Skip to content

fix(chat): enforce soft-delete checks and sanitize invisible characters. #40779 #40859

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
sam28u wants to merge 7 commits into
base: develop
Choose a base branch
from
+29 −0
Open

fix(chat): enforce soft-delete checks and sanitize invisible characters. #40779 #40859

Changes from 3 commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
2d7fc74
fix(chat): enforce soft-delete checks and sanitize invisible characte…
sam28u Jun 9, 2026
add18da
fix(chat): update regex to catch all control chars and add changeset
sam28u Jun 9, 2026
2194b2c
fix(chat): update regex to catch all control chars and add changeset
sam28u Jun 9, 2026
dddeb0c
fix(chat): refine control character regex to preserve safe whitespace
sam28u Jun 9, 2026
e578cb4
Merge branch 'develop' into develop
sam28u Jun 10, 2026
453dca3
Merge branch 'develop' into develop
sam28u Jun 10, 2026
f30ae1f
Merge branch 'develop' into develop
sam28u Jun 11, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
29 changes: 29 additions & 0 deletions apps/meteor/app/api/server/v1/chat.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -268,6 +268,22 @@ const chatEndpoints = API.v1
return API.v1.failure(`No message found with the id of "${bodyParams.msgId}".`);
}

// Reject modifications to soft-deleted messages
if (msg.t === 'rm') {
return API.v1.failure('Cannot edit a deleted message.');
}

// Sanitize invisible control characters to prevent empty message bypass
if ('text' in bodyParams && typeof bodyParams.text === 'string') {
const sanitizedText = bodyParams.text.replace(/[\p{Cc}]/gu, '').trim();
Comment thread
cubic-dev-ai[bot] marked this conversation as resolved.
Outdated

if (sanitizedText.length === 0) {
return API.v1.failure('Message cannot be empty or contain only invisible control characters.');
}

bodyParams.text = bodyParams.text.replace(/[\p{Cc}]/gu, '');
}

if (bodyParams.roomId !== msg.rid) {
return API.v1.failure('The room id provided does not match where the message is from.');
}
Expand Down Expand Up @@ -837,6 +853,19 @@ const chatEndpoints = API.v1
throw new Error("Cannot send system messages using 'chat.sendMessage'");
}

// Sanitize invisible control characters to prevent empty message bypass
const msgPayload = this.bodyParams.message as { msg?: string; attachments?: any[] };
if (msgPayload && typeof msgPayload.msg === 'string') {
const sanitizedMsg = msgPayload.msg.replace(/[\p{Cc}]/gu, '').trim();

// Reject if the message is empty and has no attachments
if (sanitizedMsg.length === 0 && (!msgPayload.attachments || msgPayload.attachments.length === 0)) {
return API.v1.failure('Message cannot be empty or contain only invisible control characters.');
}

msgPayload.msg = msgPayload.msg.replace(/[\p{Cc}]/gu, '');
}

const sent = await applyAirGappedRestrictionsValidation(() =>
executeSendMessage(this.user, this.bodyParams.message as Pick<IMessage, 'rid'>, { previewUrls: this.bodyParams.previewUrls }),
);
Expand Down