fix: guard against prototype pollution
barisusakli committed Oct 25, 2021
1 parent c8b2fc4 commit 1783f91
Showing 1 changed file with 3 additions and 2 deletions.
5 changes: 3 additions & 2 deletions src/socket.io/uploads.js
@@ -15,11 +15,12 @@ uploads.upload = async function (socket, data) {
'user.updateCover': socketUser.updateCover,
'groups.cover.update': socketGroup.cover.update,
};
if (!socket.uid || !data || !data.chunk || !data.params || !data.params.method || !methodToFunc[data.params.method]) {
if (!socket.uid || !data || !data.chunk ||
!data.params || !data.params.method || !methodToFunc.hasOwnProperty(data.params.method)) {
throw new Error('[[error:invalid-data]]');
}

inProgress[socket.id] = inProgress[socket.id] || {};
inProgress[socket.id] = inProgress[socket.id] || Object.create(null);
const socketUploads = inProgress[socket.id];
const { method } = data.params;

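Review bot: The allow-list check in the new `if` still calls `hasOwnProperty` through the `methodToFunc` instance and never confirms that `data.params.method` is a string, so a non-string value is coerced to a key here and presumably again wherever `method` indexes `socketUploads` below the hunk. Writing the last clause as `typeof data.params.method !== 'string' || !Object.prototype.hasOwnProperty.call(methodToFunc, data.params.method)` makes the check independent of the prototype chain and fixes the key type. The `Object.create(null)` container is a sensible second layer, but it only covers the per-socket map; whether `inProgress` itself is a plain object is not visible in this hunk. The commit touches a single file, so a regression test that sends an inherited property name as `params.method` and expects `[[error:invalid-data]]` would be worth adding. The body of `uploads.upload` continues past the end of the hunk.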
