use explicit json content-type to avoid security issues with text/html

This commit is contained in:
Brian Gough 2019-02-12 16:45:11 +00:00
parent fa40e2c95f
commit 8c5d74faef
2 changed files with 11 additions and 8 deletions

View file

@ -25,7 +25,7 @@ module.exports = HttpController =
logger.log project_id: project_id, doc_id: doc_id, "got doc via http"
if !lines? or !version?
return next(new Errors.NotFoundError("document not found"))
res.send JSON.stringify
res.json
id: doc_id
lines: lines
version: version

View file

@ -22,6 +22,7 @@ describe "HttpController", ->
@next = sinon.stub()
@res =
send: sinon.stub()
json: sinon.stub()
describe "getDoc", ->
beforeEach ->
@ -47,15 +48,15 @@ describe "HttpController", ->
.should.equal true
it "should return the doc as JSON", ->
@res.send
.calledWith(JSON.stringify({
@res.json
.calledWith({
id: @doc_id
lines: @lines
version: @version
ops: []
ranges: @ranges
pathname: @pathname
}))
})
.should.equal true
it "should log the request", ->
@ -68,7 +69,7 @@ describe "HttpController", ->
describe "when recent ops are requested", ->
beforeEach ->
@DocumentManager.getDocAndRecentOpsWithLock = sinon.stub().callsArgWith(3, null, @lines, @version, @ops)
@DocumentManager.getDocAndRecentOpsWithLock = sinon.stub().callsArgWith(3, null, @lines, @version, @ops, @ranges, @pathname)
@req.query = fromVersion: "#{@fromVersion}"
@HttpController.getDoc(@req, @res, @next)
@ -78,13 +79,15 @@ describe "HttpController", ->
.should.equal true
it "should return the doc as JSON", ->
@res.send
.calledWith(JSON.stringify({
@res.json
.calledWith({
id: @doc_id
lines: @lines
version: @version
ops: @ops
}))
ranges: @ranges
pathname: @pathname
})
.should.equal true
it "should log the request", ->