From 6177691ed8de44afb47f5702b4b203e11a7a5b86 Mon Sep 17 00:00:00 2001
From: Ben Adida <ben@adida.net>
Date: Tue, 3 Apr 2012 16:48:27 -0700
Subject: [PATCH] added sanitization of email and domain parameters in
 stage_user and stage_email

---
 lib/sanitize.js                        | 36 ++++++++++++++++++++++++++
 lib/wsapi/stage_email.js               |  8 +++++-
 lib/wsapi/stage_user.js                |  7 ++++-
 tests/add-email-with-assertion-test.js |  2 +-
 4 files changed, 50 insertions(+), 3 deletions(-)
 create mode 100644 lib/sanitize.js

diff --git a/lib/sanitize.js b/lib/sanitize.js
new file mode 100644
index 000000000..dd02b5d22
--- /dev/null
+++ b/lib/sanitize.js
@@ -0,0 +1,36 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// a teensy tinsy module to do parameter sanitization.  A good candiate for future
+// librification.
+//
+// usage:
+//
+//   const sanitize = require('sanitize');
+//
+//   sanitize(value).isEmail();
+//   sanitize(value).isDomain();
+
+// XXX - should review these simple regexps
+
+var logger = require('./logging.js').logger;
+
+module.exports = function (value) {
+  var isEmail = function() {
+    
+    if (!value.toLowerCase().match(/^[\w.!#$%&'*+\-/=?\^`{|}~]+@[a-z\d-]+(\.[a-z\d-]+)+$/i))
+      throw "not a valid email";
+  };
+
+  var isDomain = function() {
+    if (!value.match(/^[a-z\d-]+(\.[a-z\d-]+)+$/i)) {
+      throw "not a valid domain";      
+    }
+  };
+  
+  return {
+    isEmail: isEmail,
+    isDomain: isDomain
+  };
+};
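Review bot: isEmail validates a lowercased copy of the value rather than the value itself, and both checks throw bare strings. The `/i` flag already makes the regex case-insensitive, and `toLowerCase()` can fold non-ASCII code points onto ASCII letters (U+212A KELVIN SIGN lowercases to `k`), so an input the regex would reject as-is can pass while the untransformed string is what the callers go on to use; testing `value` directly closes that gap. A value that is not a string (a missing request parameter) makes `toLowerCase()` raise a TypeError with an unrelated message, and `throw "not a valid email"` carries no stack and cannot be told apart with `instanceof`, so a `typeof value !== 'string'` guard plus `throw new Error(...)` would give callers one uniform failure to handle. `logger` is required on the line above module.exports but never used in this file.
```javascript
module.exports = function (value) {
  // shared check: the value must be a string and must match `re` as given,
  // so what is validated is exactly the string the callers go on to use
  var check = function (re, what) {
    if (typeof value !== 'string' || !re.test(value)) {
      throw new Error("not a valid " + what);
    }
  };

  var isEmail = function () {
    check(/^[\w.!#$%&'*+\-/=?\^`{|}~]+@[a-z\d-]+(\.[a-z\d-]+)+$/i, "email");
  };

  var isDomain = function () {
    check(/^[a-z\d-]+(\.[a-z\d-]+)+$/i, "domain");
  };

  // … unchanged: return { isEmail: isEmail, isDomain: isDomain } …
};
```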
diff --git a/lib/wsapi/stage_email.js b/lib/wsapi/stage_email.js
index 8acda3572..7d59d4924 100644
--- a/lib/wsapi/stage_email.js
+++ b/lib/wsapi/stage_email.js
@@ -7,7 +7,8 @@ db = require('../db.js'),
 wsapi = require('../wsapi.js'),
 httputils = require('../httputils'),
 logger = require('../logging.js').logger,
-email = require('../email.js');
+email = require('../email.js'),
+sanitize = require('../sanitize');
 
 /* First half of account creation.  Stages a user account for creation.
  * this involves creating a secret url that must be delivered to the
@@ -22,6 +23,11 @@ exports.args = ['email','site'];
 exports.i18n = true;
 
 exports.process = function(req, res) {
+  // validate
+  // should do this one but it's failing for some reason
+  sanitize(req.body.email).isEmail();
+  sanitize(req.body.site).isDomain();
+  
   db.lastStaged(req.body.email, function (err, last) {
     if (err) return wsapi.databaseDown(res, err);
 
diff --git a/lib/wsapi/stage_user.js b/lib/wsapi/stage_user.js
index 14bb947e1..7ff035f29 100644
--- a/lib/wsapi/stage_user.js
+++ b/lib/wsapi/stage_user.js
@@ -7,7 +7,8 @@ db = require('../db.js'),
 wsapi = require('../wsapi.js'),
 httputils = require('../httputils'),
 logger = require('../logging.js').logger,
-email = require('../email.js');
+email = require('../email.js'),
+sanitize = require('../sanitize');
 
 /* First half of account creation.  Stages a user account for creation.
  * this involves creating a secret url that must be delivered to the
@@ -27,6 +28,10 @@ exports.process = function(req, resp) {
   // staging a user logs you out.
   wsapi.clearAuthenticatedUser(req.session);
 
+  // validate
+  sanitize(req.body.email).isEmail();
+  sanitize(req.body.site).isDomain();
+
   db.lastStaged(req.body.email, function (err, last) {
     if (err) return wsapi.databaseDown(resp, err);
 
diff --git a/tests/add-email-with-assertion-test.js b/tests/add-email-with-assertion-test.js
index 900e5d4a6..ce85baeab 100755
--- a/tests/add-email-with-assertion-test.js
+++ b/tests/add-email-with-assertion-test.js
@@ -31,7 +31,7 @@ start_stop.addStartupBatches(suite);
 const TEST_DOMAIN = 'example.domain',
       TEST_EMAIL = 'testuser@' + TEST_DOMAIN,
       TEST_ORIGIN = 'http://127.0.0.1:10002',
-      TEST_FIRST_ACCT = 'testuser@fake.domain';
+      TEST_FIRST_ACCT = 'test.user+folder@fake.domain';
 
 // This test will excercise the ability to add an email to an
 // account using an assertion from a primary
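Review bot: Changing TEST_FIRST_ACCT to `'test.user+folder@fake.domain'` only widens the positive case (dot and plus in the local part now pass sanitize); nothing in this commit asserts the negative side, that stage_user or stage_email rejects a malformed email or site with a client error and without staging anything. If the rest of this suite (outside the hunk) does not already cover that, a batch posting an invalid `email` and an invalid `site` and checking the response status would pin the behaviour the new sanitize module is meant to provide.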
-- 
GitLab