From 3e0e649279d8e9f3e59a3ec5601410f409aa00f8 Mon Sep 17 00:00:00 2001
From: Daniel Habenicht <daniel-habenicht@outlook.de>
Date: Mon, 30 May 2022 12:15:57 +0200
Subject: [PATCH] enforce sanitizing padID for websocket connections

- only enforce for newly created pads, to combat case-sensitive pad name hijacking
---
 src/node/handler/PadMessageHandler.js      |  5 +++++
 src/tests/backend/specs/lowerCasePadIds.js | 22 +++++++++++-----------
 2 files changed, 16 insertions(+), 11 deletions(-)

diff --git a/src/node/handler/PadMessageHandler.js b/src/node/handler/PadMessageHandler.js
index 35c76b5d9..2cfdcfc1a 100644
--- a/src/node/handler/PadMessageHandler.js
+++ b/src/node/handler/PadMessageHandler.js
@@ -236,6 +236,11 @@ exports.handleMessage = async (socket, message) => {
       padID: message.padId,
       token: message.token,
     };
+
+    // Pad does not exist, so we need to sanitize the id
+    if (!(await padManager.doesPadExist(thisSession.auth.padID))) {
+      thisSession.auth.padID = await padManager.sanitizePadId(thisSession.auth.padID);
+    }
     const padIds = await readOnlyManager.getIds(thisSession.auth.padID);
     thisSession.padId = padIds.padId;
     thisSession.readOnlyPadId = padIds.readOnlyPadId;
diff --git a/src/tests/backend/specs/lowerCasePadIds.js b/src/tests/backend/specs/lowerCasePadIds.js
index 8c8d297d3..489b0eda9 100644
--- a/src/tests/backend/specs/lowerCasePadIds.js
+++ b/src/tests/backend/specs/lowerCasePadIds.js
@@ -8,8 +8,8 @@ const settings = require('../../../node/utils/Settings');
 describe(__filename, function () {
   let agent;
   const cleanUpPads = async () => {
-    const padIds = ['UPPERCASEpad', 'uppercasepad', 'ALREADYexistingPad', 'alreadyexistingpad'];
-    await Promise.all(padIds.map(async (padId) => {
+    const {padIDs} = await padManager.listAllPads();
+    await Promise.all(padIDs.map(async (padId) => {
       if (await padManager.doesPadExist(padId)) {
         const pad = await padManager.getPad(padId);
         await pad.remove();
@@ -77,14 +77,14 @@ describe(__filename, function () {
       assert.equal(newPadHandshake.data.collab_client_vars.initialAttributedText.text, 'newpad\n');
     });
 
-    // it('disallow socket connection', async function () {
-    //   debugger;
-    //   const res = await agent.get('/p/pad').expect(200);
-    //   const socket = await common.connect(res);
-    //   const deny = await common.handshake(socket, 'Pad');
-    //   assert.equal(deny.accessStatus, 'deny');
-    //   const ok = await common.handshake(socket, 'pad');
-    //   assert.equal(ok.type, 'CLIENT_VARS');
-    // });
+    it('disallow creation of different case pad-name via socket connection', async function () {
+      await padManager.getPad('maliciousattempt', 'attempt');
+
+      const newPad = await agent.get('/p/maliciousattempt').expect(200);
+      const newPadSocket = await common.connect(newPad);
+      const newPadHandshake = await common.handshake(newPadSocket, 'MaliciousAttempt');
+
+      assert.equal(newPadHandshake.data.collab_client_vars.initialAttributedText.text, 'attempt\n');
+    });
   });
 });