From e96f7df704ee6a3f43e487c24616bde89232ac72 Mon Sep 17 00:00:00 2001
From: Jakob Ackermann
Date: Thu, 1 Sep 2022 10:51:46 +0100
Subject: [PATCH] Merge pull request #9475 from overleaf/jpa-ta-clsi-root-doc-path
[clsi] remove stripping of characters from the root doc path
GitOrigin-RevId: 18a8a5c66eecc1cf21aa202180720707d27671ea
---
 services/clsi/app/js/RequestParser.js | 17 +------------
 .../clsi/test/unit/js/RequestParserTests.js | 25 +------------------
 2 files changed, 2 insertions(+), 40 deletions(-)
diff --git a/services/clsi/app/js/RequestParser.js b/services/clsi/app/js/RequestParser.js
index 2b817b0aeb..a6eead0135 100644
--- a/services/clsi/app/js/RequestParser.js
+++ b/services/clsi/app/js/RequestParser.js
@@ -4,7 +4,6 @@ const VALID_COMPILERS = ['pdflatex', 'latex', 'xelatex', 'lualatex']
 const MAX_TIMEOUT = 600
 function parse(body, callback) {
- let resource
 const response = {}
 if (body.compile == null) {
@@ -127,15 +126,7 @@ function parse(body, callback) {
 type: 'string',
 }
 )
- const originalRootResourcePath = rootResourcePath
- const sanitizedRootResourcePath = _sanitizePath(rootResourcePath)
- response.rootResourcePath = _checkPath(sanitizedRootResourcePath)
-
- for (resource of response.resources) {
- if (resource.path === originalRootResourcePath) {
- resource.path = sanitizedRootResourcePath
- }
- }
+ response.rootResourcePath = _checkPath(rootResourcePath)
 } catch (error1) {
 const error = error1
 return callback(error)
@@ -204,12 +195,6 @@ function _parseAttribute(name, attribute, options) {
 return attribute
 }
-function _sanitizePath(path) {
- // See http://php.net/manual/en/function.escapeshellcmd.php
- // eslint-disable-next-line no-control-regex
- return path.replace(/[#&;`|*?~<>^()[\]{}$\\\x0A\xFF\x00]/g, '')
-}
-
 function _checkPath(path) {
 // check that the request does not use a relative path
 for (const dir of Array.from(path.split('/'))) {
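Review bot: In the `@@ -127,15 +126,7 @@` hunk, `response.rootResourcePath = _checkPath(rootResourcePath)` now forwards shell metacharacters, newlines and NUL bytes unchanged, and the only guard left on this value in the patch is `_checkPath`, whose comment says it checks for relative paths. That is sound only if every consumer treats the value as a plain filename or a single argv element and never builds a shell string from it; the patch does not show the consumers, so I would record the contract at the assignment, e.g. `// rootResourcePath is untrusted and unescaped: pass it as an argv element or fs path, never through a shell`. Silently stripping characters was a weak control and dropping it is reasonable, but control characters are arguably better rejected than passed on, for instance a `/[\x00-\x1f]/.test(path)` check in `_checkPath` that fails the request the same way a relative path does. Both `parse` and `_checkPath` continue outside the hunks shown.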
diff --git a/services/clsi/test/unit/js/RequestParserTests.js b/services/clsi/test/unit/js/RequestParserTests.js
index 1574a05c9d..4cf31a2b37 100644
--- a/services/clsi/test/unit/js/RequestParserTests.js
+++ b/services/clsi/test/unit/js/RequestParserTests.js
@@ -402,29 +402,6 @@ describe('RequestParser', function () {
 })
 })
- describe('with a root resource path that needs escaping', function () {
- beforeEach(function () {
- this.badPath = '`rm -rf foo`.tex'
- this.goodPath = 'rm -rf foo.tex'
- this.validRequest.compile.rootResourcePath = this.badPath
- this.validRequest.compile.resources.push({
- path: this.badPath,
- date: '12:00 01/02/03',
- content: 'Hello world',
- })
- this.RequestParser.parse(this.validRequest, this.callback)
- this.data = this.callback.args[0][1]
- })
-
- it('should return the escaped resource', function () {
- this.data.rootResourcePath.should.equal(this.goodPath)
- })
-
- it('should also escape the resource path', function () {
- this.data.resources[0].path.should.equal(this.goodPath)
- })
- })
-
 describe('with a root resource path that has a relative path', function () {
 beforeEach(function () {
 this.validRequest.compile.rootResourcePath = 'foo/../../bar.tex'
@@ -441,7 +418,7 @@ describe('RequestParser', function () {
 describe('with a root resource path that has unescaped + relative path', function () {
 beforeEach(function () {
- this.validRequest.compile.rootResourcePath = 'foo/#../bar.tex'
+ this.validRequest.compile.rootResourcePath = 'foo/../bar.tex'
 this.RequestParser.parse(this.validRequest, this.callback)
 this.data = this.callback.args[0][1]
 })
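Review bot: In the `@@ -441,7 +418,7 @@` hunk the case is still titled `with a root resource path that has unescaped + relative path`, but its input is now `'foo/../bar.tex'`, so it only repeats the relative-path case above it (`'foo/../../bar.tex'`) and the title no longer describes what is tested. With the "needs escaping" block deleted in the previous hunk, nothing pins the new pass-through behaviour either. I would keep one case that sends a path containing shell metacharacters and asserts it comes back unchanged for both the root path and the matching resource, e.g. `this.data.rootResourcePath.should.equal(this.badPath)` and `this.data.resources[0].path.should.equal(this.badPath)`, so a later reintroduction of stripping or a root/resource mismatch fails visibly. The describe block continues outside the hunk.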