From e6908d9e048a3d937889591d4075a4d0022e182d Mon Sep 17 00:00:00 2001
From: Mike Cao
Date: Fri, 17 Jul 2020 21:01:49 -0700
Subject: [PATCH] Improve hash validation.
---
 lib/utils.js | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/lib/utils.js b/lib/utils.js
index 06cd14ac..a02387e8 100644
--- a/lib/utils.js
+++ b/lib/utils.js
@@ -11,6 +11,10 @@ export function hash(s) {
 return uuid(s, md5(process.env.HASH_SALT));
 }
+export function validHash(s) {
+ return /^[0-9a-f]{8}-[0-9a-f]{4}-[0-5][0-9a-f]{3}-[089ab][0-9a-f]{3}-[0-9a-f]{12}$/.test(s);
+}
+
 export function getIpAddress(req) {
 if (req.headers['cf-connecting-ip']) {
 return req.headers['cf-connecting-ip'];
@@ -58,7 +62,12 @@ export function parseCollectRequest(req) {
 session: { website_id, session_id, time, hash: validationHash },
 } = payload;
- if (hash(`${website_id}${session_id}${time}`) === validationHash) {
+ if (
+ validHash(website_id) &&
+ validHash(session_id) &&
+ validHash(validationHash) &&
+ hash(`${website_id}${session_id}${time}`) === validationHash
+ ) {
 return {
 valid: true,
 type,
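Review bot: `validHash` in the first hunk hands `s` directly to `RegExp.prototype.test`, which coerces its argument to a string, so a non-string value such as a one-element array wrapping a UUID passes the check. The template literal in `parseCollectRequest` applies the same coercion, so the hash comparison would presumably still succeed and the non-string `website_id` or `session_id` would be passed on to whatever consumes the result. Prefixing the test with a type guard closes this: `typeof s === 'string' &&` before the existing pattern. A one-line JSDoc stating that only lowercase, hyphenated UUIDs (version nibble 0–5) are accepted would also make the contract explicit.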
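Review bot: The last operand of the new condition in `parseCollectRequest` still compares the salted hash with `===`, which is not a constant-time comparison of what is effectively an authentication tag derived from `HASH_SALT`. Since `validHash(validationHash)` now pins the value to the 36-character UUID shape, a fixed-length comparison is easy to adopt once the value is known to be a string, e.g. `crypto.timingSafeEqual(Buffer.from(expected), Buffer.from(validationHash))` with `expected` holding the `hash(...)` result (this needs Node's `crypto` imported in the file). `time` goes into the hash but is not validated in this hunk; whether its freshness is checked elsewhere is not visible here. The function body begins and ends outside the hunk.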