Merge pull request #55 from sharelatex/bg-avoid-text-html-content-type-in-responses

use explicit json content-type to avoid security issues with text/html
This commit is contained in:
Brian Gough 2019-02-22 10:20:16 +00:00 committed by GitHub
commit 60cee0a219
2 changed files with 7 additions and 6 deletions

View file

@ -79,7 +79,7 @@ module.exports = HttpController =
logger.log {project_id, doc_id, from, to}, "getting diff"
DiffManager.getDiff project_id, doc_id, from, to, (error, diff) ->
return next(error) if error?
res.send JSON.stringify(diff: diff)
res.json {diff: diff}
getUpdates: (req, res, next = (error) ->) ->
project_id = req.params.project_id
@ -91,9 +91,10 @@ module.exports = HttpController =
UpdatesManager.getSummarizedProjectUpdates project_id, before: before, min_count: min_count, (error, updates, nextBeforeTimestamp) ->
return next(error) if error?
res.send JSON.stringify
res.json {
updates: updates
nextBeforeTimestamp: nextBeforeTimestamp
}
restore: (req, res, next = (error) ->) ->
{doc_id, project_id, version} = req.params

View file

@ -71,7 +71,7 @@ describe "HttpController", ->
from: @from.toString()
to: @to.toString()
@res =
send: sinon.stub()
json: sinon.stub()
@diff = [ u: "mock-diff" ]
@DiffManager.getDiff = sinon.stub().callsArgWith(4, null, @diff)
@HttpController.getDiff @req, @res, @next
@ -82,7 +82,7 @@ describe "HttpController", ->
.should.equal true
it "should return the diff", ->
@res.send.calledWith(JSON.stringify(diff: @diff)).should.equal true
@res.json.calledWith({diff: @diff}).should.equal true
describe "getUpdates", ->
beforeEach ->
@ -96,7 +96,7 @@ describe "HttpController", ->
before: @before.toString()
min_count: @min_count.toString()
@res =
send: sinon.stub()
json: sinon.stub()
@updates = ["mock-summarized-updates"]
@UpdatesManager.getSummarizedProjectUpdates = sinon.stub().callsArgWith(2, null, @updates, @nextBeforeTimestamp)
@HttpController.getUpdates @req, @res, @next
@ -107,7 +107,7 @@ describe "HttpController", ->
.should.equal true
it "should return the formatted updates", ->
@res.send.calledWith(JSON.stringify(updates: @updates, nextBeforeTimestamp: @nextBeforeTimestamp)).should.equal true
@res.json.calledWith({updates: @updates, nextBeforeTimestamp: @nextBeforeTimestamp}).should.equal true
describe "RestoreManager", ->
beforeEach ->