From 8c5d74faefca26e5f63e739cd19822edb07495e1 Mon Sep 17 00:00:00 2001
From: Brian Gough
Date: Tue, 12 Feb 2019 16:45:11 +0000
Subject: [PATCH] use explicit json content-type to avoid security issues with text/html

---
 .../app/coffee/HttpController.coffee | 2 +-
 .../HttpController/HttpControllerTests.coffee | 17 ++++++++++-------
 2 files changed, 11 insertions(+), 8 deletions(-)

diff --git a/services/document-updater/app/coffee/HttpController.coffee b/services/document-updater/app/coffee/HttpController.coffee
index 93f915d662..d0e8e1994b 100644
--- a/services/document-updater/app/coffee/HttpController.coffee
+++ b/services/document-updater/app/coffee/HttpController.coffee
@@ -25,7 +25,7 @@ module.exports = HttpController =
 logger.log project_id: project_id, doc_id: doc_id, "got doc via http"
 if !lines? or !version?
 return next(new Errors.NotFoundError("document not found"))
- res.send JSON.stringify
+ res.json
 id: doc_id
 lines: lines
 version: version
diff --git a/services/document-updater/test/unit/coffee/HttpController/HttpControllerTests.coffee b/services/document-updater/test/unit/coffee/HttpController/HttpControllerTests.coffee
index ab6718c12a..15b9142647 100644
--- a/services/document-updater/test/unit/coffee/HttpController/HttpControllerTests.coffee
+++ b/services/document-updater/test/unit/coffee/HttpController/HttpControllerTests.coffee
@@ -22,6 +22,7 @@ describe "HttpController", ->
 @next = sinon.stub()
 @res =
 send: sinon.stub()
+ json: sinon.stub()
 
 describe "getDoc", ->
 beforeEach ->
@@ -47,15 +48,15 @@ describe "HttpController", ->
 .should.equal true
 
 it "should return the doc as JSON", ->
- @res.send
- .calledWith(JSON.stringify({
+ @res.json
+ .calledWith({
 id: @doc_id
 lines: @lines
 version: @version
 ops: []
 ranges: @ranges
 pathname: @pathname
- }))
+ })
 .should.equal true
 
 it "should log the request", ->
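Review bot: The switch to `res.json` corrects the Content-Type for getDoc only; any sibling handler in this controller that still serializes with `res.send JSON.stringify` would keep answering as text/html, so the file is worth a grep for that pattern before merging (it is not visible in this hunk). Because the fix rests on a response header rather than on the body, setting `X-Content-Type-Options: nosniff` at the application level would be a cheap second layer so a client cannot reinterpret a JSON body if a route regresses. getDoc starts and ends outside this hunk, so the remaining fields of the response object (the tests suggest ops, ranges and pathname) cannot be reviewed here.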
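Review bot: The rewritten "should return the doc as JSON" assertion only checks that `res.json` was called with the expected object; since `json` is a sinon stub, nothing in the suite verifies that the response is actually emitted as `application/json`, which is the property the commit title is about. That cannot be covered through a stubbed `res`, so an acceptance-level test that fetches a doc and asserts on the `Content-Type` header would close the gap; the same applies to the recent-ops variant in the `@@ -78,13 +79,15 @@` hunk. The enclosing describe block starts outside this hunk.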
@@ -68,7 +69,7 @@ describe "HttpController", ->
 
 describe "when recent ops are requested", ->
 beforeEach ->
- @DocumentManager.getDocAndRecentOpsWithLock = sinon.stub().callsArgWith(3, null, @lines, @version, @ops)
+ @DocumentManager.getDocAndRecentOpsWithLock = sinon.stub().callsArgWith(3, null, @lines, @version, @ops, @ranges, @pathname)
 @req.query = fromVersion: "#{@fromVersion}"
 @HttpController.getDoc(@req, @res, @next)
@@ -78,13 +79,15 @@ describe "HttpController", ->
 .should.equal true
 
 it "should return the doc as JSON", ->
- @res.send
- .calledWith(JSON.stringify({
+ @res.json
+ .calledWith({
 id: @doc_id
 lines: @lines
 version: @version
 ops: @ops
- }))
+ ranges: @ranges
+ pathname: @pathname
+ })
 .should.equal true
 
 it "should log the request", ->