Sanitize resource path along with rootResourcePath
parent
373d9e02da
commit
4c04a5df3f
2 changed files with 19 additions and 3 deletions
|
@ -42,7 +42,13 @@ module.exports = RequestParser =
|
|||
compile.rootResourcePath
|
||||
default: "main.tex"
|
||||
type: "string"
|
||||
response.rootResourcePath = RequestParser._sanitizePath(rootResourcePath)
|
||||
originalRootResourcePath = rootResourcePath
|
||||
sanitizedRootResourcePath = RequestParser._sanitizePath(rootResourcePath)
|
||||
response.rootResourcePath = sanitizedRootResourcePath
|
||||
|
||||
for resource in response.resources
|
||||
if resource.path == originalRootResourcePath
|
||||
resource.path = sanitizedRootResourcePath
|
||||
catch error
|
||||
return callback error
|
||||
|
||||
|
|
|
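Review bot: The loop after `response.rootResourcePath = sanitizedRootResourcePath` rewrites only the resource whose `path` equals the original root path, so every other entry in `response.resources` keeps the characters `_sanitizePath` would have stripped. If those paths reach the same consumer that made sanitizing the root path necessary (not visible here), they need the same treatment: either `resource.path = RequestParser._sanitizePath(resource.path)` for each resource, or rejecting a request whose paths change under sanitization. The renamed resource can also end up sharing a path with another resource that already had the sanitized name, so a check or a comment on which one wins would help. The enclosing `try` starts outside the hunk.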
@ -206,11 +206,21 @@ describe "RequestParser", ->
|
|||
|
||||
describe "with a root resource path that needs escaping", ->
|
||||
beforeEach ->
|
||||
@validRequest.compile.rootResourcePath = "`rm -rf foo`.tex"
|
||||
@badPath = "`rm -rf foo`.tex"
|
||||
@goodPath = "rm -rf foo.tex"
|
||||
@validRequest.compile.rootResourcePath = @badPath
|
||||
@validRequest.compile.resources.push {
|
||||
path: @badPath
|
||||
date: "12:00 01/02/03"
|
||||
content: "Hello world"
|
||||
}
|
||||
@RequestParser.parse @validRequest, @callback
|
||||
@data = @callback.args[0][1]
|
||||
|
||||
it "should return the escaped resource", ->
|
||||
@data.rootResourcePath.should.equal "rm -rf foo.tex"
|
||||
@data.rootResourcePath.should.equal @goodPath
|
||||
|
||||
it "should also escape the resource path", ->
|
||||
@data.resources[0].path.should.equal @goodPath
|
||||
|
||||
|
||||
|
|
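Review bot: `@data.resources[0].path` only checks the pushed resource if `@validRequest.compile.resources` is empty before the `push`. The fixture is defined outside this hunk, so confirm that or select the resource explicitly, e.g. `@data.resources[@data.resources.length - 1].path.should.equal @goodPath`. A second case with a resource whose path differs from the root path would pin down whether non-root paths are meant to pass through unchanged.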