Sanitize resource path along with rootResourcePath

2024-11-21 20:47:08 -05:00 · 2016-09-21 15:09:01 +01:00 · 2016-09-21 15:09:01 +01:00 · 4c04a5df3f
commit 4c04a5df3f
parent 373d9e02da
2 changed files with 19 additions and 3 deletions
--- a/services/clsi/app/coffee/RequestParser.coffee
+++ b/services/clsi/app/coffee/RequestParser.coffee
@ -42,7 +42,13 @@ module.exports = RequestParser =
 				compile.rootResourcePath
 				default: "main.tex"
 				type: "string"
-			response.rootResourcePath = RequestParser._sanitizePath(rootResourcePath)
+			originalRootResourcePath = rootResourcePath
+			sanitizedRootResourcePath = RequestParser._sanitizePath(rootResourcePath)
+			response.rootResourcePath = sanitizedRootResourcePath
+			
+			for resource in response.resources
+				if resource.path == originalRootResourcePath
+					resource.path = sanitizedRootResourcePath
 		catch error
 			return callback error

--- a/services/clsi/test/unit/coffee/RequestParserTests.coffee
+++ b/services/clsi/test/unit/coffee/RequestParserTests.coffee
@ -206,11 +206,21 @@ describe "RequestParser", ->

 	describe "with a root resource path that needs escaping", ->
 		beforeEach ->
-			@validRequest.compile.rootResourcePath = "`rm -rf foo`.tex"
+			@badPath = "`rm -rf foo`.tex"
+			@goodPath = "rm -rf foo.tex"
+			@validRequest.compile.rootResourcePath = @badPath
+			@validRequest.compile.resources.push {
+				path: @badPath
+				date: "12:00 01/02/03"
+				content: "Hello world"
+			}
 			@RequestParser.parse @validRequest, @callback
 			@data = @callback.args[0][1]
 			
 		it "should return the escaped resource", ->
-			@data.rootResourcePath.should.equal "rm -rf foo.tex"
+			@data.rootResourcePath.should.equal @goodPath
+			
+		it "should also escape the resource path", ->
+			@data.resources[0].path.should.equal @goodPath