diff --git a/lib/sanitize.js b/lib/sanitize.js
index dd02b5d22324f62862bb8a29016c6287531f5789..78d905bb284d379db14d3b1a50bc095c20c3b3b4 100644
--- a/lib/sanitize.js
+++ b/lib/sanitize.js
@@ -28,9 +28,17 @@ module.exports = function (value) {
throw "not a valid domain";
}
};
-
+
+ var isOrigin = function() {
+ // allow single hostnames, e.g. localhost
+ if (!value.match(/^https?:\/\/[a-z\d-]+(\.[a-z\d-]+)*(:\d+)?$/i)) {
+ throw "not a valid origin";
+ }
+ };
+
return {
isEmail: isEmail,
- isDomain: isDomain
+ isDomain: isDomain,
+ isOrigin: isOrigin
};
};
diff --git a/lib/validate.js b/lib/validate.js
index ebe808dd35e85057f200f33cdc28900a716ffc45..7eb2a6f04e1444db5875d6fe1aeb1976e98d91be 100644
--- a/lib/validate.js
+++ b/lib/validate.js
@@ -31,11 +31,14 @@ module.exports = function (params) {
throw k;
}
});
- next();
} catch(e) {
var msg = "missing '" + e + "' argument";
- logger.warn("bad request recieved: " + msg);
+ logger.warn("bad request received: " + msg);
return httputils.badRequest(resp, msg);
}
+
+ // this is called outside the try/catch because errors
+ // in the handling of the request should be caught separately
+ next();
};
};
diff --git a/lib/wsapi/stage_email.js b/lib/wsapi/stage_email.js
index 7d59d4924ae4e0d1f85df9add857454337e083aa..76bca3b86b2e20b4268e2c53791db39c36228874 100644
--- a/lib/wsapi/stage_email.js
+++ b/lib/wsapi/stage_email.js
@@ -26,7 +26,7 @@ exports.process = function(req, res) {
// validate
// should do this one but it's failing for some reason
sanitize(req.body.email).isEmail();
- sanitize(req.body.site).isDomain();
+ sanitize(req.body.site).isOrigin();
db.lastStaged(req.body.email, function (err, last) {
if (err) return wsapi.databaseDown(res, err);
diff --git a/lib/wsapi/stage_user.js b/lib/wsapi/stage_user.js
index 7ff035f29d6f251fece35d7e303dea52b4093a6a..ca1a3318c4eb194829e2a36fce08c628835be335 100644
--- a/lib/wsapi/stage_user.js
+++ b/lib/wsapi/stage_user.js
@@ -30,7 +30,7 @@ exports.process = function(req, resp) {
// validate
sanitize(req.body.email).isEmail();
- sanitize(req.body.site).isDomain();
+ sanitize(req.body.site).isOrigin();
db.lastStaged(req.body.email, function (err, last) {
if (err) return wsapi.databaseDown(resp, err);
diff --git a/tests/add-email-with-assertion-test.js b/tests/add-email-with-assertion-test.js
index ce85baeabde4cf334338b44641b073885cfc091a..aca86c04c874d112f634a5a0b13d8e1bbb992dbb 100755
--- a/tests/add-email-with-assertion-test.js
+++ b/tests/add-email-with-assertion-test.js
@@ -112,7 +112,7 @@ suite.addBatch({
"stage an account": {
topic: wsapi.post('/wsapi/stage_user', {
email: TEST_FIRST_ACCT,
- site:'fakesite.com'
+ site:'http://fakesite.com:652'
}),
"works": function(err, r) {
assert.strictEqual(r.code, 200);
diff --git a/tests/cert-emails-test.js b/tests/cert-emails-test.js
index d58dea80a63c7fe6f2e1e16a95168febe59f5e38..e8b2ef5a39ad5cc4f6cb9b2851160b47b13dec3b 100755
--- a/tests/cert-emails-test.js
+++ b/tests/cert-emails-test.js
@@ -35,7 +35,7 @@ suite.addBatch({
topic: wsapi.post('/wsapi/stage_user', {
email: 'syncer@somehost.com',
pubkey: 'fakekey',
- site:'fakesite.com'
+ site:'http://fakesite.com'
}),
"succeeds": function(err, r) {
assert.strictEqual(r.code, 200);
diff --git a/tests/email-throttling-test.js b/tests/email-throttling-test.js
index ba807a7829aa692ca705946e767ec9c461a7a7de..4cceed04d5c83ee9c07d7a4e9bd3d87586d5207a 100755
--- a/tests/email-throttling-test.js
+++ b/tests/email-throttling-test.js
@@ -24,7 +24,7 @@ suite.addBatch({
"staging a registration": {
topic: wsapi.post('/wsapi/stage_user', {
email: 'first@fakeemail.com',
- site:'fakesite.com'
+ site:'https://fakesite.com:443'
}),
"returns 200": function(err, r) {
assert.strictEqual(r.code, 200);
@@ -49,7 +49,7 @@ suite.addBatch({
"immediately staging another": {
topic: wsapi.post('/wsapi/stage_user', {
email: 'first@fakeemail.com',
- site:'fakesite.com'
+ site:'http://fakesite.com:80'
}),
"is throttled": function(err, r) {
assert.strictEqual(r.code, 429);
@@ -74,7 +74,7 @@ suite.addBatch({
"add a new email address to our account": {
topic: wsapi.post('/wsapi/stage_email', {
email: 'second@fakeemail.com',
- site:'fakesite.com'
+ site:'https://fakesite.com'
}),
"works": function(err, r) {
assert.strictEqual(r.code, 200);
@@ -99,7 +99,7 @@ suite.addBatch({
"re-adding that same new email address a second time": {
topic: wsapi.post('/wsapi/stage_email', {
email: 'second@fakeemail.com',
- site:'fakesite.com'
+ site:'http://fakesite.com'
}),
"is throttled with a 429": function(err, r) {
assert.strictEqual(r.code, 429);
diff --git a/tests/forgotten-email-test.js b/tests/forgotten-email-test.js
index ed0fbc8ce9801f0e03ce04a9cd88bac833e5425e..7c4f875e6dd9de6991f6856226e153ae0158fc28 100755
--- a/tests/forgotten-email-test.js
+++ b/tests/forgotten-email-test.js
@@ -25,7 +25,7 @@ suite.addBatch({
"staging an account": {
topic: wsapi.post('/wsapi/stage_user', {
email: 'first@fakeemail.com',
- site:'fakesite.com'
+ site:'http://localhost:123'
}),
"works": function(err, r) {
assert.strictEqual(r.code, 200);
@@ -74,7 +74,7 @@ suite.addBatch({
"add a new email address to our account": {
topic: wsapi.post('/wsapi/stage_email', {
email: 'second@fakeemail.com',
- site:'fakesite.com'
+ site:'https://fakesite.foobar.bizbaz.uk'
}),
"works": function(err, r) {
assert.strictEqual(r.code, 200);
@@ -137,7 +137,7 @@ suite.addBatch({
"re-stage first account": {
topic: wsapi.post('/wsapi/stage_user', {
email: 'first@fakeemail.com',
- site:'otherfakesite.com'
+ site:'https://otherfakesite.com'
}),
"works": function(err, r) {
assert.strictEqual(r.code, 200);
diff --git a/tests/list-emails-wsapi-test.js b/tests/list-emails-wsapi-test.js
index 7ed5a742a3e6b88e53355479a36e8246e097dbc8..09fa35775cd57cbfc53ae6fa6c475dc0839e7bce 100755
--- a/tests/list-emails-wsapi-test.js
+++ b/tests/list-emails-wsapi-test.js
@@ -27,7 +27,7 @@ suite.addBatch({
"stage an account": {
topic: wsapi.post('/wsapi/stage_user', {
email: 'syncer@somehost.com',
- site:'fakesite.com'
+ site:'https://foobar.fakesite.com'
}),
"works": function(err, r) {
assert.strictEqual(r.code, 200);
diff --git a/tests/no-cookie-test.js b/tests/no-cookie-test.js
index 150d92cd448d862b228f2736abb5f86c9bec703d..33a2db02f237d4a816503b19be3cdfbf01e611f9 100755
--- a/tests/no-cookie-test.js
+++ b/tests/no-cookie-test.js
@@ -27,7 +27,7 @@ suite.addBatch({
"start registration": {
topic: wsapi.post('/wsapi/stage_user', {
email: 'first@fakeemail.com',
- site:'fakesite.com'
+ site:'http://fakesite.com:123'
}),
"returns 200": function(err, r) {
assert.strictEqual(r.code, 200);
diff --git a/tests/password-bcrypt-update-test.js b/tests/password-bcrypt-update-test.js
index c403d6ef715d1250b6671128abd9a64b1b7af923..de9ea66d47d55757750bd0ce29e1d4b29df50c5d 100755
--- a/tests/password-bcrypt-update-test.js
+++ b/tests/password-bcrypt-update-test.js
@@ -46,7 +46,7 @@ suite.addBatch({
"account staging": {
topic: wsapi.post('/wsapi/stage_user', {
email: TEST_EMAIL,
- site:'fakesite.com'
+ site:'https://fakesite.com'
}),
"works": function(err, r) {
assert.equal(r.code, 200);
diff --git a/tests/password-length-test.js b/tests/password-length-test.js
index 2c956b1a1313a8a46f94718b0860364b6314f29f..8988e94cda546001dd6eb40b8f54bd57f609e3a5 100755
--- a/tests/password-length-test.js
+++ b/tests/password-length-test.js
@@ -44,7 +44,7 @@ suite.addBatch({
"account staging": {
topic: wsapi.post('/wsapi/stage_user', {
email: 'first@fakeemail.com',
- site:'fakesite.com'
+ site:'https://fakesite.com:123'
}),
"works": function(err, r) {
assert.equal(r.code, 200);
diff --git a/tests/password-update-test.js b/tests/password-update-test.js
index 9d484f56f47025c365bedee2af4a39fac4caf7eb..dcaeda0d5abb553ecd500bfce2d58bd9fd2de44e 100755
--- a/tests/password-update-test.js
+++ b/tests/password-update-test.js
@@ -34,7 +34,7 @@ suite.addBatch({
"account staging": {
topic: wsapi.post('/wsapi/stage_user', {
email: TEST_EMAIL,
- site: 'fakesite.com'
+ site: 'https://fakesite.com:123'
}),
"works": function(err, r) {
assert.equal(r.code, 200);
diff --git a/tests/primary-then-secondary-test.js b/tests/primary-then-secondary-test.js
index 6b47385a950056d788ba6c144def02c805cacb05..da0e7e5103429ac5533d5b07b91957612752d6fc 100755
--- a/tests/primary-then-secondary-test.js
+++ b/tests/primary-then-secondary-test.js
@@ -81,7 +81,7 @@ suite.addBatch({
"add a new email address to our account": {
topic: wsapi.post('/wsapi/stage_email', {
email: SECONDARY_EMAIL,
- site:'fakesite.com'
+ site:'https://fakesite.com'
}),
"works": function(err, r) {
assert.strictEqual(r.code, 200);
@@ -146,7 +146,7 @@ suite.addBatch({
"add a new email address to our account": {
topic: wsapi.post('/wsapi/stage_email', {
email: SECOND_SECONDARY_EMAIL,
- site:'fakesite.com'
+ site:'http://fakesite.com:123'
}),
"works": function(err, r) {
assert.strictEqual(r.code, 200);
diff --git a/tests/registration-status-wsapi-test.js b/tests/registration-status-wsapi-test.js
index 394383c207dabeb1b78e1a924d4f91ec55064c37..cac3a6050e4c430cc24da3c71f399fd717e8dddc 100755
--- a/tests/registration-status-wsapi-test.js
+++ b/tests/registration-status-wsapi-test.js
@@ -47,7 +47,7 @@ suite.addBatch({
"start registration": {
topic: wsapi.post('/wsapi/stage_user', {
email: 'first@fakeemail.com',
- site:'fakesite.com'
+ site:'https://fakesite.com'
}),
"returns 200": function(err, r) {
assert.strictEqual(r.code, 200);
@@ -166,7 +166,7 @@ suite.addBatch({
"re-registering an existing email": {
topic: wsapi.post('/wsapi/stage_user', {
email: 'first@fakeemail.com',
- site:'secondfakesite.com'
+ site:'http://secondfakesite.com'
}),
"yields a HTTP 200": function (err, r) {
assert.strictEqual(r.code, 200);
diff --git a/tests/stalled-mysql-test.js b/tests/stalled-mysql-test.js
index cd40adba4c379ee97fa585626ba816ff46eb6cd7..a5bba95070166f2f6691c18a705b6f6e2b5210d8 100755
--- a/tests/stalled-mysql-test.js
+++ b/tests/stalled-mysql-test.js
@@ -146,7 +146,7 @@ suite.addBatch({
"stage_user": {
topic: wsapi.post('/wsapi/stage_user', {
email: 'bogus@bogus.edu',
- site: 'whatev.er'
+ site: 'https://whatev.er'
}),
"fails with 503": function(err, r) {
assert.strictEqual(r.code, 503);
@@ -175,7 +175,7 @@ suite.addBatch({
"account staging": {
topic: wsapi.post('/wsapi/stage_user', {
email: "stalltest@whatev.er",
- site: 'fakesite.com'
+ site: 'http://fakesite.com'
}),
"works": function(err, r) {
assert.equal(r.code, 200);
@@ -264,7 +264,7 @@ suite.addBatch({
"stage_email": {
topic: wsapi.post('/wsapi/stage_email', {
email: "test2@whatev.er",
- site: "foo.com"
+ site: "https://foo.com"
}),
"fails with 503": function(err, r) {
assert.strictEqual(r.code, 503);
diff --git a/tests/verifier-test.js b/tests/verifier-test.js
index b2a455dc04807502630199c49333d5a9a42e7572..d9b0589b345916a92708303fc83f57e2007e4826 100755
--- a/tests/verifier-test.js
+++ b/tests/verifier-test.js
@@ -41,7 +41,7 @@ suite.addBatch({
"account staging": {
topic: wsapi.post('/wsapi/stage_user', {
email: TEST_EMAIL,
- site: TEST_DOMAIN
+ site: TEST_ORIGIN
}),
"works": function(err, r) {
assert.equal(r.code, 200);