From 35cf1498763759a3cd5cbf3a8b019e24e7cf5e68 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E6=A6=86=E6=9C=A8?= <43062104+yumusb@users.noreply.github.com>
Date: Thu, 13 Jul 2023 12:27:38 +0800
Subject: [PATCH] Check the hostname value for legality to eliminate dirty data

Check the hostname value for legality to eliminate dirty data
---
 lib/session.ts | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/lib/session.ts b/lib/session.ts
index 29ff694f..2725f04c 100644
--- a/lib/session.ts
+++ b/lib/session.ts
@@ -30,6 +30,13 @@ export async function findSession(req: NextApiRequestCollect) {
   // Verify payload
   const { website: websiteId, hostname, screen, language } = payload;
+
+  // Check the hostname value for legality to eliminate dirty data
+  const validHostnameRegex = /^[\w-.]+$/;
+  if (!validHostnameRegex.test(hostname)) {
+    throw new Error('Invalid hostname.');
+  }
+
   if (!validate(websiteId)) {
     throw new Error('Invalid website ID.');
   }
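Review bot: `RegExp.prototype.test` coerces its argument to a string, so the new check at `validHostnameRegex.test(hostname)` lets a missing or non-string `hostname` through as `"undefined"`, `"null"` or a bare number, all of which match `^[\w-.]+$`; guard the type first, `if (typeof hostname !== 'string' || !validHostnameRegex.test(hostname)) {` (or accept `undefined` explicitly if the field is optional for this endpoint). The class `[\w-.]` also relies on Annex B leniency — a class escape as a range endpoint is a SyntaxError under the `u` flag — so write it as `[\w.-]`, and consider bounding it, e.g. `const validHostnameRegex = /^[\w.-]{1,253}$/;`, since the pattern otherwise accepts a hostname of any length and strings made only of dots or hyphens. Note that `\w` also admits `_`, which is not valid in a DNS label; whether to keep it depends on what clients actually send, which the hunk does not show. `findSession` continues outside the hunk.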