From cdf1a26c0e2cb8d5254fc57acc427133de3bd823 Mon Sep 17 00:00:00 2001
From: Nico Krause
Date: Sat, 18 Jan 2025 20:19:42 +0500
Subject: [PATCH] fix: sanitize IPFS URLs before processing

- Ensure nameOp.nameValue is properly sanitized before IPFS processing
- Add HTML sanitization to prevent potential XSS attacks
- Only process values that start with 'ipfs://' after sanitization
---
 relay/package.json | 2 +-
 relay/src/pinner/nameOpsFileManager.js | 2 +-
 relay/src/pinner/scanBlockchainForNameOps.js | 8 ++++----
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/relay/package.json b/relay/package.json
index a7b6099..f5ad2a4 100644
--- a/relay/package.json
+++ b/relay/package.json
@@ -1,6 +1,6 @@
 {
 "name": "libp2p-relay",
- "version": "0.12.19",
+ "version": "0.12.22",
 "private": true,
 "scripts": {
 "start:no-restart": "node src/relay.js",
diff --git a/relay/src/pinner/nameOpsFileManager.js b/relay/src/pinner/nameOpsFileManager.js
index 36e3354..ca02d43 100644
--- a/relay/src/pinner/nameOpsFileManager.js
+++ b/relay/src/pinner/nameOpsFileManager.js
@@ -27,7 +27,7 @@ class OrbitDBInterface {
 const dbPath = './orbitdb/nameops';
 // Clean up any stale lock files before opening
- await this.cleanupLockFiles(dbPath);
+ await cleanupLockFiles(dbPath);
 this.db = await this.orbitdb.open(dbName, {
 type: 'documents',
diff --git a/relay/src/pinner/scanBlockchainForNameOps.js b/relay/src/pinner/scanBlockchainForNameOps.js
index cc0e6a8..125310c 100644
--- a/relay/src/pinner/scanBlockchainForNameOps.js
+++ b/relay/src/pinner/scanBlockchainForNameOps.js
@@ -180,7 +180,7 @@ async function processBlocks(
 allowedAttributes: {},
 });
- if (sanitizedValue && !sanitizedValue.startsWith('ipfs://')) {
+ if (sanitizedValue && sanitizedValue.startsWith('ipfs://')) {
 // Use the pinQueue for pinIpfsContent operation
 // TODO: sanitize metadata before pinning
 pinQueue.add(() =>
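Review bot: In relay/src/pinner/nameOpsFileManager.js the call changes from `this.cleanupLockFiles(dbPath)` to a bare `cleanupLockFiles(dbPath)`, but the diffstat shows this is the only line touched in that file, so this commit adds no import or module-level definition for the name. If `cleanupLockFiles` is not already in module scope, opening the database will throw a ReferenceError before `this.orbitdb.open` runs; worth confirming, and if it is a module helper, a short comment such as `// module-level helper, not a method on OrbitDBInterface` would explain the dropped `this.`. The enclosing method starts and ends outside the hunk. The change is also unrelated to the commit subject and would be easier to trace as its own commit.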
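Review bot: The corrected condition in relay/src/pinner/scanBlockchainForNameOps.js gates pinning on the `ipfs://` prefix alone, so whatever follows the prefix still reaches `pinQueue.add` unchecked, and the `// TODO: sanitize metadata before pinning` stays open. The sanitizer call ending in `allowedAttributes: {}` looks like HTML stripping, which says nothing about whether the remainder is a well-formed CID; parsing it with the CID handling the project already depends on, before queuing, would close that gap. The arguments of the pin call are outside the hunk, so it is also worth confirming that `sanitizedValue` rather than `nameOp.nameValue` is what gets pinned. Until then a comment like `// NOTE: prefix check only; the CID after 'ipfs://' is not validated here` would make the limit explicit. processBlocks starts and ends outside the hunk.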
@@ -208,9 +208,9 @@ async function processBlocks(
 })
 );
 } else {
- logger.warn(
- `Invalid or potentially harmful nameValue detected: ${nameOp.nameValue}`
- );
+ // logger.warn(
+ // `Invalid or potentially harmful nameValue detected: ${nameOp.nameValue}`
+ // );
 }
 }
 } else {
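Review bot: Commenting out the `logger.warn` leaves an empty `else` holding dead code, and values that fail the `ipfs://` check are now dropped with no trace at all. If the warning was silenced because it is noisy or because it wrote the raw on-chain `nameOp.nameValue` into the log, a bounded message keeps the signal without echoing untrusted text, for example ``logger.debug(`Skipped nameValue without ipfs:// prefix (${String(nameOp.nameValue).length} chars)`);`` assuming the logger exposes a debug level. Otherwise remove the `else` branch rather than keeping the commented lines. The surrounding blocks open and close outside the hunk.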