From 1d395bf70b4acc2c032b2b7934dfd3644212ccad Mon Sep 17 00:00:00 2001
From: webzwo0i <webzwo0i@c3d2.de>
Date: Thu, 24 Feb 2022 00:11:08 +0100
Subject: [PATCH] PadMessageHandler: prohibit reading of message.data.padId

---
 src/node/handler/PadMessageHandler.js | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/node/handler/PadMessageHandler.js b/src/node/handler/PadMessageHandler.js
index b0491e6b7..5aa3369d3 100644
--- a/src/node/handler/PadMessageHandler.js
+++ b/src/node/handler/PadMessageHandler.js
@@ -250,6 +250,12 @@ exports.handleMessage = async (socket, message) => {
     throw new Error('message.padId must not be accessed (for security reasons)');
   }});
 
+  if (message.data) {
+    Object.defineProperty(message.data, 'padId', {get: () => {
+      throw new Error('message.data.padId must not be accessed (for security reasons)');
+    }});
+  }
+
   const auth = thisSession.auth;
   if (!auth) {
     const ip = settings.disableIPlogging ? 'ANONYMOUS' : (socket.request.ip || '<unknown>');