🛡️ fix: Minor Vulnerabilities (#4543)

* fix: ReDoS in ChatGPT Import * ci: should correctly process citations from real ChatGPT data * ci: Add ReDoS vulnerability test for processAssistantMessage * refactor: Update thread management and citation handling * refactor(validateImageRequest): robust validation * refactor(Prompt.js): update name search regex to escape special characters * refactor(Preset): exclude user from preset update to prevent mass assignment * refactor(files.js): Improve file deletion process * ci: updated validateImageRequest.spec.js * a11y: plugin pagination * refactor(CreatePromptForm.tsx): Improve input field styling * chore(Prompts): typing and accessibility * fix: prompt creation access role check * chore: remove duplicate jsdocs
2025-12-17 17:00:15 +01:00 · 2024-10-24 15:50:48 -04:00 · 2024-10-24 15:50:48 -04:00 · 3f3b5929e9
commit 3f3b5929e9
parent 094a40dbb0
15 changed files with 698 additions and 53 deletions
--- a/api/server/utils/import/importers.js
+++ b/api/server/utils/import/importers.js
@ -277,34 +277,39 @@ function processConversation(conv, importBatchBuilder, requestUserId) {

 /**
 * Processes text content of messages authored by an assistant, inserting citation links as required.
- * Applies citation metadata to construct regex patterns and replacements for inserting links into the text.
+ * Uses citation start and end indices to place links at the correct positions.
 *
 * @param {ChatGPTMessage} messageData - The message data containing metadata about citations.
 * @param {string} messageText - The original text of the message which may be altered by inserting citation links.
 * @returns {string} - The updated message text after processing for citations.
 */
 function processAssistantMessage(messageData, messageText) {
-  const citations = messageData.metadata.citations ?? [];
+  if (!messageText) {
+    return messageText;
+  }

-  for (const citation of citations) {
+  const citations = messageData.metadata?.citations ?? [];
+
+  const sortedCitations = [...citations].sort((a, b) => b.start_ix - a.start_ix);
+
+  let result = messageText;
+  for (const citation of sortedCitations) {
    if (
-      !citation.metadata ||
-      !citation.metadata.extra ||
-      !citation.metadata.extra.cited_message_idx ||
-      (citation.metadata.type && citation.metadata.type !== 'webpage')
+      !citation.metadata?.type ||
+      citation.metadata.type !== 'webpage' ||
+      typeof citation.start_ix !== 'number' ||
+      typeof citation.end_ix !== 'number' ||
+      citation.start_ix >= citation.end_ix
    ) {
      continue;
    }

-    const pattern = new RegExp(
-      `\\u3010${citation.metadata.extra.cited_message_idx}\\u2020.+?\\u3011`,
-      'g',
-    );
    const replacement = ` ([${citation.metadata.title}](${citation.metadata.url}))`;
-    messageText = messageText.replace(pattern, replacement);
+
+    result = result.slice(0, citation.start_ix) + replacement + result.slice(citation.end_ix);
  }

-  return messageText;
+  return result;
 }

 /**
@ -342,4 +347,4 @@ function formatMessageText(messageData) {
  return messageText;
 }

-module.exports = { getImporter };
+module.exports = { getImporter, processAssistantMessage };