From 334fd9cdd02ad4aa6a3c9bdfc95e7764651c13f4 Mon Sep 17 00:00:00 2001
From: timothycarambat
Date: Tue, 27 Aug 2024 16:38:20 -0700
Subject: [PATCH] pre-validate sessionID type for embed chats
---
 server/models/embedChats.js | 10 +++++-----
 server/utils/middleware/embedMiddleware.js | 13 ++++++++++++-
 2 files changed, 17 insertions(+), 6 deletions(-)
diff --git a/server/models/embedChats.js b/server/models/embedChats.js
index 77b7201052..1c46f6d4a3 100644
--- a/server/models/embedChats.js
+++ b/server/models/embedChats.js
@@ -15,7 +15,7 @@ const EmbedChats = {
 embed_id: Number(embedId),
 response: JSON.stringify(response),
 connection_information: JSON.stringify(connection_information),
- session_id: sessionId,
+ session_id: String(sessionId),
 },
 });
 return { chat, message: null };
@@ -36,8 +36,8 @@ const EmbedChats = {
 try {
 const chats = await prisma.embed_chats.findMany({
 where: {
- embed_id: embedId,
- session_id: sessionId,
+ embed_id: Number(embedId),
+ session_id: String(sessionId),
 include: true,
 },
 ...(limit !== null ? { take: limit } : {}),
@@ -56,8 +56,8 @@ const EmbedChats = {
 try {
 await prisma.embed_chats.updateMany({
 where: {
- embed_id: embedId,
- session_id: sessionId,
+ embed_id: Number(embedId),
+ session_id: String(sessionId),
 },
 data: {
 include: false,
diff --git a/server/utils/middleware/embedMiddleware.js b/server/utils/middleware/embedMiddleware.js
index e9d1c3eae4..013ef1252d 100644
--- a/server/utils/middleware/embedMiddleware.js
+++ b/server/utils/middleware/embedMiddleware.js
@@ -1,4 +1,4 @@
-const { v4: uuidv4 } = require("uuid");
+const { v4: uuidv4, validate } = require("uuid");
 const { VALID_CHAT_MODE } = require("../chats/stream");
 const { EmbedChats } = require("../../models/embedChats");
 const { EmbedConfig } = require("../../models/embedConfig");
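Review bot: `String(sessionId)` on the new side of the first embedChats.js hunk turns a missing or malformed id into the literal "undefined", "null" or "[object Object]" instead of rejecting it, and the same coercion is repeated in the findMany and updateMany hunks of this file. Because those where-clauses match session_id exactly, any caller that reaches the model without a string id would presumably read and hide the same "undefined" bucket of chats, so the model's correctness now rests entirely on the middleware guard and a future route or internal caller that skips it silently shares history across sessions. A type check at the model boundary keeps the two layers independent: in the first hunk, `if (typeof sessionId !== "string" || sessionId.length === 0) return { chat: null, message: "Invalid session ID." };` ahead of the create call, with the equivalent early return in the other two methods (their return shapes are not visible here), leaving `String(sessionId)` in place after the check. The enclosing methods start outside each hunk.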
@@ -78,6 +78,17 @@ async function canRespond(request, response, next) { } const { sessionId, message } = reqBody(request); + if (typeof sessionId !== "string" || !validate(String(sessionId))) { + response.status(404).json({ + id: uuidv4(), + type: "abort", + textResponse: null, + sources: [], + close: true, + error: "Invalid session ID.", + }); + return; + } if (!message?.length || !VALID_CHAT_MODE.includes(embed.chat_mode)) { response.status(400).json({