
Commit 89e85b7

authored
fix(api): escape json body in api calls to prevent injection (#1072)
* fix(api): escape json body in api calls to prevent injection * fix(api): replace manual JSON string construction with JSON.stringify to prevent injection - Replaced template literal JSON construction with JSON.stringify() in all API methods - Fixes vulnerability where user input containing quotes would break JSON structure - Affected methods: updateMessage, deleteMessage, updateUserUsername, reactToMessage, reportMessage, starMessage, unstarMessage, pinMessage, unpinMessage, updateUserNameThroughSuggestion
1 parent c706b67 commit 89e85b7

1 file changed

Lines changed: 20 additions & 10 deletions


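--- a/packages/api/src/EmbeddedChatApi.ts
+++ b/packages/api/src/EmbeddedChatApi.ts
@@ -414,7 +414,10 @@ export default class EmbeddedChatApi {
 
 if (suggestedUsername.success) {
 const response2 = await fetch(`${this.host}/api/v1/users.update`, {
-body: `{"userId": "${userid}", "data": { "username": "${suggestedUsername.result}" }}`,
+body: JSON.stringify({
+userId: userid,
+data: { username: suggestedUsername.result },
+}),
 headers: {
 "Content-Type": "application/json",
 "X-Auth-Token": authToken,
@@ -439,7 +442,10 @@ export default class EmbeddedChatApi {
 try {
 const { userId, authToken } = (await this.auth.getCurrentUser()) || {};
 const response = await fetch(`${this.host}/api/v1/users.update`, {
-body: `{"userId": "${userid}", "data": { "username": "${newUserName}" }}`,
+body: JSON.stringify({
+userId: userid,
+data: { username: newUserName },
+}),
 headers: {
 "Content-Type": "application/json",
 "X-Auth-Token": authToken,
@@ -776,7 +782,7 @@ export default class EmbeddedChatApi {
 try {
 const { userId, authToken } = (await this.auth.getCurrentUser()) || {};
 const response = await fetch(`${this.host}/api/v1/chat.delete`, {
-body: `{"roomId": "${this.rid}", "msgId": "${msgId}"}`,
+body: JSON.stringify({ roomId: this.rid, msgId }),
 headers: {
 "Content-Type": "application/json",
 "X-Auth-Token": authToken,
@@ -794,7 +800,7 @@ export default class EmbeddedChatApi {
 try {
 const { userId, authToken } = (await this.auth.getCurrentUser()) || {};
 const response = await fetch(`${this.host}/api/v1/chat.update`, {
-body: `{"roomId": "${this.rid}", "msgId": "${msgId}","text" : "${text}" }`,
+body: JSON.stringify({ roomId: this.rid, msgId, text }),
 headers: {
 "Content-Type": "application/json",
 "X-Auth-Token": authToken,
@@ -854,7 +860,7 @@ export default class EmbeddedChatApi {
 try {
 const { userId, authToken } = (await this.auth.getCurrentUser()) || {};
 const response = await fetch(`${this.host}/api/v1/chat.starMessage`, {
-body: `{"messageId": "${mid}"}`,
+body: JSON.stringify({ messageId: mid }),
 headers: {
 "Content-Type": "application/json",
 "X-Auth-Token": authToken,
@@ -872,7 +878,7 @@ export default class EmbeddedChatApi {
 try {
 const { userId, authToken } = (await this.auth.getCurrentUser()) || {};
 const response = await fetch(`${this.host}/api/v1/chat.unStarMessage`, {
-body: `{"messageId": "${mid}"}`,
+body: JSON.stringify({ messageId: mid }),
 headers: {
 "Content-Type": "application/json",
 "X-Auth-Token": authToken,
@@ -950,7 +956,7 @@ export default class EmbeddedChatApi {
 try {
 const { userId, authToken } = (await this.auth.getCurrentUser()) || {};
 const response = await fetch(`${this.host}/api/v1/chat.pinMessage`, {
-body: `{"messageId": "${mid}"}`,
+body: JSON.stringify({ messageId: mid }),
 headers: {
 "Content-Type": "application/json",
 "X-Auth-Token": authToken,
@@ -970,7 +976,7 @@ export default class EmbeddedChatApi {
 try {
 const { userId, authToken } = (await this.auth.getCurrentUser()) || {};
 const response = await fetch(`${this.host}/api/v1/chat.unPinMessage`, {
-body: `{"messageId": "${mid}"}`,
+body: JSON.stringify({ messageId: mid }),
 headers: {
 "Content-Type": "application/json",
 "X-Auth-Token": authToken,
@@ -988,7 +994,11 @@ export default class EmbeddedChatApi {
 try {
 const { userId, authToken } = (await this.auth.getCurrentUser()) || {};
 const response = await fetch(`${this.host}/api/v1/chat.react`, {
-body: `{"messageId": "${messageId}", "emoji": "${emoji}", "shouldReact": ${shouldReact}}`,
+body: JSON.stringify({
+messageId,
+emoji,
+shouldReact,
+}),
 headers: {
 "Content-Type": "application/json",
 "X-Auth-Token": authToken,
@@ -1006,7 +1016,7 @@ export default class EmbeddedChatApi {
 try {
 const { userId, authToken } = (await this.auth.getCurrentUser()) || {};
 const response = await fetch(`${this.host}/api/v1/chat.reportMessage`, {
-body: `{"messageId": "${messageId}", "description": "${description}"}`,
+body: JSON.stringify({ messageId, description }),
 headers: {
 "Content-Type": "application/json",
 "X-Auth-Token": authToken,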
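Review bot: The fix ships without a regression test — the diffstat shows only EmbeddedChatApi.ts changed — so nothing pins the new encoding and a later edit could reintroduce a template-literal body; a unit test that stubs `fetch`, calls e.g. `updateMessage` with a `text` containing a double quote and a backslash, and asserts `JSON.parse(body).text` equals the input would cover all ten methods cheaply. Note that `JSON.stringify` also changes the wire shape in two cases the old templates did not: a key whose value is `undefined` (e.g. `msgId` or `text`) is now omitted rather than sent as the string `"undefined"`, and in the `chat.react` hunk `shouldReact` is now emitted with its runtime type, where the old template would have emitted a string `"true"` as a bare JSON literal. Both are improvements, but the method signatures that should enforce `string`/`boolean` for these parameters lie outside the hunks, so it is worth confirming they are typed strictly rather than `any`. Each enclosing method starts before and ends after its hunk.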
