.escape(String(eventName)); return callback({ message: `[[error:invalid-event, ${escapedName}]]` }); }
socket.previousEvents = socket.previousEvents || []; socket.previousEvents.push(eventName); if (socket.previousEvents.length > 20) { socket.previousEvents.shift(); } socket.previousEvents = socket.previousEvents || []; socket.previousEvents.push(eventName); if (socket.previousEvents.length > 20) { socket.previousEvents.shift(); }
if (!eventName.startsWith(‘admin.’) && ratelimit.isFlooding(socket)) { winston.warn(`[socket.io] Too many emits! Disconnecting uid : ${socket.uid}. Events : ${socket.previousEvents}`); return socket.disconnect(); } if (!eventName.startsWith(‘admin.’) && ratelimit.isFlooding(socket)) { winston.warn(`[socket.io] Too many emits! Disconnecting uid : ${socket.uid}. Events : ${socket.previousEvents}`); return socket.disconnect(); }
try { await checkMaintenance(socket); await validateSession(socket, '[[error:revalidate-failure]]');
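Review bot: The non-string branch reassigns `eventName = typeof eventName;` purely to build the error message, which is why `const eventName` had to become `let`; the guard itself is the right fix (rejecting non-strings before any `.split`/`.startsWith` call), but the reassignment reads as if the variable is reused afterwards when it is not. Keeping the binding `const` and writing `const escapedName = validator.escape(typeof eventName);` gives the same message and the same safe early `return callback(...)` without mutating the name that later code branches on. Once that guard is in place, the `String(eventName)` in the unrecognized-message branch is redundant since `eventName` can only be a string there; `validator.escape(eventName)` would make the invariant visible. This rendered hunk interleaves the old and new lines without markers, so the exact new-side text is inferred; `onMessage` begins before this hunk and its body continues past it.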
