mirror of
https://github.com/overleaf/overleaf.git
synced 2024-10-31 21:21:03 -04:00
48 lines
954 B
Text
48 lines
954 B
Text
|
#!/bin/bash
|
||
|
|
|
||
|
|
set -e
|
||
|
|
|
||
|
|
POTENTIAL_SEND_USAGE=$(\
|
||
|
|
grep \
|
||
|
|
--files-with-matches \
|
||
|
|
--recursive \
|
||
|
|
app.js \
|
||
|
|
app/ \
|
||
|
|
modules/*/app \
|
||
|
|
test/acceptance/ \
|
||
|
|
modules/*/test/acceptance/ \
|
||
|
|
--regex "\.send\b" \
|
||
|
|
--regex "\bsend(" \
|
||
|
|
)
|
||
|
|
HELPER_MODULE="app/src/infrastructure/Response.js"
|
||
|
|
if [[ "$POTENTIAL_SEND_USAGE" == "$HELPER_MODULE" ]]; then
|
||
|
|
exit 0
|
||
|
|
fi
|
||
|
|
|
||
|
|
for file in ${POTENTIAL_SEND_USAGE}; do
|
||
|
|
if [[ "$file" == "$HELPER_MODULE" ]]; then
|
||
|
|
continue
|
||
|
|
fi
|
||
|
|
|
||
|
|
cat <<MSG >&2
|
||
|
|
|
||
|
|
ERROR: $file contains a potential use of 'res.send'.
|
||
|
|
|
||
|
|
---
|
||
|
|
$(grep -n -C 3 "$file" --regex "\.send\b" --regex "\bsend(")
|
||
|
|
---
|
||
|
|
|
||
|
|
Using 'res.send' is prone to introducing XSS vulnerabilities.
|
||
|
|
|
||
|
|
Consider using 'res.json' or one of the helpers in $HELPER_MODULE.
|
||
|
|
|
||
|
|
If this is a false-positive, consider using a more specific name than 'send'
|
||
|
|
for your newly introduced function.
|
||
|
|
|
||
|
|
Links:
|
||
|
|
- https://github.com/overleaf/internal/issues/6268
|
||
|
|
|
||
|
|
MSG
|
||
|
|
exit 1
|
||
|
|
done
|