Summary
The `PATCH /session/:sessionId` route handler declares `Body: SdpAnswer` in its TypeScript generic, but the Fastify schema object omits the `body:` key. This means AJV/Fastify does not validate the request body at all — any payload is accepted and passed to the SDP handler.
Affected File
- `src/api_productions.ts` (~line 748–764)
Vulnerable Code
fastify.patch<{
Params: { sessionId: string };
Body: SdpAnswer;
}>(
'/session/:sessionId',
{
schema: {
// ❌ body: SdpAnswer is NOT here — AJV skips body validation entirely
params: SessionIdParams,
response: { ... }
}
},
async (request, reply) => { ... }
);
Risk
- A malformed SDP answer string passes unvalidated to the SDP processing logic
- An oversized payload (up to Fastify's 1 MiB default limit) is accepted with no `maxLength` guard on `sdpAnswer`
Recommendation
Add `body: SdpAnswer` to the schema object:
schema: {
params: SessionIdParams,
body: SdpAnswer, // ✅ add this
response: { ... }
}
Also add `maxLength` to `SdpAnswer.sdpAnswer` in `models.ts` (see also #239):
export const SdpAnswer = Type.Object({
sdpAnswer: Type.String({ maxLength: 65536 })
});
Severity
Medium — Body is processed unsanitised; defence-in-depth requires schema enforcement.
Found by automated security audit.
Summary
The `PATCH /session/:sessionId` route handler declares `Body: SdpAnswer` in its TypeScript generic, but the Fastify schema object omits the `body:` key. This means AJV/Fastify does not validate the request body at all — any payload is accepted and passed to the SDP handler.
Affected File
Vulnerable Code
Risk
Recommendation
Add `body: SdpAnswer` to the schema object:
Also add `maxLength` to `SdpAnswer.sdpAnswer` in `models.ts` (see also #239):
Severity
Medium — Body is processed unsanitised; defence-in-depth requires schema enforcement.
Found by automated security audit.