Sanitize rootResourcePath

James Allen 2015-02-11 12:03:36 +00:00
parent 1f8ddac27d
commit 561ce7dc60
2 changed files with 13 additions and 2 deletions


@ -27,10 +27,12 @@ module.exports = RequestParser =
response.timeout = response.timeout * 1000 # milliseconds
response.resources = (@_parseResource(resource) for resource in (compile.resources or []))
response.rootResourcePath = @_parseAttribute "rootResourcePath",
rootResourcePath = @_parseAttribute "rootResourcePath",
compile.rootResourcePath
default: "main.tex"
type: "string"
response.rootResourcePath = RequestParser._sanitizePath(rootResourcePath)
catch error
return callback error
@ -72,3 +74,5 @@ module.exports = RequestParser =
throw "Default not implemented"
return attribute
_sanitizePath: (path) ->
path.replace(/[^a-zA-Z0-9_\-;.,\/ ]/g, "")
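Review bot: `_sanitizePath` keeps `.`, `/`, `;`, space and `-` in its allowlist, so a value with `..` segments, a leading `/` or a leading `-` comes back unchanged, and `;` survives as well. The call appears to sit inside the `try` whose `catch error` hands the error to the callback (the enclosing `parse` starts outside the hunk), so the value could be rejected instead of silently rewritten: `throw "rootResourcePath must be a relative path inside the project" if /(^|\/)\.\.(\/|$)/.test(path) or /^[\/\-]/.test(path)`. Stripping also turns one file name into another (non-ASCII names lose characters), so the result may no longer match the resource the client sent. Whether the value later reaches a shell command is not visible here; if it does, passing it as a separate argument is the sturdier fix and `;` should leave the allowlist.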


@ -204,6 +204,13 @@ describe "RequestParser", ->
@callback.calledWith("rootResourcePath attribute should be a string")
.should.equal true
describe "with a root resource path that needs escaping", ->
beforeEach ->
@validRequest.compile.rootResourcePath = "`rm -rf foo`.tex"
@RequestParser.parse @validRequest, @callback
@data = @callback.args[0][1]
it "should return the escaped resource", ->
@data.rootResourcePath.should.equal "rm -rf foo.tex"
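Review bot: The new case only exercises backticks, so nothing pins how the parser treats the characters the allowlist still lets through. Further cases for a value with a `..` segment, an absolute path and a name containing `;` would document the intended result either way, for example `@validRequest.compile.rootResourcePath = "../main.tex"` followed by an assertion on `@data.rootResourcePath` or on the callback error. The description `"should return the escaped resource"` would read more accurately as `"should strip disallowed characters"`, since the expected value shows characters being removed, not escaped.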