[HttpController] double down on request validation

2024-11-21 20:47:08 -05:00 · 2021-02-17 11:31:27 +00:00 · 2021-02-17 11:31:27 +00:00 · 0c169cb242
commit 0c169cb242
parent 26bc074098
2 changed files with 37 additions and 2 deletions
--- a/services/docstore/app/js/HttpController.js
+++ b/services/docstore/app/js/HttpController.js
@ -191,7 +191,17 @@ module.exports = HttpController = {
  patchDoc(req, res, next) {
    const { project_id, doc_id } = req.params
    logger.log({ project_id, doc_id }, 'patching doc')
-    DocManager.patchDoc(project_id, doc_id, req.body, function (error) {
+
+    const allowedFields = ['deleted', 'deletedAt', 'name']
+    const meta = {}
+    Object.entries(req.body).forEach(([field, value]) => {
+      if (allowedFields.includes(field)) {
+        meta[field] = value
+      } else {
+        logger.fatal({ field }, 'joi validation for pathDoc is broken')
+      }
+    })
+    DocManager.patchDoc(project_id, doc_id, meta, function (error) {
      if (error) {
        return next(error)
      }
--- a/services/docstore/test/unit/js/HttpControllerTests.js
+++ b/services/docstore/test/unit/js/HttpControllerTests.js
@ -32,7 +32,8 @@ describe('HttpController', function () {
        './DocArchiveManager': (this.DocArchiveManager = {}),
        'logger-sharelatex': (this.logger = {
          log: sinon.stub(),
-          error: sinon.stub()
+          error: sinon.stub(),
+          fatal: sinon.stub()
        }),
        'settings-sharelatex': settings,
        './HealthChecker': {}
@ -477,6 +478,30 @@ describe('HttpController', function () {
    it('should return a 204 (No Content)', function () {
      expect(this.res.sendStatus).to.have.been.calledWith(204)
    })
+
+    describe('with an invalid payload', function () {
+      beforeEach(function () {
+        this.req.body = { cannot: 'happen' }
+
+        this.DocManager.patchDoc = sinon.stub().yields(null)
+        this.HttpController.patchDoc(this.req, this.res, this.next)
+      })
+
+      it('should log a message', function () {
+        expect(this.logger.fatal).to.have.been.calledWith(
+          { field: 'cannot' },
+          'joi validation for pathDoc is broken'
+        )
+      })
+
+      it('should not pass the invalid field along', function () {
+        expect(this.DocManager.patchDoc).to.have.been.calledWith(
+          this.project_id,
+          this.doc_id,
+          {}
+        )
+      })
+    })
  })

  describe('archiveAllDocs', function () {