[Bug]: Denial of Service (DoS) via Unvalidated Input #30

@DeveloperAmrit

Bug Description

The InputHandler.ts file accepts input parameters (dx, dy, text) directly from the client without checking for reasonable bounds or types.
A malicious or malfunctioning client can send extreme values that cause the server-side automation library (nut-js) to behave unpredictably or consume excessive resources.

Specific Vulnerabilities:

  1. Integer Overflow/Extreme Coordinates: Sending dx: 999999999 might cause the mouse cursor logic to wrap around or crash the process.
  2. Memory Exhaustion: Sending a single packet with a 100MB text string in the text field will be accepted by JSON.parse, and attempting to type it via keyboard.type() will likely freeze the Node.js process.

Steps to Reproduce

  1. Connect to the WebSocket server.
  2. Send a payload: {"type": "text", "text": "A" * 10000000} (a string with 10 million characters).
  3. Result: The host server spikes in CPU/Memory usage and eventually crashes or hangs the system.

Expected Behavior

  • Validation: Implement schema validation (e.g., using zod or manual checks) before processing messages.
  • Constraints:
    • text: Max length 500 characters per packet.
    • dx/dy: Clamp values to reasonable screen deltas (e.g., -2000 to +2000).
    • key: Validate against an allowlist of known keys.

Desktop Operating System

macOS (Apple Silicon)

Mobile Device (Client)

Vivo T3x 5G

Rein Version

3

Console Logs / Error Messages

Screenshots / Recordings

No response

Checklist

  • I have searched for existing issues to avoid duplicates
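
A manual-check validator for the constraints listed under Expected Behavior, as an added example that is not part of the original issue or the Rein code base. Only the `text` message type, the 500-character limit and the -2000 to +2000 clamp come from the issue; the `move` and `key` type names, the contents of `ALLOWED_KEYS` and the `MAX_RAW_LENGTH` frame cap are assumptions.

```typescript
// Limits below come from the issue's "Expected Behavior" list.
// Assumed (not in the issue): "move"/"key" type names, ALLOWED_KEYS, MAX_RAW_LENGTH.
const MAX_TEXT_LENGTH = 500;
const MAX_DELTA = 2000;
const MAX_RAW_LENGTH = 4096; // assumed frame cap, enforced before JSON.parse
const ALLOWED_KEYS = new Set(["enter", "backspace", "tab", "escape"]); // assumed

type InputMessage =
  | { type: "text"; text: string }
  | { type: "move"; dx: number; dy: number }
  | { type: "key"; key: string };
type ParseResult = { ok: true; msg: InputMessage } | { ok: false; error: string };

const reject = (error: string): ParseResult => ({ ok: false, error });
const clamp = (v: number): number => Math.max(-MAX_DELTA, Math.min(MAX_DELTA, v));

// Validate one raw WebSocket frame; only the returned msg should reach nut-js.
function parseInputMessage(raw: string): ParseResult {
  // Reject oversized frames before paying for JSON.parse on them.
  if (raw.length > MAX_RAW_LENGTH) return reject("frame too large");
  let data: unknown;
  try {
    data = JSON.parse(raw);
  } catch {
    return reject("invalid JSON");
  }
  if (typeof data !== "object" || data === null || Array.isArray(data)) {
    return reject("message must be an object");
  }
  const { type, text, dx, dy, key } = data as Record<string, unknown>;
  switch (type) {
    case "text":
      if (typeof text !== "string") return reject("text must be a string");
      if (text.length > MAX_TEXT_LENGTH) return reject("text too long");
      return { ok: true, msg: { type: "text", text } };
    case "move":
      // JSON.parse turns 1e999 into Infinity, so check finiteness as well as type.
      if (typeof dx !== "number" || typeof dy !== "number" ||
          !Number.isFinite(dx) || !Number.isFinite(dy)) {
        return reject("dx/dy must be finite numbers");
      }
      return { ok: true, msg: { type: "move", dx: clamp(dx), dy: clamp(dy) } };
    case "key":
      if (typeof key !== "string" || !ALLOWED_KEYS.has(key)) return reject("key not allowed");
      return { ok: true, msg: { type: "key", key } };
    default:
      return reject("unknown message type");
  }
}
```

The frame-size check runs on the raw string, so the 10-million-character payload from the reproduction steps is dropped without being parsed or typed.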
