Export: verify revisions are numbers

CHANGELOG.md

@@ -1,3 +1,11 @@
+# Next release
+
+### Notable enhancements and fixes
+
+* Bugfixes
+  * revisions in `CHANGESET_REQ` (timeslider) and export (txt, html, custom)
+    are now checked to be numbers.
+
 # 1.9.0
 
 ### Notable enhancements and fixes

src/node/handler/ExportHandler.js

@@ -29,6 +29,7 @@ const os = require('os');
 const hooks = require('../../static/js/pluginfw/hooks');
 const TidyHtml = require('../utils/TidyHtml');
 const util = require('util');
+const { checkValidRev } = require('../utils/checkValidRev');
 
 const fsp_writeFile = util.promisify(fs.writeFile);
 const fsp_unlink = util.promisify(fs.unlink);
@@ -53,6 +54,12 @@ exports.doExport = async (req, res, padId, readOnlyId, type) => {
   // tell the browser that this is a downloadable file
   res.attachment(`${fileName}.${type}`);
 
+  if (req.params.rev !== undefined) {
+    // ensure revision is a number
+    // modify req, as we use it in a later call to exportConvert
+    req.params.rev = checkValidRev(req.params.rev);
+  }
+
   // if this is a plain text export, we can do this directly
   // We have to over engineer this because tabs are stored as attributes and not plain text
   if (type === 'etherpad') {

src/node/utils/ExportHelper.js

@@ -21,10 +21,14 @@
 
 const AttributeMap = require('../../static/js/AttributeMap');
 const Changeset = require('../../static/js/Changeset');
+const { checkValidRev } = require('./checkValidRev');
 
+/*
+ * This method seems unused in core and no plugins depend on it
+ */
 exports.getPadPlainText = (pad, revNum) => {
   const _analyzeLine = exports._analyzeLine;
-  const atext = ((revNum !== undefined) ? pad.getInternalRevisionAText(revNum) : pad.atext);
+  const atext = ((revNum !== undefined) ? pad.getInternalRevisionAText(checkValidRev(revNum)) : pad.atext);
   const textLines = atext.text.slice(0, -1).split('\n');
   const attribLines = Changeset.splitAttributionLines(atext.attribs, atext.text);
   const apool = pad.pool;