Problem
Room socket events trust client-supplied roomId and guestId values.
Evidence
Affected code:
backend/server.js
frontend/src/components/chat/RoomChatPanel.tsx
Client emits:
socket.emit("joinRoom", roomId)
socket.emit("roomMessage", { roomId, text })
socket.emit("removeGuest", { roomId, guestId })
The server must verify that:
- the sender belongs to the room
- the sender is host before removing guests
- guests cannot join arbitrary rooms
Impact
A malicious socket client can join or send messages to arbitrary rooms, impersonate room activity, or attempt to remove guests without host authority.
Expected fix
- Store server-side room membership and host identity
- Validate every room socket event against that state
- Reject unauthorized removeGuest
- Add socket integration tests for guest, host, and non-member cases
Problem
Room socket events trust client-supplied
roomIdandguestIdvalues.Evidence
Affected code:
backend/server.jsfrontend/src/components/chat/RoomChatPanel.tsxClient emits:
The server must verify that:
Impact
A malicious socket client can join or send messages to arbitrary rooms, impersonate room activity, or attempt to remove guests without host authority.
Expected fix