Hardened websocket entrypoints to not cause exceptions on badly formatted requests

jsvennevid-ea · jsvennevid · commit c13ba548088b · 2015-09-10T12:16:04.000+02:00
diff --git a/lib/streaming.io.js b/lib/streaming.io.js
@@ -1,7 +1,9 @@
 var client = require('streaming.io-client'),
     Registry = require('./registry'),
     compress = require('./compress').compress,
-    debug = require('debug')('streaming.io:server');
+    debug = require('debug')('streaming.io:server'),
+    assert = require('assert'),
+    _ = require('underscore');
 
 exports = module.exports = Streaming;
 
@@ -16,6 +18,16 @@ var registry;
 function setupIo(io, service) {
     io.on('connection', function (socket) {
         socket.on('stream', function (message, callback) {
+            try {
+                assert(_.isObject(message), "message is not an object");
+                assert(_.isString(message.url), "url not a string");
+                assert(_.isFunction(callback), "no callback provided");
+            } catch (e) {
+                debug("socket(%s) - invalid stream message: %s", socket.id, e.message);
+                _.isFunction(callback) && callback("Invalid request");
+                return;
+            }
+
             debug("socket(%s) - streaming '%s'", socket.id, message.url);
 
             var readMessage = {
@@ -38,11 +50,30 @@ function setupIo(io, service) {
         });
 
         socket.on('unstream', function (message, callback) {
+            try {
+                assert(_.isObject(message), "message is not an object");
+                assert(_.isString(message.url), "url not a string");
+                assert(_.isFunction(callback), "no callback provided");
+            } catch (e) {
+                debug("socket(%s) - invalid unstream message: %s", socket.id, e.message);
+                _.isFunction(callback) && callback("Invalid request");
+                return;
+            }
+
             registry.removeSubscription(socket, message.url);
             callback(null);
         });
 
         socket.on('sync', function (message, callback) {
+            try {
+                assert(_.isObject(message), "message is not an object");
+                assert(_.isFunction(callback), "no callback provided");
+            } catch (e) {
+                debug("socket(%s) - invalid sync message: %s", socket.id, e.message);
+                _.isFunction(callback) && callback("Invalid request");
+                return;
+            }
+
             debug("socket(%s) - op '%s' : %s", socket.id, message.method, message.url);
             service.sync(socket, message, function (err, response) {
                 if (err) {
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
 	"name": "streaming.io",
-	"version": "0.3.8",
+	"version": "0.3.9",
 
 	"repository": {
 		"type": "git",

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "streaming.io",`
`3`		`- "version": "0.3.8",`
	`3`	`+ "version": "0.3.9",`
`4`	`4`
`5`	`5`	`"repository": {`
`6`	`6`	`"type": "git",`