mirror of
https://github.com/overleaf/overleaf.git
synced 2024-12-28 07:52:10 +00:00
d720d6affa
[web] send explicit content type in responses GitOrigin-RevId: d5aeaba57a7d2fc053fbf5adc2299fb46e435341
47 lines
954 B
Bash
Executable file
47 lines
954 B
Bash
Executable file
#!/bin/bash
|
|
|
|
set -e
|
|
|
|
POTENTIAL_SEND_USAGE=$(\
|
|
grep \
|
|
--files-with-matches \
|
|
--recursive \
|
|
app.js \
|
|
app/ \
|
|
modules/*/app \
|
|
test/acceptance/ \
|
|
modules/*/test/acceptance/ \
|
|
--regex "\.send\b" \
|
|
--regex "\bsend(" \
|
|
)
|
|
HELPER_MODULE="app/src/infrastructure/Response.js"
|
|
if [[ "$POTENTIAL_SEND_USAGE" == "$HELPER_MODULE" ]]; then
|
|
exit 0
|
|
fi
|
|
|
|
for file in ${POTENTIAL_SEND_USAGE}; do
|
|
if [[ "$file" == "$HELPER_MODULE" ]]; then
|
|
continue
|
|
fi
|
|
|
|
cat <<MSG >&2
|
|
|
|
ERROR: $file contains a potential use of 'res.send'.
|
|
|
|
---
|
|
$(grep -n -C 3 "$file" --regex "\.send\b" --regex "\bsend(")
|
|
---
|
|
|
|
Using 'res.send' is prone to introducing XSS vulnerabilities.
|
|
|
|
Consider using 'res.json' or one of the helpers in $HELPER_MODULE.
|
|
|
|
If this is a false-positive, consider using a more specific name than 'send'
|
|
for your newly introduced function.
|
|
|
|
Links:
|
|
- https://github.com/overleaf/internal/issues/6268
|
|
|
|
MSG
|
|
exit 1
|
|
done
|