mirrors/etherpad-lite
1
0
Fork 0
mirror of https://github.com/ether/etherpad-lite.git synced 2025-04-20 23:46:14 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

ImportEtherpad: Reject unknown DB records

Browse source
This commit is contained in:
Richard Hansen 2021-11-25 02:05:09 -05:00
parent 8e9bc8d325
commit 00fc7c8e86
2 changed files with 16 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

11
src/node/utils/ImportEtherpad.js
View file

@ -53,17 +53,18 @@ exports.setPadRaw = async (padId, r) => {
return;
}
value.padIDs = {[padId]: 1};
} else {
} else if (padKeyPrefixes.includes(prefix)) {
if (prefix === 'pad' && keyParts.length === 2 && value.pool) {
for (const attrib of Object.keys(value.pool.numToAttrib)) {
const attribName = value.pool.numToAttrib[attrib][0];
if (!supportedElems.has(attribName)) unsupportedElements.add(attribName);
}
}
if (padKeyPrefixes.includes(prefix)) {
keyParts[1] = padId;
key = keyParts.join(':');
}
keyParts[1] = padId;
key = keyParts.join(':');
} else {
logger.warn(`(pad ${padId}) Ignoring record with unsupported key: ${key}`);
return;
}
await db.set(key, value);
}));

10
src/tests/backend/specs/ImportEtherpad.js
View file

@ -2,6 +2,7 @@
const assert = require('assert').strict;
const authorManager = require('../../../node/db/AuthorManager');
const db = require('../../../node/db/DB');
const importEtherpad = require('../../../node/utils/ImportEtherpad');
const padManager = require('../../../node/db/PadManager');
const {randomString} = require('../../../static/js/pad_utils');
@ -52,6 +53,15 @@ describe(__filename, function () {
assert(!await padManager.doesPadExist(padId));
});
it('unknown db records are ignored', async function () {
const badKey = `maliciousDbKey${randomString(10)}`;
await importEtherpad.setPadRaw(padId, JSON.stringify({
[badKey]: 'value',
...makeExport(makeAuthorId()),
}));
assert(await db.get(badKey) == null);
});
describe('author pad IDs', function () {
let existingAuthorId;
let newAuthorId;