Skip to content

Security: PATCH /session/:sessionId missing TypeBox body schema — AJV does not validate request body #248

Description

@LucasMaupin

Summary

The `PATCH /session/:sessionId` route handler declares `Body: SdpAnswer` in its TypeScript generic, but the Fastify schema object omits the `body:` key. This means AJV/Fastify does not validate the request body at all — any payload is accepted and passed to the SDP handler.

Affected File

  • `src/api_productions.ts` (~line 748–764)

Vulnerable Code

fastify.patch<{
  Params: { sessionId: string };
  Body: SdpAnswer;
}>(
  '/session/:sessionId',
  {
    schema: {
      // ❌ body: SdpAnswer is NOT here — AJV skips body validation entirely
      params: SessionIdParams,
      response: { ... }
    }
  },
  async (request, reply) => { ... }
);

Risk

  • A malformed SDP answer string passes unvalidated to the SDP processing logic
  • An oversized payload (up to Fastify's 1 MiB default limit) is accepted with no `maxLength` guard on `sdpAnswer`

Recommendation

Add `body: SdpAnswer` to the schema object:

schema: {
  params: SessionIdParams,
  body: SdpAnswer,   // ✅ add this
  response: { ... }
}

Also add `maxLength` to `SdpAnswer.sdpAnswer` in `models.ts` (see also #239):

export const SdpAnswer = Type.Object({
  sdpAnswer: Type.String({ maxLength: 65536 })
});

Severity

Medium — Body is processed unsanitised; defence-in-depth requires schema enforcement.


Found by automated security audit.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions