fix: resolve 5 critical vulnerabilities from L3 security audit
fix: resolve 5 critical vulnerabilities from L3 security audit
This commit is contained in:
@@ -3,7 +3,7 @@ import { Boom } from '@hapi/boom'
|
||||
import { randomBytes } from 'crypto'
|
||||
import Long from 'long'
|
||||
import { proto } from '../../WAProto/index.js'
|
||||
import { DEFAULT_CACHE_TTLS, KEY_BUNDLE_TYPE, MIN_PREKEY_COUNT, STATUS_EXPIRY_SECONDS } from '../Defaults'
|
||||
import { DEFAULT_CACHE_TTLS, DEFAULT_SESSION_CLEANUP_CONFIG, KEY_BUNDLE_TYPE, MIN_PREKEY_COUNT, STATUS_EXPIRY_SECONDS } from '../Defaults'
|
||||
import { metrics, recordMessageReceived, recordHistorySyncMessages, recordMessageRetry, recordMessageFailure } from '../Utils/prometheus-metrics.js'
|
||||
import type {
|
||||
GroupParticipant,
|
||||
@@ -76,8 +76,11 @@ export const makeMessagesRecvSocket = (config: SocketConfig) => {
|
||||
getMessage,
|
||||
shouldIgnoreJid,
|
||||
enableAutoSessionRecreation,
|
||||
enableCTWARecovery
|
||||
enableCTWARecovery,
|
||||
sessionCleanupConfig
|
||||
} = config
|
||||
// Use nullish coalescing to handle partial config properly
|
||||
const autoCleanCorrupted = sessionCleanupConfig?.autoCleanCorrupted ?? DEFAULT_SESSION_CLEANUP_CONFIG.autoCleanCorrupted
|
||||
const sock = makeMessagesSocket(config)
|
||||
const {
|
||||
ev,
|
||||
@@ -1227,7 +1230,7 @@ export const makeMessagesRecvSocket = (config: SocketConfig) => {
|
||||
category,
|
||||
author,
|
||||
decrypt
|
||||
} = decryptMessageNode(node, authState.creds.me!.id, authState.creds.me!.lid || '', signalRepository, logger)
|
||||
} = decryptMessageNode(node, authState.creds.me!.id, authState.creds.me!.lid || '', signalRepository, logger, autoCleanCorrupted)
|
||||
|
||||
const alt = msg.key.participantAlt || msg.key.remoteJidAlt
|
||||
// Handle LID/PN mappings with hybrid approach:
|
||||
|
||||
@@ -506,12 +506,17 @@ export const makeSocket = (config: SocketConfig) => {
|
||||
const sessionActivityTracker = makeSessionActivityTracker(keys, logger)
|
||||
|
||||
// Session cleanup manager - removes inactive/orphaned sessions
|
||||
// Merge user config with defaults to prevent partial overrides from breaking cleanup
|
||||
const sessionCleanupConfig = {
|
||||
...DEFAULT_SESSION_CLEANUP_CONFIG,
|
||||
...(config.sessionCleanupConfig || {})
|
||||
}
|
||||
const sessionCleanup = makeSessionCleanup(
|
||||
keys,
|
||||
signalRepository.lidMapping,
|
||||
sessionActivityTracker,
|
||||
logger,
|
||||
DEFAULT_SESSION_CLEANUP_CONFIG
|
||||
sessionCleanupConfig
|
||||
)
|
||||
|
||||
let lastDateRecv: Date
|
||||
|
||||
Reference in New Issue
Block a user