diff --git a/lib/sanitize.js b/lib/sanitize.js
new file mode 100644
index 0000000000000000000000000000000000000000..dd02b5d22324f62862bb8a29016c6287531f5789
--- /dev/null
+++ b/lib/sanitize.js
@@ -0,0 +1,36 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// a teensy tinsy module to do parameter sanitization. A good candiate for future
+// librification.
+//
+// usage:
+//
+// const sanitize = require('sanitize');
+//
+// sanitize(value).isEmail();
+// sanitize(value).isDomain();
+
+// XXX - should review these simple regexps
+
+var logger = require('./logging.js').logger;
+
+module.exports = function (value) {
+ var isEmail = function() {
+
+ if (!value.toLowerCase().match(/^[\w.!#$%&'*+\-/=?\^`{|}~]+@[a-z\d-]+(\.[a-z\d-]+)+$/i))
+ throw "not a valid email";
+ };
+
+ var isDomain = function() {
+ if (!value.match(/^[a-z\d-]+(\.[a-z\d-]+)+$/i)) {
+ throw "not a valid domain";
+ }
+ };
+
+ return {
+ isEmail: isEmail,
+ isDomain: isDomain
+ };
+};
diff --git a/lib/wsapi/stage_email.js b/lib/wsapi/stage_email.js
index 8acda357269408aacc0fb5741172dd9015c4709c..7d59d4924ae4e0d1f85df9add857454337e083aa 100644
--- a/lib/wsapi/stage_email.js
+++ b/lib/wsapi/stage_email.js
@@ -7,7 +7,8 @@ db = require('../db.js'),
 wsapi = require('../wsapi.js'),
 httputils = require('../httputils'),
 logger = require('../logging.js').logger,
-email = require('../email.js');
+email = require('../email.js'),
+sanitize = require('../sanitize');

 /* First half of account creation. Stages a user account for creation.
 * this involves creating a secret url that must be delivered to the
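Review bot: In lib/sanitize.js, `isEmail` and `isDomain` call `value.toLowerCase()` and `value.match()` without checking the type, so a missing or non-string parameter (for example an array or object produced by the body parser) raises a TypeError instead of the validation failure. A guard at the top of each check, such as `if (typeof value !== 'string') throw new Error("not a valid email");`, keeps every rejection on one path, and throwing `Error` objects rather than bare strings preserves a stack trace for whatever handles it. Neither pattern bounds the input length, and the domain pattern accepts labels that begin or end with `-`. The local-part class also admits `'`, the backtick, `|` and `&`, so code that later places the address in mail templates, logs or queries still has to encode it. `logger` is required but never used in this file.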
@@ -22,6 +23,11 @@ exports.args = ['email','site'];
 exports.i18n = true;

 exports.process = function(req, res) {
+ // validate
+ // should do this one but it's failing for some reason
+ sanitize(req.body.email).isEmail();
+ sanitize(req.body.site).isDomain();
+
 db.lastStaged(req.body.email, function (err, last) {
 if (err) return wsapi.databaseDown(res, err);

diff --git a/lib/wsapi/stage_user.js b/lib/wsapi/stage_user.js
index 14bb947e148a270e4f5b25c7714a1d24f94114fd..7ff035f29d6f251fece35d7e303dea52b4093a6a 100644
--- a/lib/wsapi/stage_user.js
+++ b/lib/wsapi/stage_user.js
@@ -7,7 +7,8 @@ db = require('../db.js'),
 wsapi = require('../wsapi.js'),
 httputils = require('../httputils'),
 logger = require('../logging.js').logger,
-email = require('../email.js');
+email = require('../email.js'),
+sanitize = require('../sanitize');

 /* First half of account creation. Stages a user account for creation.
 * this involves creating a secret url that must be delivered to the
@@ -27,6 +28,10 @@ exports.process = function(req, resp) {
 // staging a user logs you out.
 wsapi.clearAuthenticatedUser(req.session);

+ // validate
+ sanitize(req.body.email).isEmail();
+ sanitize(req.body.site).isDomain();
+
 db.lastStaged(req.body.email, function (err, last) {
 if (err) return wsapi.databaseDown(resp, err);

diff --git a/tests/add-email-with-assertion-test.js b/tests/add-email-with-assertion-test.js
index 900e5d4a6139957188a2312060bd46d356f65bc2..ce85baeabde4cf334338b44641b073885cfc091a 100755
--- a/tests/add-email-with-assertion-test.js
+++ b/tests/add-email-with-assertion-test.js
@@ -31,7 +31,7 @@ start_stop.addStartupBatches(suite);
 const TEST_DOMAIN = 'example.domain',
 TEST_EMAIL = 'testuser@' + TEST_DOMAIN,
 TEST_ORIGIN = 'http://127.0.0.1:10002',
- TEST_FIRST_ACCT = 'testuser@fake.domain';
+ TEST_FIRST_ACCT = 'test.user+folder@fake.domain';

 // This test will excercise the ability to add an email to an
 // account using an assertion from a primary
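Review bot: In the second hunk of lib/wsapi/stage_email.js the two `sanitize(...)` calls throw on bad input, but nothing in the visible part of `exports.process` catches the exception. Unless the wsapi dispatcher (not shown) wraps handlers, a malformed `email` or `site` surfaces as an uncaught exception rather than a 400 response; the matching hunk in lib/wsapi/stage_user.js has the same gap. I would wrap both calls, e.g. `try { sanitize(req.body.email).isEmail(); sanitize(req.body.site).isDomain(); } catch (e) { /* reply 400 and return */ }`. The comment `// should do this one but it's failing for some reason` should be resolved or removed before merge; one thing to check is whether `site` arrives as an origin like the `http://127.0.0.1:10002` value in the tests, which `isDomain` rejects because of the scheme and port. In stage_user.js the validation runs after `wsapi.clearAuthenticatedUser(req.session)`, so an invalid request still logs the user out; validating first avoids that. Both function bodies continue outside the hunks.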