From 586eed1407a78a1c1ec3af9bef3866104d3ef7cd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bar=C4=B1=C5=9F=20Soner=20U=C5=9Fakl=C4=B1?=
Date: Fri, 30 Dec 2022 09:49:22 -0500
Subject: [PATCH] fix: vulnerability in socket.io nested namespaces (#11117)

---
 src/socket.io/index.js | 2 +-
 test/socket.io.js | 16 ++++++++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/src/socket.io/index.js b/src/socket.io/index.js
index b77edbb57d..60c7a8cd27 100644
--- a/src/socket.io/index.js
+++ b/src/socket.io/index.js
@@ -123,7 +123,7 @@ async function onMessage(socket, payload) {
 const parts = eventName.toString().split('.');
 const namespace = parts[0];
 const methodToCall = parts.reduce((prev, cur) => {
- if (prev !== null && prev[cur]) {
+ if (prev !== null && prev[cur] && (!prev.hasOwnProperty || prev.hasOwnProperty(cur))) {
 return prev[cur];
 }
 return null;
diff --git a/test/socket.io.js b/test/socket.io.js
index a4db2b7aaa..1a94a38f7c 100644
--- a/test/socket.io.js
+++ b/test/socket.io.js
@@ -91,6 +91,22 @@ describe('socket.io', () => {
 });
 });
 
+ it('should return error for unknown event', (done) => {
+ io.emit('user.gdpr.__proto__.constructor.toString', (err) => {
+ assert(err);
+ assert.equal(err.message, '[[error:invalid-event, user.gdpr.__proto__.constructor.toString]]');
+ done();
+ });
+ });
+
+ it('should return error for unknown event', (done) => {
+ io.emit('constructor.toString', (err) => {
+ assert(err);
+ assert.equal(err.message, '[[error:invalid-event, constructor.toString]]');
+ done();
+ });
+ });
+
 it('should get installed themes', (done) => {
 const themes = ['nodebb-theme-lavender', 'nodebb-theme-persona', 'nodebb-theme-vanilla'];
 io.emit('admin.themes.getInstalled', (err, data) => {
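Review bot: The new guard in the reduce callback depends on `prev.hasOwnProperty` being the inherited Object.prototype method, and the `!prev.hasOwnProperty` escape hatch means any intermediate value that lacks that method or shadows it with a falsy value is accepted on `prev[cur]` truthiness alone, which is exactly the check the commit is trying to tighten. Calling the method from Object.prototype makes the own-property test unconditional: `if (prev !== null && prev[cur] && Object.prototype.hasOwnProperty.call(prev, cur)) {` (or `Object.hasOwn(prev, cur)` if the project's Node baseline supports it). The walk still resolves any own property, including non-function values, so the final check that `methodToCall` is a function — presumably where the `invalid-event` error the tests expect comes from — has to remain in place; the reduce's initial value and the rest of onMessage are outside the hunk.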
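Review bot: Both added cases carry the identical title 'should return error for unknown event', so a failure report cannot tell which event string regressed; give each a distinct title, e.g. `it('should return error for unknown nested event', (done) => {` for the `user.gdpr.…` case and `it('should return error for unknown event at the namespace root', (done) => {` for the `constructor.toString` case. The assertions run inside the emit callback, so if `assert(err)` throws there the failure surfaces as an uncaught exception or a timeout rather than the assertion message — acceptable as written, but worth knowing when reading results. The enclosing describe block starts and ends outside the hunk.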