enforce sanitizing padID for websocket connections
- only enforce for newly created pads, to combat case-sensitive pad name hijacking
This commit is contained in:
parent
bf810c7114
commit
3e0e649279
2 changed files with 16 additions and 11 deletions
|
@ -236,6 +236,11 @@ exports.handleMessage = async (socket, message) => {
|
||||||
padID: message.padId,
|
padID: message.padId,
|
||||||
token: message.token,
|
token: message.token,
|
||||||
};
|
};
|
||||||
|
|
||||||
|
// Pad does not exist, so we need to sanitize the id
|
||||||
|
if (!(await padManager.doesPadExist(thisSession.auth.padID))) {
|
||||||
|
thisSession.auth.padID = await padManager.sanitizePadId(thisSession.auth.padID);
|
||||||
|
}
|
||||||
const padIds = await readOnlyManager.getIds(thisSession.auth.padID);
|
const padIds = await readOnlyManager.getIds(thisSession.auth.padID);
|
||||||
thisSession.padId = padIds.padId;
|
thisSession.padId = padIds.padId;
|
||||||
thisSession.readOnlyPadId = padIds.readOnlyPadId;
|
thisSession.readOnlyPadId = padIds.readOnlyPadId;
|
||||||
|
|
|
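Review bot: The new existence check `if (!(await padManager.doesPadExist(thisSession.auth.padID)))` also fires for read-only ids, because an `r.`-prefixed id is not itself a stored pad, so `sanitizePadId` now runs on read-only ids before `readOnlyManager.getIds` resolves them; whether sanitizePadId leaves such ids untouched is not visible in this hunk and should be confirmed, or the step skipped for them with `if (!readOnlyManager.isReadOnlyId(thisSession.auth.padID) && !(await padManager.doesPadExist(thisSession.auth.padID)))`. The check-then-sanitize is also not atomic: two concurrent handshakes for a not-yet-existing name both pass doesPadExist before either pad is created, which is harmless only because both are normalised to the same id. A comment making that intent explicit would help, e.g. `// Existing pads keep their id verbatim so old links keep working; a new pad's id is normalised so it cannot shadow an existing pad under a different case.` handleMessage starts and ends outside this hunk.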
@ -8,8 +8,8 @@ const settings = require('../../../node/utils/Settings');
|
||||||
describe(__filename, function () {
|
describe(__filename, function () {
|
||||||
let agent;
|
let agent;
|
||||||
const cleanUpPads = async () => {
|
const cleanUpPads = async () => {
|
||||||
const padIds = ['UPPERCASEpad', 'uppercasepad', 'ALREADYexistingPad', 'alreadyexistingpad'];
|
const {padIDs} = await padManager.listAllPads();
|
||||||
await Promise.all(padIds.map(async (padId) => {
|
await Promise.all(padIDs.map(async (padId) => {
|
||||||
if (await padManager.doesPadExist(padId)) {
|
if (await padManager.doesPadExist(padId)) {
|
||||||
const pad = await padManager.getPad(padId);
|
const pad = await padManager.getPad(padId);
|
||||||
await pad.remove();
|
await pad.remove();
|
||||||
|
@ -77,14 +77,14 @@ describe(__filename, function () {
|
||||||
assert.equal(newPadHandshake.data.collab_client_vars.initialAttributedText.text, 'newpad\n');
|
assert.equal(newPadHandshake.data.collab_client_vars.initialAttributedText.text, 'newpad\n');
|
||||||
});
|
});
|
||||||
|
|
||||||
// it('disallow socket connection', async function () {
|
it('disallow creation of different case pad-name via socket connection', async function () {
|
||||||
// debugger;
|
await padManager.getPad('maliciousattempt', 'attempt');
|
||||||
// const res = await agent.get('/p/pad').expect(200);
|
|
||||||
// const socket = await common.connect(res);
|
const newPad = await agent.get('/p/maliciousattempt').expect(200);
|
||||||
// const deny = await common.handshake(socket, 'Pad');
|
const newPadSocket = await common.connect(newPad);
|
||||||
// assert.equal(deny.accessStatus, 'deny');
|
const newPadHandshake = await common.handshake(newPadSocket, 'MaliciousAttempt');
|
||||||
// const ok = await common.handshake(socket, 'pad');
|
|
||||||
// assert.equal(ok.type, 'CLIENT_VARS');
|
assert.equal(newPadHandshake.data.collab_client_vars.initialAttributedText.text, 'attempt\n');
|
||||||
// });
|
});
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
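Review bot: The new test asserts only that the `MaliciousAttempt` handshake lands on the existing `maliciousattempt` pad's text; it never checks that no pad named `MaliciousAttempt` was created, which is the property the commit title claims, so add `assert(!(await padManager.doesPadExist('MaliciousAttempt')));` after the text assertion. The test name says "disallow" while the behaviour under test is a redirect to the existing pad rather than a denial; either rename it to something like `'different-case pad name resolves to the existing pad via socket connection'` or assert `accessStatus` if denial is what is intended. Separately, the cleanUpPads change in the first hunk now removes every pad returned by `listAllPads()` rather than the named fixtures, which is only safe if this suite always runs against a dedicated test database; a comment stating that assumption would be worth adding.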