Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Lax content type validation in ChatSession.sendEvent() and ChatSession.sendMessage() #135

Open
marcogrcr opened this issue Feb 25, 2023 · 0 comments
Open

Lax content type validation in ChatSession.sendEvent() and ChatSession.sendMessage() #135

marcogrcr opened this issue Feb 25, 2023 · 0 comments
Labels
🗒️ In Backlog Reviewed by team, added to backlog

Comments

@marcogrcr
Copy link
Contributor

Context:

The ChatController.prototype.sendEvent() validates that the specified content type is valid before invoking connectparticipant:SendEvent:

amazon-connect-chatjs/src/core/chatController.js

Lines 128 to 131 in d85c517

sendEvent(args) {
const startTime = new Date().getTime();
const metadata = args.metadata || null;
this.argsValidator.validateSendEvent(args);

amazon-connect-chatjs/src/core/chatArgsValidator.js

Lines 41 to 43 in d85c517

validateSendEvent(args) {
this.validateContentType(args.contentType);
}

amazon-connect-chatjs/src/core/chatArgsValidator.js

Lines 19 to 21 in d85c517

validateContentType(contentType) {
Utils.assertIsEnum(contentType, Object.values(CONTENT_TYPE), "contentType");
}

The same applies for ChatController.prototype.sendMessage():

amazon-connect-chatjs/src/core/chatController.js

Lines 96 to 99 in d85c517

sendMessage(args) {
const startTime = new Date().getTime();
const metadata = args.metadata || null;
this.argsValidator.validateSendMessage(args);

amazon-connect-chatjs/src/core/chatArgsValidator.js

Lines 12 to 17 in d85c517

validateSendMessage(args) {
if (!Utils.isString(args.message)) {
throw new IllegalArgumentException(args.message + "is not a valid message");
}
this.validateContentType(args.contentType);
}

amazon-connect-chatjs/src/core/chatArgsValidator.js

Lines 19 to 21 in d85c517

validateContentType(contentType) {
Utils.assertIsEnum(contentType, Object.values(CONTENT_TYPE), "contentType");
}

The same would apply for ChatController.prototype.sendAttachment(), though it has not been added yet:

amazon-connect-chatjs/src/core/chatController.js

Lines 107 to 110 in d85c517

sendAttachment(args){
const startTime = new Date().getTime();
const metadata = args.metadata || null;
//TODO: validation

Problem:

However, the CONTENT_TYPE enum is overly permissive. It has the allowed content types for:

amazon-connect-chatjs/src/constants.js

Lines 68 to 101 in d85c517

export const CONTENT_TYPE = {
textPlain: "text/plain",
textMarkdown: "text/markdown",
textCsv: "text/csv",
applicationDoc: "application/msword",
applicationDocx: "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
applicationJson: "application/json",
applicationPdf: "application/pdf",
applicationPpt: "application/vnd.ms-powerpoint",
applicationPptx: "application/vnd.openxmlformats-officedocument.presentationml.presentation",
applicationXls: "application/vnd.ms-excel",
applicationXlsx: "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
imageJpg: "image/jpeg",
imagePng: "image/png",
audioWav: "audio/wav",
audioXWav: "audio/x-wav", //Firefox
audioVndWave: "audio/vnd.wave", //IE
connectionAcknowledged: "application/vnd.amazonaws.connect.event.connection.acknowledged",
typing: "application/vnd.amazonaws.connect.event.typing",
participantJoined: "application/vnd.amazonaws.connect.event.participant.joined",
participantLeft: "application/vnd.amazonaws.connect.event.participant.left",
participantActive: "application/vnd.amazonaws.connect.event.participant.active",
participantInactive: "application/vnd.amazonaws.connect.event.participant.inactive",
transferSucceeded: "application/vnd.amazonaws.connect.event.transfer.succeeded",
transferFailed: "application/vnd.amazonaws.connect.event.transfer.failed",
chatEnded: "application/vnd.amazonaws.connect.event.chat.ended",
interactiveMessage: "application/vnd.amazonaws.connect.message.interactive",
interactiveMessageResponse: "application/vnd.amazonaws.connect.message.interactive.response",
readReceipt: "application/vnd.amazonaws.connect.event.message.read",
deliveredReceipt: "application/vnd.amazonaws.connect.event.message.delivered",
participantIdle: "application/vnd.amazonaws.connect.event.participant.idle",
participantReturned: "application/vnd.amazonaws.connect.event.participant.returned",
autoDisconnection: "application/vnd.amazonaws.connect.event.participant.autodisconnection"
};

This results in unnecessary invocations when a content type is invalid for the operation being invoked, but valid on either of the other two.

Proposed fix:

Make the validation stricter to only allow the content types of the invoked operation.
@spencerlepine spencerlepine added the ⌛️ Needs Triage Needs team review label Apr 27, 2023
@spencerlepine spencerlepine added 🗒️ In Backlog Reviewed by team, added to backlog and removed ⌛️ Needs Triage Needs team review labels May 19, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
🗒️ In Backlog Reviewed by team, added to backlog
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@marcogrcr @spencerlepine