Improved link validation and sanatization, in order to mitigate CVE-2025-56200 from validator.js NPM package.

2025-10-18 07:21:17 -04:00 · 2025-10-18 07:21:17 -04:00 · 06f552a9ec
commit 06f552a9ec
parent 6bab5b4723
9 changed files with 38 additions and 19 deletions
--- a/src/app/channel/media/playlistHandler.js
+++ b/src/app/channel/media/playlistHandler.js
@ -120,12 +120,12 @@ class playlistHandler{
     */
    async addToPlaylistValidator(socket, url){
        //If we where given a bad URL
-        if(typeof url != 'string' || !validator.isURL(url)){
+        if(typeof url != 'string' || !validator.isURL(url,{require_valid_protocol: true})){
            //Attempt to fix the situation by encoding it
            url = encodeURI(url);

            //If it's still bad
-            if(typeof url != 'string' || !validator.isURL(url)){
+            if(typeof url != 'string' || !validator.isURL(url,{require_valid_protocol: true})){
                //Bitch, moan, complain...
                loggerUtils.socketErrorHandler(socket, "Bad URL!", "validation");
                //and ignore it!
--- a/src/app/channel/media/queue.js
+++ b/src/app/channel/media/queue.js
@ -132,12 +132,12 @@ class queue{
                let url = data.url;

                //If we where given a bad URL
-                if(!validator.isURL(url)){
+                if(!validator.isURL(url,{require_valid_protocol: true})){
                    //Attempt to fix the situation by encoding it
                    url = encodeURI(url);

                    //If it's still bad
-                    if(!validator.isURL(url)){
+                    if(!validator.isURL(url,{require_valid_protocol: true})){
                        //Bitch, moan, complain...
                        loggerUtils.socketErrorHandler(socket, "Bad URL!", "validation");
                        //and ignore it!