fix: add validation guards for status expiration inputs

ricardogarim · ricardogarim · commit 807228e51101 · 2026-05-11T20:15:30.000-03:00
diff --git a/apps/meteor/app/api/server/v1/users.ts b/apps/meteor/app/api/server/v1/users.ts
@@ -649,7 +649,7 @@ API.v1.addRoute(
 				if (!canViewFullOtherUserInfo) {
 					return API.v1.forbidden();
 				}
-				const escapedEmail = escapeRegExp(this.queryParams.email as string);
+				const escapedEmail = escapeRegExp(this.queryParams.email);
 				nonEmptyQuery['emails.address'] = {
 					$regex: `^${escapedEmail}$`,
 					$options: 'i',
@@ -2002,7 +2002,16 @@ API.v1
 						statusDefault: status,
 						statusSource: 'manual',
 						...(this.bodyParams.message != null && { statusText: this.bodyParams.message }),
-						...(this.bodyParams.expiresAt && { statusExpiresAt: new Date(this.bodyParams.expiresAt) }),
+						...(this.bodyParams.expiresAt &&
+							(() => {
+								const date = new Date(this.bodyParams.expiresAt);
+								if (isNaN(date.getTime())) {
+									throw new Meteor.Error('error-invalid-date', 'Invalid expiresAt date string', {
+										method: 'users.setStatus',
+									});
+								}
+								return { statusExpiresAt: date };
+							})()),
 					});
 				}
 
diff --git a/apps/meteor/client/components/UserStatusText/useExpirationText.ts b/apps/meteor/client/components/UserStatusText/useExpirationText.ts
@@ -15,7 +15,8 @@ export function parseExpiresAt(value?: unknown): Date | undefined {
 	}
 
 	if (typeof value === 'object' && '$date' in (value as Record<string, unknown>)) {
-		return new Date((value as { $date: number }).$date);
+		const date = new Date((value as { $date: number }).$date);
+		return Number.isNaN(date.getTime()) ? undefined : date;
 	}
 
 	if (typeof value === 'string') {
diff --git a/apps/meteor/client/navbar/NavBarSettingsToolbar/UserMenu/EditStatusModal.tsx b/apps/meteor/client/navbar/NavBarSettingsToolbar/UserMenu/EditStatusModal.tsx
@@ -98,6 +98,7 @@ const EditStatusModal = ({ onClose, userStatus, userStatusText }: EditStatusModa
 	const [duration, setDuration] = useState('');
 	const [customDate, setCustomDate] = useState(() => new Date().toLocaleDateString('en-CA'));
 	const [customTime, setCustomTime] = useState(() => new Date().toTimeString().slice(0, 5));
+	const minCustomDate = useMemo(() => new Date().toLocaleDateString('en-CA'), []);
 
 	const setUserStatus = useEndpoint('POST', '/v1/users.setStatus');
 	const formatTime = useFormatTime();
@@ -123,9 +124,13 @@ const EditStatusModal = ({ onClose, userStatus, userStatusText }: EditStatusModa
 
 	const computeExpiresAt = useCallback((): Date | undefined => {
 		if (duration === 'custom') {
+			if (!customDate || !customTime) {
+				return undefined;
+			}
 			const [year, month, day] = customDate.split('-').map(Number);
 			const [hours, mins] = customTime.split(':').map(Number);
-			return new Date(year, month - 1, day, hours, mins, 0, 0);
+			const parsedDate = new Date(year, month - 1, day, hours, mins, 0, 0);
+			return Number.isNaN(parsedDate.getTime()) ? undefined : parsedDate;
 		}
 
 		const option = DURATION_OPTIONS.find((o) => o.value === duration);
@@ -143,6 +148,10 @@ const EditStatusModal = ({ onClose, userStatus, userStatusText }: EditStatusModa
 	const handleSaveStatus = useCallback(async () => {
 		try {
 			const expiresAt = computeExpiresAt();
+			if (duration === 'custom' && !expiresAt) {
+				dispatchToastMessage({ type: 'error', message: t('Status_choose_date_and_time') });
+				return;
+			}
 			await setUserStatus({
 				message: statusText,
 				status: statusType as UserStatusType,
@@ -155,7 +164,7 @@ const EditStatusModal = ({ onClose, userStatus, userStatusText }: EditStatusModa
 		}
 
 		onClose();
-	}, [onClose, setUserStatus, statusText, statusType, computeExpiresAt, setCustomStatus, dispatchToastMessage, t]);
+	}, [onClose, setUserStatus, statusText, statusType, computeExpiresAt, setCustomStatus, dispatchToastMessage, t, duration]);
 
 	return (
 		<Modal
@@ -234,7 +243,7 @@ const EditStatusModal = ({ onClose, userStatus, userStatusText }: EditStatusModa
 										flexGrow={1}
 										value={customDate}
 										onChange={(e: ChangeEvent<HTMLInputElement>) => setCustomDate(e.currentTarget.value)}
-										min={customDate}
+										min={minCustomDate}
 									/>
 									<InputBox
 										aria-label='Expiration time'
diff --git a/apps/meteor/client/sidebar/RoomList/SidebarItemTemplateWithData.tsx b/apps/meteor/client/sidebar/RoomList/SidebarItemTemplateWithData.tsx
@@ -168,6 +168,7 @@ const keys: (keyof RoomListRowProps)[] = [
 	't',
 	'sidebarViewMode',
 	'videoConfActions',
+	'userId',
 ];
 
 export default memo(SidebarItemTemplateWithData, (prevProps, nextProps) => {

Original file line number	Diff line number	Diff line change
`@@ -15,7 +15,8 @@ export function parseExpiresAt(value?: unknown): Date \| undefined {`
`15`	`15`	`}`
`16`	`16`
`17`	`17`	`if (typeof value === 'object' && '$date' in (value as Record<string, unknown>)) {`
`18`		`- return new Date((value as { $date: number }).$date);`
	`18`	`+ const date = new Date((value as { $date: number }).$date);`
	`19`	`+ return Number.isNaN(date.getTime()) ? undefined : date;`
`19`	`20`	`}`
`20`	`21`
`21`	`22`	`if (typeof value === 'string') {`