fix defects found in code review for improved api argument validation, issue #1526

aa65d9cb · Lloyd Hilaiel · b0721b75 · aa65d9cb · aa65d9cb · b0721b75
Commit aa65d9cb authored 12 years ago by Lloyd Hilaiel
--- a/lib/wsapi.js
+++ b/lib/wsapi.js
@@ -265,9 +265,6 @@ exports.setup = function(options, app) {

      // set up the argument validator
      if (api.args) {
-        if (Array.isArray(api.args)) {
-          console.log("WARNING: you should update", operation, "it uses unvalidated arguments");
-        }
        wsapis[operation].validate = validate(api.args);
      } else {
        wsapis[operation].validate = function(req,res,next) { next(); };

--- a/lib/wsapi/cert_key.js
+++ b/lib/wsapi/cert_key.js
@@ -37,8 +37,16 @@ exports.process = function(req, res) {
      // forward to the keysigner!
      var keysigner = urlparse(config.get('keysigner_url'));
      keysigner.path = '/wsapi/cert_key';
+
+      // parameter validation moves arguments from req.body to req.params,
+      // and removes them from req.body.  This feature makes it impossible
+      // to use unvalidated params in your wsapi "process" function.
+      // 
+      // http_forward, however, will only forward params in req.body
+      // or req.query.  so we explicitly copy req.params to req.body
+      // to cause them to be forwarded.
      req.body = req.params;
-      console.log('bid params', req.params);
+
      forward(keysigner, req, res, function(err) {
        if (err) {
          logger.error("error forwarding request to keysigner: " + err);

--- a/lib/wsapi/complete_reverify.js
+++ b/lib/wsapi/complete_reverify.js
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-const
-db = require('../db.js'),
-logger = require('../logging.js').logger,
-wsapi = require('../wsapi.js'),
-bcrypt = require('../bcrypt.js'),
-httputils = require('../httputils.js');
-
-exports.method = 'post';
-exports.writes_db = true;
-exports.authed = false;
-exports.args = {
-  'token': 'token',
-  // NOTE: 'pass' is required when a user is not authenticated
-  'pass': {
-    type: 'password',
-    optional: true
-  }
-};
-exports.i18n = false;
-
-exports.process = function(req, res) {
-  // in order to complete an email re-verification, one of the following must be true:
-  //
-  // 1. you must already be authenticated as the user who initiated the verification
-  // 2. you must provide the password of the initiator.
-
-  db.authForVerificationSecret(req.params.token, function(err, initiator_hash, initiator_uid) {
-    if (err) {
-      logger.info("unknown verification secret: " + err);
-      return wsapi.databaseDown(res, err);
-    }
-
-    if (req.session.userid === initiator_uid) {
-      postAuthentication();
-    } else if (typeof req.params.pass === 'string') {
-      bcrypt.compare(req.params.pass, initiator_hash, function (err, success) {
-        if (err) {
-          logger.warn("max load hit, failing on auth request with 503: " + err);
-          return httputils.serviceUnavailable(res, "server is too busy");
-        } else if (!success) {
-          return httputils.authRequired(res, "password mismatch");
-        } else {
-          postAuthentication();
-        }
-      });
-    } else {
-      return httputils.authRequired(res, "password required");
-    }
-
-    function postAuthentication() {
-      db.completeReverify(req.params.token, function(e, email, uid) {
-        if (e) {
-          logger.warn("couldn't complete email verification: " + e);
-          wsapi.databaseDown(res, e);
-        } else {
-          wsapi.authenticateSession(req.session, uid, 'password');
-          res.json({ success: true });
-        }
-      });
-    };
-  });
-};