Skip to content

Fix critical socket authorization issues#170

Merged
coder13 merged 2 commits into
devfrom
codex/fix-critical-high-audit
Jul 9, 2026
Merged

Fix critical socket authorization issues#170
coder13 merged 2 commits into
devfrom
codex/fix-critical-high-audit

Conversation

@coder13

@coder13 coder13 commented Jul 9, 2026

Copy link
Copy Markdown
Owner

Summary

  • prevent the Express session signing secret from being sent as the Engine.IO cookie name
  • authorize room deletion against the persisted target room owner or admin
  • replace the removed Socket.IO 3 remoteLeave calls with Socket.IO 4 socketsLeave
  • persist kick and ban state before ejecting sockets, then reject every later room event when inRoom is false or the user is banned
  • contain synchronous throws and rejected promises from all room event handlers, with safe optional acknowledgements for join/create/delete events
  • reject anonymous joins to identity-required rooms without dereferencing a missing user

Root Cause

The Socket.IO configuration reused AUTH_SECRET as an Engine.IO cookie name. Room deletion checked authority on the caller's current room while deleting an arbitrary client-supplied room ID. The Socket.IO 4 adapter no longer implements remoteLeave.

Replacing remoteLeave alone was insufficient: it removed adapter room membership but left socket.roomId intact, so a hostile client could ignore the kick/ban notification and keep sending mutations. Async Socket.IO listeners were also registered directly, allowing malformed payloads or missing acknowledgement callbacks to escape as unhandled rejections under Node 22.

Security Behavior

Room event middleware now reloads persisted room state and requires authenticated users to remain present and unbanned. Kick and ban operations save that state before notifying and removing sockets from adapter rooms. A shared handler wrapper catches synchronous and asynchronous failures and returns a generic error without exposing internal details.

Validation

  • yarn workspace letscube-server lint
  • yarn workspace letscube-server test --runInBand — 4 suites, 10 tests
  • repository pre-commit gate: yarn lint && yarn test — client and server checks passed

coder13 added 2 commits July 9, 2026 11:01
Prevent the session secret from becoming an Engine.IO cookie name, authorize deletion against the target room, and use the Socket.IO 4 eviction API for kicks and bans.
Reject events from kicked or banned room members and safely contain malformed socket handlers so hostile payloads cannot terminate the process.
@coder13 coder13 changed the base branch from master to dev July 9, 2026 19:43
@coder13 coder13 marked this pull request as ready for review July 9, 2026 19:43
@coder13 coder13 merged commit cffc2ea into dev Jul 9, 2026
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant