Merge pull request #3902 from overleaf/sk-ref-providers-hide

Editor: don't leak encrypted tokens to frontend GitOrigin-RevId: 245c1e9d479f7eec2979b46a5959bd3eb9f08363
2024-11-07 20:31:06 -05:00 · 2021-04-21 09:23:46 +01:00 · 2021-04-21 09:23:46 +01:00 · 07ec567b07
commit 07ec567b07
parent 58fbbf6269
3 changed files with 41 additions and 3 deletions
--- a/services/web/app/src/Features/Project/ProjectController.js
+++ b/services/web/app/src/Features/Project/ProjectController.js
@ -819,7 +819,7 @@ const ProjectController = {
                allowedFreeTrial: allowedFreeTrial,
                featureSwitches: user.featureSwitches,
                features: user.features,
-                refProviders: user.refProviders,
+                refProviders: _.mapValues(user.refProviders, Boolean),
                alphaProgram: user.alphaProgram,
                betaProgram: user.betaProgram,
                isAdmin: user.isAdmin
--- a/services/web/test/acceptance/src/ProjectCRUDTests.js
+++ b/services/web/test/acceptance/src/ProjectCRUDTests.js
@ -2,15 +2,38 @@ const { expect } = require('chai')
 const User = require('./helpers/User').promises
 const { Project } = require('../../../app/src/models/Project')
 const { ObjectId } = require('mongodb')
+const cheerio = require('cheerio')

 describe('Project CRUD', function () {
  beforeEach(async function () {
    this.user = new User()
    await this.user.login()
-
    this.projectId = await this.user.createProject('example-project')
  })

+  describe('project page', function () {
+    it('should cast refProviders to booleans', async function () {
+      await this.user.mongoUpdate({
+        $set: {
+          refProviders: {
+            mendeley: { encrypted: 'aaa' },
+            zotero: { encrypted: 'bbb' }
+          }
+        }
+      })
+      const { response, body } = await this.user.doRequest(
+        'GET',
+        `/project/${this.projectId}`
+      )
+      expect(response.statusCode).to.equal(200)
+      const dom = cheerio.load(body)
+      const metaOlUser = dom('meta[name="ol-user"]')[0]
+      const userData = JSON.parse(metaOlUser.attribs.content)
+      expect(userData.refProviders.mendeley).to.equal(true)
+      expect(userData.refProviders.zotero).to.equal(true)
+    })
+  })
+
  describe("when project doesn't exist", function () {
    it('should return 404', async function () {
      const { response } = await this.user.doRequest(
--- a/services/web/test/unit/src/Project/ProjectControllerTests.js
+++ b/services/web/test/unit/src/Project/ProjectControllerTests.js
@ -896,7 +896,11 @@ describe('ProjectController', function () {
          fontSize: 'massive',
          theme: 'sexy'
        },
-        email: 'bob@bob.com'
+        email: 'bob@bob.com',
+        refProviders: {
+          mendeley: { encrypted: 'aaaa' },
+          zotero: { encrypted: 'bbbb' }
+        }
      }
      this.ProjectGetter.getProject.callsArgWith(2, null, this.project)
      this.UserModel.findById.callsArgWith(2, null, this.user)
@ -927,6 +931,17 @@ describe('ProjectController', function () {
      this.ProjectController.loadEditor(this.req, this.res)
    })

+    it('should sanitize refProviders', function (done) {
+      this.res.render = (_pageName, opts) => {
+        expect(opts.user.refProviders).to.deep.equal({
+          mendeley: true,
+          zotero: true
+        })
+        done()
+      }
+      this.ProjectController.loadEditor(this.req, this.res)
+    })
+
    it('should add on userSettings', function (done) {
      this.res.render = (pageName, opts) => {
        opts.userSettings.fontSize.should.equal(this.user.ace.fontSize)