enforce sanitizing padID for websocket connections

- only enforce for newly created pads, to combat case-sensitive pad name hijacking
2025-05-08 16:05:05 -04:00 · 2022-05-30 12:15:57 +02:00 · 2022-05-30 12:15:57 +02:00 · 3e0e649279
commit 3e0e649279
parent bf810c7114
2 changed files with 16 additions and 11 deletions
--- a/src/node/handler/PadMessageHandler.js
+++ b/src/node/handler/PadMessageHandler.js
@ -236,6 +236,11 @@ exports.handleMessage = async (socket, message) => {
      padID: message.padId,
      token: message.token,
    };
+
+    // Pad does not exist, so we need to sanitize the id
+    if (!(await padManager.doesPadExist(thisSession.auth.padID))) {
+      thisSession.auth.padID = await padManager.sanitizePadId(thisSession.auth.padID);
+    }
    const padIds = await readOnlyManager.getIds(thisSession.auth.padID);
    thisSession.padId = padIds.padId;
    thisSession.readOnlyPadId = padIds.readOnlyPadId;
--- a/src/tests/backend/specs/lowerCasePadIds.js
+++ b/src/tests/backend/specs/lowerCasePadIds.js
@ -8,8 +8,8 @@ const settings = require('../../../node/utils/Settings');
 describe(__filename, function () {
  let agent;
  const cleanUpPads = async () => {
-    const padIds = ['UPPERCASEpad', 'uppercasepad', 'ALREADYexistingPad', 'alreadyexistingpad'];
-    await Promise.all(padIds.map(async (padId) => {
+    const {padIDs} = await padManager.listAllPads();
+    await Promise.all(padIDs.map(async (padId) => {
      if (await padManager.doesPadExist(padId)) {
        const pad = await padManager.getPad(padId);
        await pad.remove();
@ -77,14 +77,14 @@ describe(__filename, function () {
      assert.equal(newPadHandshake.data.collab_client_vars.initialAttributedText.text, 'newpad\n');
    });

-    // it('disallow socket connection', async function () {
-    //   debugger;
-    //   const res = await agent.get('/p/pad').expect(200);
-    //   const socket = await common.connect(res);
-    //   const deny = await common.handshake(socket, 'Pad');
-    //   assert.equal(deny.accessStatus, 'deny');
-    //   const ok = await common.handshake(socket, 'pad');
-    //   assert.equal(ok.type, 'CLIENT_VARS');
-    // });
+    it('disallow creation of different case pad-name via socket connection', async function () {
+      await padManager.getPad('maliciousattempt', 'attempt');
+
+      const newPad = await agent.get('/p/maliciousattempt').expect(200);
+      const newPadSocket = await common.connect(newPad);
+      const newPadHandshake = await common.handshake(newPadSocket, 'MaliciousAttempt');
+
+      assert.equal(newPadHandshake.data.collab_client_vars.initialAttributedText.text, 'attempt\n');
+    });
  });
 });