Skip to content

fix(chat): enforce soft-delete checks and sanitize invisible characters. #40779 #40859

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
sam28u wants to merge 7 commits into
base: develop
Choose a base branch
from
+29 −0
Open

fix(chat): enforce soft-delete checks and sanitize invisible characters. #40779 #40859

Changes from 1 commit
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
2d7fc74
fix(chat): enforce soft-delete checks and sanitize invisible characte…
sam28u Jun 9, 2026
add18da
fix(chat): update regex to catch all control chars and add changeset
sam28u Jun 9, 2026
2194b2c
fix(chat): update regex to catch all control chars and add changeset
sam28u Jun 9, 2026
dddeb0c
fix(chat): refine control character regex to preserve safe whitespace
sam28u Jun 9, 2026
e578cb4
Merge branch 'develop' into develop
sam28u Jun 10, 2026
453dca3
Merge branch 'develop' into develop
sam28u Jun 10, 2026
f30ae1f
Merge branch 'develop' into develop
sam28u Jun 11, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
31 changes: 31 additions & 0 deletions apps/meteor/app/api/server/v1/chat.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -268,6 +268,22 @@ const chatEndpoints = API.v1
return API.v1.failure(`No message found with the id of "${bodyParams.msgId}".`);
}

// Prevent editing of soft-deleted messages (Zombie Edits fix)
if (msg.t === 'rm') {
return API.v1.failure('Cannot edit a deleted message.');
}

// --- Fix : Strict Input Sanitization for updates ---
if ('text' in bodyParams && typeof bodyParams.text === 'string') {
const sanitizedText = bodyParams.text.replace(/\u0000/g, '').trim();
Comment thread
cubic-dev-ai[bot] marked this conversation as resolved.
Outdated

if (sanitizedText.length === 0) {
return API.v1.failure('Message cannot be empty or contain only invisible control characters.');
}

bodyParams.text = bodyParams.text.replace(/\u0000/g, '');
}
Comment thread
coderabbitai[bot] marked this conversation as resolved.
Outdated

if (bodyParams.roomId !== msg.rid) {
return API.v1.failure('The room id provided does not match where the message is from.');
}
Expand Down Expand Up @@ -837,6 +853,21 @@ const chatEndpoints = API.v1
throw new Error("Cannot send system messages using 'chat.sendMessage'");
}

// --- Fix : Strict Input Sanitization (Invisible Character Bypass) ---
const msgPayload = this.bodyParams.message as { msg?: string; attachments?: any[] };
if (msgPayload && typeof msgPayload.msg === 'string') {
// Strip null bytes and trim
const sanitizedMsg = msgPayload.msg.replace(/\u0000/g, '').trim();

// If the message is completely empty after stripping, and has no attachments, reject it
if (sanitizedMsg.length === 0 && (!msgPayload.attachments || msgPayload.attachments.length === 0)) {
return API.v1.failure('Message cannot be empty or contain only invisible control characters.');
}

// Clean the actual payload sent to the database
msgPayload.msg = msgPayload.msg.replace(/\u0000/g, '');
}

const sent = await applyAirGappedRestrictionsValidation(() =>
executeSendMessage(this.user, this.bodyParams.message as Pick<IMessage, 'rid'>, { previewUrls: this.bodyParams.previewUrls }),
);
Expand Down