rainbownapkin/canopy
1
0
Fork 0
Code Issues 5 Pull requests Projects Releases Packages Wiki Activity Actions

Improved link validation and sanatization, in order to mitigate CVE-2025-56200 from validator.js NPM package.

Browse source
This commit is contained in:
rainbow napkin 2025-10-18 07:21:17 -04:00
parent 6bab5b4723
commit 06f552a9ec
9 changed files with 38 additions and 19 deletions
Download patch file Download diff file Expand all files Collapse all files

9
src/validators/accountValidator.js
View file

@ -16,6 +16,7 @@ along with this program. If not, see <https://www.gnu.org/licenses/>.*/
//NPM Imports
const { checkSchema } = require('express-validator');
const {sanitizeUrl} = require("@braintree/sanitize-url");
//local imports
const {isRank} = require('./permissionsValidator');
@ -99,11 +100,15 @@ module.exports.img = function(field = 'img'){
isURL: {
options: {
require_tld: false,
require_host: false
require_host: false,
require_valid_protocol: true
},
errorMessage: "Invalid URL."
},
trim: true
trim: true,
customSanitizer: {
options: sanitizeUrl
}
}
});
}

6
src/validators/channelValidator.js
View file

@ -83,7 +83,11 @@ module.exports.settingsMap = function(){
},
'settingsMap.streamURL': {
optional: true,
isURL: true,
isURL: {
options:{
require_valid_protocol: true
}
},
errorMessage: "Invalid Stream URL"
}
})

5
src/validators/emoteValidator.js
View file

@ -48,7 +48,8 @@ module.exports.link = function(field = 'link'){
isURL: {
options: {
require_tld: false,
require_host: false
require_host: false,
require_valid_protocol: true
},
errorMessage: "Invalid URL."
},
@ -76,7 +77,7 @@ module.exports.manualLink = function(input){
const clean = validator.trim(input)
//If we have a URL return the trimmed input
if(validator.isURL(clean)){
if(validator.isURL(clean,{require_valid_protocol: true})){
return clean;
}