Security: Fix revision parsing (#5772)

A carefully crated URL can cause Etherpad to hang.
2025-04-21 16:06:16 -04:00 · 2023-06-26 18:17:06 +01:00 · 2023-06-26 18:17:06 +01:00 · 1e98033632
commit 1e98033632
parent 1d289520eb
9 changed files with 325 additions and 29 deletions
--- a/src/node/utils/ExportHelper.js
+++ b/src/node/utils/ExportHelper.js
@ -21,10 +21,14 @@

 const AttributeMap = require('../../static/js/AttributeMap');
 const Changeset = require('../../static/js/Changeset');
+const { checkValidRev } = require('./checkValidRev');

+/*
+ * This method seems unused in core and no plugins depend on it
+ */
 exports.getPadPlainText = (pad, revNum) => {
  const _analyzeLine = exports._analyzeLine;
-  const atext = ((revNum !== undefined) ? pad.getInternalRevisionAText(revNum) : pad.atext);
+  const atext = ((revNum !== undefined) ? pad.getInternalRevisionAText(checkValidRev(revNum)) : pad.atext);
  const textLines = atext.text.slice(0, -1).split('\n');
  const attribLines = Changeset.splitAttributionLines(atext.attribs, atext.text);
  const apool = pad.pool;
--- a/src/node/utils/checkValidRev.js
+++ b/src/node/utils/checkValidRev.js
@ -0,0 +1,34 @@
+'use strict';
+
+const CustomError = require('../utils/customError');
+
+// checks if a rev is a legal number
+// pre-condition is that `rev` is not undefined
+const checkValidRev = (rev) => {
+  if (typeof rev !== 'number') {
+    rev = parseInt(rev, 10);
+  }
+
+  // check if rev is a number
+  if (isNaN(rev)) {
+    throw new CustomError('rev is not a number', 'apierror');
+  }
+
+  // ensure this is not a negative number
+  if (rev < 0) {
+    throw new CustomError('rev is not a negative number', 'apierror');
+  }
+
+  // ensure this is not a float value
+  if (!isInt(rev)) {
+    throw new CustomError('rev is a float value', 'apierror');
+  }
+
+  return rev;
+};
+
+// checks if a number is an int
+const isInt = (value) => (parseFloat(value) === parseInt(value, 10)) && !isNaN(value);
+
+exports.isInt = isInt;
+exports.checkValidRev = checkValidRev;