From 8ce13a6b1e37838fc13749454cc49c862ef9777f Mon Sep 17 00:00:00 2001
From: Henry Oswald
Date: Mon, 31 Mar 2014 16:46:28 +0100
Subject: [PATCH] changed xss lib to sanitize not validator
---
 .../Features/Editor/EditorController.coffee | 8 ++++----
 .../Features/User/UserRegistrationHandler.coffee | 4 ++--
 .../coffee/controllers/ProjectController.coffee | 6 +++---
 .../app/coffee/controllers/UserController.coffee | 16 ++++++++--------
 .../coffee/managers/CollaberationManager.coffee | 10 +++++-----
 services/web/app/coffee/models/Project.coffee | 4 ++--
 services/web/package.json | 3 ++-
 7 files changed, 26 insertions(+), 25 deletions(-)
diff --git a/services/web/app/coffee/Features/Editor/EditorController.coffee b/services/web/app/coffee/Features/Editor/EditorController.coffee
index c3cf4b6ac0..81084dc7e9 100644
--- a/services/web/app/coffee/Features/Editor/EditorController.coffee
+++ b/services/web/app/coffee/Features/Editor/EditorController.coffee
@@ -1,6 +1,6 @@
 logger = require('logger-sharelatex')
 Metrics = require('../../infrastructure/Metrics')
-sanitize = require('validator').sanitize
+sanitize = require('sanitizer')
 ProjectEditorHandler = require('../Project/ProjectEditorHandler')
 ProjectEntityHandler = require('../Project/ProjectEntityHandler')
 ProjectOptionsHandler = require('../Project/ProjectOptionsHandler')
@@ -163,7 +163,7 @@ module.exports = EditorController =
 addDoc: (project_id, folder_id, docName, docLines, sl_req_id, callback = (error, doc)->)->
 {callback, sl_req_id} = slReqIdHelper.getCallbackAndReqId(callback, sl_req_id)
- docName = sanitize(docName).xss()
+ docName = sanitize.escape(docName)
 logger.log sl_req_id:sl_req_id, "sending new doc to project #{project_id}"
 Metrics.inc "editor.add-doc"
 ProjectEntityHandler.addDoc project_id, folder_id, docName, docLines, sl_req_id, (err, doc, folder_id)=>
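Review bot: `docName = sanitize.escape(docName)` entity-encodes the name before it is persisted, so a document called `a&b.tex` is stored as `a&amp;b.tex`; entity encoding is an output concern and belongs at render time, where a template that already escapes will now double-encode the stored value, and any path or include reference built from the stored name may no longer match what the user typed. The previous `.xss()` filter returned a name stripped of markup, whereas `escape` keeps every character and changes its spelling, which is a different contract from what callers of addDoc appear to expect. Rejecting names that contain `<`, `>`, `&` or `"` (a validation error back to the caller) keeps the stored value faithful, and the same point applies to the addFile and addFolder hunks, the ProjectController apiNewProject hunk and the CollaberationManager renameEntity and distributMessage hunks. The body of addDoc continues past the hunk.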
@@ -172,7 +172,7 @@ module.exports = EditorController =
 addFile: (project_id, folder_id, fileName, path, sl_req_id, callback = (error, file)->)->
 {callback, sl_req_id} = slReqIdHelper.getCallbackAndReqId(callback, sl_req_id)
- fileName = sanitize(fileName).xss()
+ fileName = sanitize.escape(fileName)
 logger.log sl_req_id:sl_req_id, "sending new file to project #{project_id} with folderid: #{folder_id}"
 Metrics.inc "editor.add-file"
 ProjectEntityHandler.addFile project_id, folder_id, fileName, path, (err, fileRef, folder_id)=>
@@ -185,7 +185,7 @@ module.exports = EditorController =
 addFolder: (project_id, folder_id, folderName, sl_req_id, callback = (error, folder)->)->
 {callback, sl_req_id} = slReqIdHelper.getCallbackAndReqId(callback, sl_req_id)
- folderName = sanitize(folderName).xss()
+ folderName = sanitize.escape(folderName)
 logger.log "sending new folder to project #{project_id}"
 Metrics.inc "editor.add-folder"
 ProjectEntityHandler.addFolder project_id, folder_id, folderName, (err, folder, folder_id)=>
diff --git a/services/web/app/coffee/Features/User/UserRegistrationHandler.coffee b/services/web/app/coffee/Features/User/UserRegistrationHandler.coffee
index b39a239341..c6672f6adf 100644
--- a/services/web/app/coffee/Features/User/UserRegistrationHandler.coffee
+++ b/services/web/app/coffee/Features/User/UserRegistrationHandler.coffee
@@ -1,4 +1,4 @@
-sanitize = require('validator').sanitize
+sanitize = require('sanitizer')
 module.exports =
 validateEmail : (email) ->
@@ -13,7 +13,7 @@ module.exports =
 return hasZeroLength
 validateRegisterRequest : (req, callback)->
- email = sanitize(req.body.email).xss().trim().toLowerCase()
+ email = sanitize.escape(req.body.email).trim().toLowerCase()
 password = req.body.password
 username = email.match(/^[^@]*/)
 if username?
diff --git a/services/web/app/coffee/controllers/ProjectController.coffee b/services/web/app/coffee/controllers/ProjectController.coffee
index 918d746350..bb53b6ee20 100755
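Review bot: In validateRegisterRequest, `sanitize.escape(req.body.email)` rewrites the identity value instead of validating it: an `&` in the local part (legal in an address) is stored as `&amp;`, and every later lookup has to apply exactly the same transformation to find the record. This module already exposes a `validateEmail` method, so rejecting a malformed address and storing the trimmed, lower-cased original, `email = req.body.email.trim().toLowerCase()` followed by the format check, is the safer contract. If the `sanitizer` package's `escape` stringifies its argument (I believe it does), a request with no `email` field yields the literal string `"undefined"`, which then passes `.trim().toLowerCase()` silently; a presence check before the call would make that failure explicit. The body of validateRegisterRequest continues past the hunk.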
--- a/services/web/app/coffee/controllers/ProjectController.coffee
+++ b/services/web/app/coffee/controllers/ProjectController.coffee
@@ -1,6 +1,6 @@
 User = require('../models/User').User
 Project = require('../models/Project').Project
-sanitize = require('validator').sanitize
+sanitize = require('sanitizer')
 path = require "path"
 logger = require('logger-sharelatex')
 _ = require('underscore')
@@ -72,8 +72,8 @@ module.exports = class ProjectController
 apiNewProject: (req, res)->
 user = req.session.user
- projectName = sanitize(req.body.projectName).xss()
- template = sanitize(req.body.template).xss()
+ projectName = sanitize.escape(req.body.projectName)
+ template = sanitize.escape(req.body.template)
 logger.log user: user, type: template, name: projectName, "creating project"
 if template == 'example'
 projectCreationHandler.createExampleProject user._id, projectName, (err, project)->
diff --git a/services/web/app/coffee/controllers/UserController.coffee b/services/web/app/coffee/controllers/UserController.coffee
index dd066bfc4a..e00a075c37 100644
--- a/services/web/app/coffee/controllers/UserController.coffee
+++ b/services/web/app/coffee/controllers/UserController.coffee
@@ -1,5 +1,5 @@
 User = require('../models/User').User
-sanitize = require('validator').sanitize
+sanitize = require('sanitizer')
 fs = require('fs')
 _ = require('underscore')
 logger = require('logger-sharelatex')
@@ -95,8 +95,8 @@ module.exports =
 title: 'Password Reset',
 doRequestPasswordReset : (req, res, next = (error) ->)->
- email = sanitize(req.body.email).xss()
- email = sanitize(email).trim()
+ email = sanitize.escape(req.body.email)
+ email = sanitize.escape(email).trim()
 email = email.toLowerCase()
 logger.log email: email, "password reset requested"
 User.findOne {'email':email}, (err, user)->
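Review bot: In doRequestPasswordReset, `email = sanitize.escape(req.body.email)` followed by `email = sanitize.escape(email).trim()` escapes twice, so an address containing `&` becomes `&amp;amp;` and the `User.findOne {'email':email}` lookup a few lines below can never match a record that was stored with a single encoding at registration. The duplication is new in this commit: the old second call was a plain `sanitize(email).trim()` with no `.xss()`. Collapse the pair into `email = sanitize.escape(req.body.email).trim().toLowerCase()`, or, since the value is only used as a query key here, drop the escaping and validate the address format instead. The body of doRequestPasswordReset continues past the hunk.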
@@ -156,11 +156,11 @@ module.exports =
 metrics.inc "user.settings-update"
 User.findById req.session.user._id, (err, user)->
 if(user)
- user.first_name = sanitize(req.body.first_name).xss().trim()
- user.last_name = sanitize(req.body.last_name).xss().trim()
- user.ace.mode = sanitize(req.body.mode).xss().trim()
- user.ace.theme = sanitize(req.body.theme).xss().trim()
- user.ace.fontSize = sanitize(req.body.fontSize).xss().trim()
+ user.first_name = sanitize.escape(req.body.first_name).trim()
+ user.last_name = sanitize.escape(req.body.last_name).trim()
+ user.ace.mode = sanitize.escape(req.body.mode).trim()
+ user.ace.theme = sanitize.escape(req.body.theme).trim()
+ user.ace.fontSize = sanitize.escape(req.body.fontSize).trim()
 user.ace.autoComplete = req.body.autoComplete == "true"
 user.ace.spellCheckLanguage = req.body.spellCheckLanguage
 user.ace.pdfViewer = req.body.pdfViewer
diff --git a/services/web/app/coffee/managers/CollaberationManager.coffee b/services/web/app/coffee/managers/CollaberationManager.coffee
index ed3aadf87c..28fcb00795 100644
--- a/services/web/app/coffee/managers/CollaberationManager.coffee
+++ b/services/web/app/coffee/managers/CollaberationManager.coffee
@@ -1,7 +1,7 @@
 #this file is being slowly refactored out
 logger = require('logger-sharelatex')
-sanitize = require('validator').sanitize
+sanitize = require('sanitizer')
 projectHandler = require('../handlers/ProjectHandler')
 projectHandler = new projectHandler()
 SecurityManager = require('./SecurityManager')
@@ -21,7 +21,7 @@ module.exports = class CollaberationManager
 projectHandler.deleteProject project_id, callback
 renameEntity: (project_id, entity_id, entityType, newName, callback)->
- newName = sanitize(newName).xss()
+ newName = sanitize.escape(newName)
 metrics.inc "editor.rename-entity"
 logger.log entity_id:entity_id, entity_id:entity_id, entity_id:entity_id, "reciving new name for entity for project"
 projectHandler.renameEntity project_id, entity_id, entityType, newName, =>
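Review bot: The five `sanitize.escape(...).trim()` assignments in the settings hunk persist entity-encoded text, yet `user.ace.mode`, `user.ace.theme` and `user.ace.fontSize` are closed sets (editor mode and theme identifiers, a number) for which a membership test against the values the editor supports, and `parseInt(req.body.fontSize, 10)` for the size, is the stronger control; escaping neither validates them nor removes the need to encode on render. The adjacent `spellCheckLanguage` and `pdfViewer` assignments in the same hunk take their `req.body` values with no check at all, so the hunk leaves the field set inconsistently protected. `first_name` and `last_name` have the same stored-entity problem as the entity names in the EditorController hunks. The enclosing handler starts before the hunk.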
@@ -36,9 +36,9 @@ module.exports = class CollaberationManager
 callback?()
 renameProject: (project_id, window_id, newName, callback)->
- newName = sanitize(newName).xss()
+ newName = sanitize.escape(newName)
 projectHandler.renameProject project_id, window_id, newName, =>
- newName = sanitize(newName).xss()
+ newName = sanitize.escape(newName)
 EditorRealTimeController.emitToRoom project_id, 'projectNameUpdated', window_id, newName
 callback?()
@@ -48,7 +48,7 @@ module.exports = class CollaberationManager
 callback?()
 distributMessage: (project_id, client, message)->
- message = sanitize(message).xss()
+ message = sanitize.escape(message)
 metrics.inc "editor.instant-message"
 client.get "first_name", (err, first_name)=>
 EditorRealTimeController.emitToRoom project_id, 'reciveNewMessage', first_name, message
diff --git a/services/web/app/coffee/models/Project.coffee b/services/web/app/coffee/models/Project.coffee
index a009dc2a45..bf6a1c1c27 100644
--- a/services/web/app/coffee/models/Project.coffee
+++ b/services/web/app/coffee/models/Project.coffee
@@ -3,7 +3,7 @@ Settings = require 'settings-sharelatex'
 _ = require('underscore')
 FolderSchema = require('./Folder.js').FolderSchema
 logger = require('logger-sharelatex')
-sanitize = require('validator').sanitize
+sanitize = require('sanitizer')
 concreteObjectId = require('mongoose').Types.ObjectId
 Errors = require "../errors"
@@ -112,7 +112,7 @@ applyToAllFilesRecursivly = ProjectSchema.statics.applyToAllFilesRecursivly = (f
 ProjectSchema.methods.getSafeProjectName = ->
 safeProjectName = this.name.replace(new RegExp("\\W", "g"), '_')
- return sanitize(safeProjectName).xss()
+ return sanitize.escape(safeProjectName)
 conn = mongoose.createConnection(Settings.mongo.url, server: poolSize: Settings.mongo.poolSize || 10)
diff --git a/services/web/package.json b/services/web/package.json
index 4d08ecc1f2..c99ee441b0 100644
--- a/services/web/package.json
+++ b/services/web/package.json
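Review bot: In renameProject, `newName = sanitize.escape(newName)` runs a second time inside the `projectHandler.renameProject` callback on a value that was already escaped before the call, so the name broadcast via `projectNameUpdated` differs from the one handed to the handler whenever it contains `&`, `<`, `>` or `"` (`&amp;` becomes `&amp;amp;`); the old `.xss()` pair was presumably idempotent, which is why this did not show before. Removing the inner assignment so that `projectHandler.renameProject project_id, window_id, newName, =>` is followed directly by the `emitToRoom` line keeps the two values identical. In the Project.coffee getSafeProjectName hunk, the line above has already replaced every non-word character with `_`, so `sanitize.escape(safeProjectName)` has nothing left to escape and can be `return safeProjectName` with a comment stating that the `\W` replacement is what makes the name safe.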
@@ -9,7 +9,6 @@
 "express": "3.3.4",
 "mongoose": "3.6.19",
 "jade": "0.28.1",
- "validator": "0.4.22",
 "underscore": "1.4.4",
 "node-fs": "0.1.5",
 "rimraf": "2.1.2",
@@ -38,6 +37,8 @@
 "nodetime": "0.8.15",
 "mocha": "1.17.1",
 "redback": "0.3.7"
+ "redback": "0.3.7",
+ "sanitizer": "0.1.1"
 },
 "devDependencies": {
 "chai": "",
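Review bot: The second hunk leaves package.json unparseable: the context line `"redback": "0.3.7"` has no trailing comma and is immediately followed by the added `"redback": "0.3.7",`, so the result is a missing comma between two values (a JSON syntax error) plus a duplicated `redback` key. The intended edit is a `-`/`+` pair that turns the existing line into `"redback": "0.3.7",` and a single added line `"sanitizer": "0.1.1"`. The diffstat's `3 ++-` for this file is consistent with the flawed version (one deletion for `validator`, two additions, no deletion of the old redback line), so the mistake is in the committed content rather than in the rendering.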