Add room name validation to prevent DoS

2026-01-27 17:55:40 -05:00 · 2026-01-27 17:55:40 -05:00 · bad4cdac51
commit bad4cdac51
parent dcd97a451f
1 changed files with 12 additions and 0 deletions
--- a/src/index.ts
+++ b/src/index.ts
@ -8,6 +8,12 @@ import {

 const PORT = Number(process.env.PORT) || 4040;

+function isValidRoomName(name: unknown): name is string {
+  if (typeof name !== "string") return false;
+  if (name.length === 0 || name.length > 64) return false;
+  return /^[a-zA-Z0-9_-]+$/.test(name);
+}
+
 Bun.serve({
  port: PORT,
  fetch(req, server) {
@ -40,6 +46,12 @@ Bun.serve({

      switch (msg.type) {
        case "join": {
+          if (!isValidRoomName(msg.room)) {
+            ws.send(
+              JSON.stringify({ type: "error", message: "invalid room name" }),
+            );
+            break;
+          }
          const session = getOrCreateSession(msg.room);
          ws.data.room = msg.room;
          session.join(client);