fix (gateway): harden chat.send message input sanitization

2026-05-08 22:38:26 +00:00 · 2026-02-14 21:09:00 -08:00
parent 457e5308a9
commit a2fe3b6610
3 changed files with 85 additions and 4 deletions
--- a/src/gateway/server-methods/chat.sanitize-message.test.ts
+++ b/src/gateway/server-methods/chat.sanitize-message.test.ts
@@ -0,0 +1,20 @@
+import { describe, expect, it } from "vitest";
+import { sanitizeChatSendMessageInput } from "./chat.js";
+
+describe("sanitizeChatSendMessageInput", () => {
+  it("rejects null bytes", () => {
+    expect(sanitizeChatSendMessageInput("before\u0000after")).toEqual({
+      ok: false,
+      error: "message must not contain null bytes",
+    });
+  });
+
+  it("strips unsafe control characters while preserving tab/newline/carriage return", () => {
+    const result = sanitizeChatSendMessageInput("a\u0001b\tc\nd\re\u0007f\u007f");
+    expect(result).toEqual({ ok: true, message: "ab\tc\nd\ref" });
+  });
+
+  it("normalizes unicode to NFC", () => {
+    expect(sanitizeChatSendMessageInput("Cafe\u0301")).toEqual({ ok: true, message: "Café" });
+  });
+});