Merge pull request #45 from sharelatex/bg-avoid-text-html-content-type-in-responses

Use an explicit JSON content type to avoid security issues with text/html
This commit is contained in:
Brian Gough 2019-02-22 09:24:30 +00:00 committed by GitHub
commit 11f07d1f09
2 changed files with 11 additions and 8 deletions


@ -25,7 +25,7 @@ module.exports = HttpController =
logger.log project_id: project_id, doc_id: doc_id, "got doc via http" logger.log project_id: project_id, doc_id: doc_id, "got doc via http"
if !lines? or !version? if !lines? or !version?
return next(new Errors.NotFoundError("document not found")) return next(new Errors.NotFoundError("document not found"))
res.send JSON.stringify res.json
id: doc_id id: doc_id
lines: lines lines: lines
version: version version: version
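Review bot: The switch to `res.json` on the fourth line of the hunk carries the security rationale of this change, but nothing in the code records it, so a later edit could quietly revert to `res.send JSON.stringify` and reintroduce a text/html response that a browser may render, markup inside `lines` included. Add a comment above it: `# res.json sets Content-Type: application/json; res.send of a string defaults to text/html (PR #45)`. Note that `res.json` also honours the app-level `json replacer` and `json spaces` settings, which the explicit `JSON.stringify` did not, so the body bytes can differ if those are configured; harmless for JSON consumers but worth knowing. The getDoc handler and the object literal after `version: version` continue outside the hunk.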


@ -22,6 +22,7 @@ describe "HttpController", ->
@next = sinon.stub() @next = sinon.stub()
@res = @res =
send: sinon.stub() send: sinon.stub()
json: sinon.stub()
describe "getDoc", -> describe "getDoc", ->
beforeEach -> beforeEach ->
@ -47,15 +48,15 @@ describe "HttpController", ->
.should.equal true .should.equal true
it "should return the doc as JSON", -> it "should return the doc as JSON", ->
@res.send @res.json
.calledWith(JSON.stringify({ .calledWith({
id: @doc_id id: @doc_id
lines: @lines lines: @lines
version: @version version: @version
ops: [] ops: []
ranges: @ranges ranges: @ranges
pathname: @pathname pathname: @pathname
})) })
.should.equal true .should.equal true
it "should log the request", -> it "should log the request", ->
@ -68,7 +69,7 @@ describe "HttpController", ->
describe "when recent ops are requested", -> describe "when recent ops are requested", ->
beforeEach -> beforeEach ->
@DocumentManager.getDocAndRecentOpsWithLock = sinon.stub().callsArgWith(3, null, @lines, @version, @ops) @DocumentManager.getDocAndRecentOpsWithLock = sinon.stub().callsArgWith(3, null, @lines, @version, @ops, @ranges, @pathname)
@req.query = fromVersion: "#{@fromVersion}" @req.query = fromVersion: "#{@fromVersion}"
@HttpController.getDoc(@req, @res, @next) @HttpController.getDoc(@req, @res, @next)
@ -78,13 +79,15 @@ describe "HttpController", ->
.should.equal true .should.equal true
it "should return the doc as JSON", -> it "should return the doc as JSON", ->
@res.send @res.json
.calledWith(JSON.stringify({ .calledWith({
id: @doc_id id: @doc_id
lines: @lines lines: @lines
version: @version version: @version
ops: @ops ops: @ops
})) ranges: @ranges
pathname: @pathname
})
.should.equal true .should.equal true
it "should log the request", -> it "should log the request", ->
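Review bot: The two `should return the doc as JSON` cases only show that `@res.json` was called with the expected object; because `@res.json` is a sinon stub (the line added after `send: sinon.stub()`), nothing here verifies the application/json Content-Type that is the point of this change. If an acceptance test runs against the real Express app, that is where the header should be asserted; within this unit test, also add `@res.send.called.should.equal false` to each JSON case so a regression to `res.send` of a string fails explicitly rather than only through the `calledWith` mismatch. The `send` stub on `@res` appears unused by these cases after the change and could be dropped if no remaining test relies on it.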