Skip to content

Room socket events do not enforce room membership or host permissions #193

Description

@ionfwsrijan

Problem

Room socket events trust client-supplied roomId and guestId values.

Evidence

Affected code:

  • backend/server.js
  • frontend/src/components/chat/RoomChatPanel.tsx

Client emits:

socket.emit("joinRoom", roomId)
socket.emit("roomMessage", { roomId, text })
socket.emit("removeGuest", { roomId, guestId })

The server must verify that:

  • the sender belongs to the room
  • the sender is host before removing guests
  • guests cannot join arbitrary rooms

Impact

A malicious socket client can join or send messages to arbitrary rooms, impersonate room activity, or attempt to remove guests without host authority.

Expected fix

  • Store server-side room membership and host identity
  • Validate every room socket event against that state
  • Reject unauthorized removeGuest
  • Add socket integration tests for guest, host, and non-member cases

Metadata

Metadata

Assignees

No one assigned

    Labels

    gssoc:approvedApproved for GirlScript Summer of Code

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions