fix: resolve 5 critical vulnerabilities from L3 security audit

fix: resolve 5 critical vulnerabilities from L3 security audit
This commit is contained in:
Renato Alcara
2026-02-11 00:32:13 -03:00
committed by GitHub
8 changed files with 95 additions and 45 deletions
+6 -3
View File
@@ -3,7 +3,7 @@ import { Boom } from '@hapi/boom'
import { randomBytes } from 'crypto'
import Long from 'long'
import { proto } from '../../WAProto/index.js'
import { DEFAULT_CACHE_TTLS, KEY_BUNDLE_TYPE, MIN_PREKEY_COUNT, STATUS_EXPIRY_SECONDS } from '../Defaults'
import { DEFAULT_CACHE_TTLS, DEFAULT_SESSION_CLEANUP_CONFIG, KEY_BUNDLE_TYPE, MIN_PREKEY_COUNT, STATUS_EXPIRY_SECONDS } from '../Defaults'
import { metrics, recordMessageReceived, recordHistorySyncMessages, recordMessageRetry, recordMessageFailure } from '../Utils/prometheus-metrics.js'
import type {
GroupParticipant,
@@ -76,8 +76,11 @@ export const makeMessagesRecvSocket = (config: SocketConfig) => {
getMessage,
shouldIgnoreJid,
enableAutoSessionRecreation,
enableCTWARecovery
enableCTWARecovery,
sessionCleanupConfig
} = config
// Use nullish coalescing to handle partial config properly
const autoCleanCorrupted = sessionCleanupConfig?.autoCleanCorrupted ?? DEFAULT_SESSION_CLEANUP_CONFIG.autoCleanCorrupted
const sock = makeMessagesSocket(config)
const {
ev,
@@ -1227,7 +1230,7 @@ export const makeMessagesRecvSocket = (config: SocketConfig) => {
category,
author,
decrypt
} = decryptMessageNode(node, authState.creds.me!.id, authState.creds.me!.lid || '', signalRepository, logger)
} = decryptMessageNode(node, authState.creds.me!.id, authState.creds.me!.lid || '', signalRepository, logger, autoCleanCorrupted)
const alt = msg.key.participantAlt || msg.key.remoteJidAlt
// Handle LID/PN mappings with hybrid approach:
+6 -1
View File
@@ -506,12 +506,17 @@ export const makeSocket = (config: SocketConfig) => {
const sessionActivityTracker = makeSessionActivityTracker(keys, logger)
// Session cleanup manager - removes inactive/orphaned sessions
// Merge user config with defaults to prevent partial overrides from breaking cleanup
const sessionCleanupConfig = {
...DEFAULT_SESSION_CLEANUP_CONFIG,
...(config.sessionCleanupConfig || {})
}
const sessionCleanup = makeSessionCleanup(
keys,
signalRepository.lidMapping,
sessionActivityTracker,
logger,
DEFAULT_SESSION_CLEANUP_CONFIG
sessionCleanupConfig
)
let lastDateRecv: Date