
Some more validations for improper Source Code (#1857)
* Moderators and above may still flag if this is abused further, and of course Admin+ may optionally remove content unannounced. These are covered in the TOS already. Try a preemptive strategy instead.

Post #1847 and applies to #657

Martii committed Nov 25, 2021
1 parent 8bcb318 commit d5313db
Showing 3 changed files with 83 additions and 2 deletions.
34 changes: 33 additions & 1 deletion controllers/discussion.js
Expand Up @@ -540,6 +540,12 @@ exports.createTopic = function (aReq, aRes, aNext) {
var content = aReq.body['comment-content'];
var userAgent = aReq.headers['user-agent'];

var parser = 'UserScript';
var rHeaderContent = new RegExp(
'^(?:\\uFEFF)?\/\/ ==' + parser + '==([\\s\\S]*?)^\/\/ ==\/'+ parser + '==', 'm'
);
var headerContent = null;

if (!category) {
aNext();
return;
Expand All @@ -566,6 +572,16 @@ exports.createTopic = function (aReq, aRes, aNext) {
return;
}

// Simple validation check
headerContent = rHeaderContent.exec(content);
if (headerContent) {
statusCodePage(aReq, aRes, aNext, {
statusCode: 403, // Forbidden
statusMessage: 'Source Code not allowed in Comment.'
});
return;
}

postTopic(authedUser, category.slug, topic, content, false, userAgent, function (aDiscussion) {
if (!aDiscussion) {
exports.newTopic(aReq, aRes, aNext);
Expand All @@ -591,19 +607,35 @@ exports.createComment = function (aReq, aRes, aNext) {
var content = aReq.body['comment-content'];
var userAgent = aReq.headers['user-agent'];

var parser = 'UserScript';
var rHeaderContent = new RegExp(
'^(?:\\uFEFF)?\/\/ ==' + parser + '==([\\s\\S]*?)^\/\/ ==\/'+ parser + '==', 'm'
);
var headerContent = null;

if (!aDiscussion) {
aNext();
return;
}

if (!content || !content.trim()) {
statusCodePage(aReq, aRes, aNext, {
statusCode: 403,
statusCode: 403, // Forbidden
statusMessage: 'You cannot post an empty comment to this discussion'
});
return;
}

// Simple validation check
headerContent = rHeaderContent.exec(content);
if (headerContent) {
statusCodePage(aReq, aRes, aNext, {
statusCode: 403, // Forbidden
statusMessage: 'Source Code not allowed in Comment.'
});
return;
}

postComment(authedUser, aDiscussion, content, false, userAgent, function (aDiscussion) {
if (!aDiscussion) {
statusCodePage(aReq, aRes, aNext, {
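Review bot: The `rHeaderContent` construction added after `var userAgent` in createTopic is repeated verbatim in createComment below and again in controllers/issue.js (open, comment) and controllers/script.js (edit), so five copies must stay in sync whenever the heuristic is tightened; a single shared predicate, e.g. `hasUserScriptHeader(aContent)` exported from ../libs/helpers (proposed name), would remove the duplication. Inside a string literal the `\/` sequences are no-ops (`'\/\/'` is just `//`) and `parser` is never reassigned, so each copy could instead be one module-level literal, `var rHeaderContent = /^(?:\uFEFF)?\/\/ ==UserScript==([\s\S]*?)^\/\/ ==\/UserScript==/m;`, compiled once rather than on every request. Because `parser` is fixed to 'UserScript', any other metadata block form the site may accept (if one exists) is not covered by this check; worth a comment on the regex stating that only the UserScript block is detected. Both createTopic and createComment start and end outside the visible hunks.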
34 changes: 33 additions & 1 deletion controllers/issue.js
Expand Up @@ -348,6 +348,12 @@ exports.open = function (aReq, aRes, aNext) {
var userAgent = aReq.headers['user-agent'];
var tasks = [];

var parser = 'UserScript';
var rHeaderContent = new RegExp(
'^(?:\\uFEFF)?\/\/ ==' + parser + '==([\\s\\S]*?)^\/\/ ==\/'+ parser + '==', 'm'
);
var headerContent = null;

// Session
options.authedUser = authedUser = modelParser.parseUser(authedUser);
options.isMod = authedUser && authedUser.isMod;
Expand Down Expand Up @@ -377,6 +383,16 @@ exports.open = function (aReq, aRes, aNext) {
return;
}

// Simple validation check
headerContent = rHeaderContent.exec(content);
if (headerContent) {
statusCodePage(aReq, aRes, aNext, {
statusCode: 403, // Forbidden
statusMessage: 'Source Code not allowed in Comment.'
});
return;
}

// Issue Submission
discussionLib.postTopic(authedUser, category.slug, topic, content, true, userAgent,
function (aDiscussion) {
Expand Down Expand Up @@ -419,19 +435,35 @@ exports.comment = function (aReq, aRes, aNext) {
var category = type + '/' + installNameBase + '/issues';
var topic = aReq.params.topic;

var parser = 'UserScript';
var rHeaderContent = new RegExp(
'^(?:\\uFEFF)?\/\/ ==' + parser + '==([\\s\\S]*?)^\/\/ ==\/'+ parser + '==', 'm'
);
var headerContent = null;

if (aErr || !aScript) {
aNext();
return;
}

if (!content || !content.trim()) {
statusCodePage(aReq, aRes, aNext, {
statusCode: 403,
statusCode: 403, // Forbidden
statusMessage: 'You cannot post an empty comment to this issue'
});
return;
}

// Simple validation check
headerContent = rHeaderContent.exec(content);
if (headerContent) {
statusCodePage(aReq, aRes, aNext, {
statusCode: 403, // Forbidden
statusMessage: 'Source Code not allowed in Comment.'
});
return;
}

discussionLib.findDiscussion(category, topic, function (aIssue) {
//
var authedUser = aReq.session.user;
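Review bot: In both exports.open and exports.comment the match result stored in `headerContent` is only tested for truthiness, so the capture group and the `headerContent` variable are dead weight; `if (rHeaderContent.test(content)) {` expresses the intent directly and drops the `var headerContent = null;` declaration (the same applies to the copies in controllers/discussion.js and controllers/script.js). With the `m` flag, the lazy `([\s\S]*?)` scans to the end of the body for every `// ==UserScript==` line that has no closer, so matching cost grows with body length times the number of openers; presumably harmless if comment length is bounded earlier in the pipeline, which these hunks do not show, so a short comment on the regex noting that bound would help. The `content` variable used in exports.open is declared above the hunk and both functions continue past the visible lines.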
17 changes: 17 additions & 0 deletions controllers/script.js
Expand Up @@ -29,6 +29,7 @@ var getFlaggedListForContent = require('./flag').getFlaggedListForContent;
//--- Library inclusions
// var scriptLib = require('../libs/script');

var statusCodePage = require('../libs/templateHelpers').statusCodePage;
var isSameOrigin = require('../libs/helpers').isSameOrigin;

var voteLib = require('../libs/vote');
Expand Down Expand Up @@ -438,6 +439,12 @@ exports.edit = function (aReq, aRes, aNext) {
var scriptGroups = null;
var tasks = [];

var parser = 'UserScript';
var rHeaderContent = new RegExp(
'^(?:\\uFEFF)?\/\/ ==' + parser + '==([\\s\\S]*?)^\/\/ ==\/'+ parser + '==', 'm'
);
var headerContent = null;

// ---
if (aErr || !aScript) {
aNext();
Expand Down Expand Up @@ -474,6 +481,16 @@ exports.edit = function (aReq, aRes, aNext) {
// POST
aScript.about = aReq.body.about;

// Simple validation check
headerContent = rHeaderContent.exec(aScript.about);
if (headerContent) {
statusCodePage(aReq, aRes, aNext, {
statusCode: 403, // Forbidden
statusMessage: 'Source Code not allowed in Script Info.'
});
return;
}

remark().use(stripHTML).use(stripMD).process(aScript.about, function(aErr, aFile) {
if (aErr || !aFile) {
aScript._about = (
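Review bot: In exports.edit the request field is written into the model (`aScript.about = aReq.body.about;`) before the new check rejects it, so on a 403 the in-memory `aScript` carries the rejected text; whether anything later persists it is not visible here, but validating first is safer: test `aReq.body.about` and only then assign `aScript.about = aReq.body.about;`. Note that when `about` is absent `exec(undefined)` matches against the string "undefined" and returns null without throwing, so no extra guard is needed for that case, but a comment saying so would save the next reader the same check. The `// Simple validation check` comment is fine as far as it goes; it should add that only a complete `==UserScript==`…`==/UserScript==` block is detected. exports.edit starts before and ends after the visible hunk.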
