Security: Fix revision parsing (#5772)

A carefully crated URL can cause Etherpad to hang.
2025-04-21 16:06:16 -04:00 · 2023-06-26 18:17:06 +01:00 · 2023-06-26 18:17:06 +01:00 · 1e98033632
commit 1e98033632
parent 1d289520eb
9 changed files with 325 additions and 29 deletions
--- a/src/tests/backend/specs/messages.js
+++ b/src/tests/backend/specs/messages.js
@ -77,6 +77,89 @@ describe(__filename, function () {
        await otherPad.remove();
      }
    });
+
+    it('CHANGESET_REQ: verify revNum is a number (regression)', async function () {
+      const otherPadId = `${padId}other`;
+      assert(!await padManager.doesPadExist(otherPadId));
+      const otherPad = await padManager.getPad(otherPadId, 'other text\n');
+      let errorCatched = 0;
+      try {
+        await otherPad.setText('other text\n');
+        await common.sendMessage(roSocket, {
+          component: 'pad',
+          padId: otherPadId, // The server should ignore this.
+          type: 'CHANGESET_REQ',
+          data: {
+            granularity: 1,
+            start: 'test123',
+            requestID: 'requestId',
+          },
+        });
+        assert.equal('This code should never run', 1);
+      }
+      catch(e) {
+        assert.match(e.message, /rev is not a number/);
+        errorCatched = 1;
+      }
+      finally {
+        await otherPad.remove();
+        assert.equal(errorCatched, 1);
+      }
+    });
+
+    it('CHANGESET_REQ: revNum is converted to number if possible (regression)', async function () {
+      const otherPadId = `${padId}other`;
+      assert(!await padManager.doesPadExist(otherPadId));
+      const otherPad = await padManager.getPad(otherPadId, 'other text\n');
+      try {
+        await otherPad.setText('other text\n');
+        const resP = common.waitForSocketEvent(roSocket, 'message');
+        await common.sendMessage(roSocket, {
+          component: 'pad',
+          padId: otherPadId, // The server should ignore this.
+          type: 'CHANGESET_REQ',
+          data: {
+            granularity: 1,
+            start: '1test123',
+            requestID: 'requestId',
+          },
+        });
+        const res = await resP;
+        assert.equal(res.type, 'CHANGESET_REQ');
+        assert.equal(res.data.requestID, 'requestId');
+        assert.equal(res.data.start, 1);
+      }
+      finally {
+        await otherPad.remove();
+      }
+    });
+
+    it('CHANGESET_REQ: revNum 2 is converted to head rev 1 (regression)', async function () {
+      const otherPadId = `${padId}other`;
+      assert(!await padManager.doesPadExist(otherPadId));
+      const otherPad = await padManager.getPad(otherPadId, 'other text\n');
+      try {
+        await otherPad.setText('other text\n');
+        const resP = common.waitForSocketEvent(roSocket, 'message');
+        await common.sendMessage(roSocket, {
+          component: 'pad',
+          padId: otherPadId, // The server should ignore this.
+          type: 'CHANGESET_REQ',
+          data: {
+            granularity: 1,
+            start: '2',
+            requestID: 'requestId',
+          },
+        });
+        const res = await resP;
+        assert.equal(res.type, 'CHANGESET_REQ');
+        assert.equal(res.data.requestID, 'requestId');
+        assert.equal(res.data.start, 1);
+      }
+      finally {
+        await otherPad.remove();
+      }
+    });
  });

  describe('USER_CHANGES', function () {