Merge pull request #45 from sharelatex/bg-avoid-text-html-content-type-in-responses

use explicit json content-type to avoid security issues with text/html
2024-11-21 20:47:08 -05:00 · 2019-02-22 09:24:30 +00:00 · 2019-02-22 09:24:30 +00:00 · 11f07d1f09
commit 11f07d1f09
parent 946beb78f9 8c5d74faef
2 changed files with 11 additions and 8 deletions
--- a/services/document-updater/app/coffee/HttpController.coffee
+++ b/services/document-updater/app/coffee/HttpController.coffee
@ -25,7 +25,7 @@ module.exports = HttpController =
 			logger.log project_id: project_id, doc_id: doc_id, "got doc via http"
 			if !lines? or !version?
 				return next(new Errors.NotFoundError("document not found"))
-			res.send JSON.stringify
+			res.json
 				id: doc_id
 				lines: lines
 				version: version
--- a/services/document-updater/test/unit/coffee/HttpController/HttpControllerTests.coffee
+++ b/services/document-updater/test/unit/coffee/HttpController/HttpControllerTests.coffee
@ -22,6 +22,7 @@ describe "HttpController", ->
 		@next = sinon.stub()
 		@res =
 			send: sinon.stub()
+			json: sinon.stub()
 	
 	describe "getDoc", ->
 		beforeEach ->
@ -47,15 +48,15 @@ describe "HttpController", ->
 					.should.equal true

 			it "should return the doc as JSON", ->
-				@res.send
-					.calledWith(JSON.stringify({
+				@res.json
+					.calledWith({
 						id: @doc_id
 						lines: @lines
 						version: @version
 						ops: []
 						ranges: @ranges
 						pathname: @pathname
-					}))
+					})
 					.should.equal true

 			it "should log the request", ->
@ -68,7 +69,7 @@ describe "HttpController", ->

 		describe "when recent ops are requested", ->
 			beforeEach ->
-				@DocumentManager.getDocAndRecentOpsWithLock = sinon.stub().callsArgWith(3, null, @lines, @version, @ops)
+				@DocumentManager.getDocAndRecentOpsWithLock = sinon.stub().callsArgWith(3, null, @lines, @version, @ops, @ranges, @pathname)
 				@req.query = fromVersion: "#{@fromVersion}"
 				@HttpController.getDoc(@req, @res, @next)

@ -78,13 +79,15 @@ describe "HttpController", ->
 					.should.equal true

 			it "should return the doc as JSON", ->
-				@res.send
-					.calledWith(JSON.stringify({
+				@res.json
+					.calledWith({
 						id: @doc_id
 						lines: @lines
 						version: @version
 						ops: @ops
-					}))
+						ranges: @ranges
+						pathname: @pathname
+					})
 					.should.equal true

 			it "should log the request", ->