Some more validations for improper Source Code #1857

Merged
merged 1 commit into from
Nov 25, 2021
Merged
34 changes: 33 additions & 1 deletion controllers/discussion.js
Expand Up @@ -540,6 +540,12 @@ exports.createTopic = function (aReq, aRes, aNext) {
var content = aReq.body['comment-content'];
var userAgent = aReq.headers['user-agent'];

var parser = 'UserScript';
var rHeaderContent = new RegExp(
'^(?:\\uFEFF)?\/\/ ==' + parser + '==([\\s\\S]*?)^\/\/ ==\/'+ parser + '==', 'm'
);
var headerContent = null;

if (!category) {
aNext();
return;
Expand All @@ -566,6 +572,16 @@ exports.createTopic = function (aReq, aRes, aNext) {
return;
}

// Simple validation check
headerContent = rHeaderContent.exec(content);
if (headerContent) {
statusCodePage(aReq, aRes, aNext, {
statusCode: 403, // Forbidden
statusMessage: 'Source Code not allowed in Comment.'
});
return;
}

postTopic(authedUser, category.slug, topic, content, false, userAgent, function (aDiscussion) {
if (!aDiscussion) {
exports.newTopic(aReq, aRes, aNext);
Expand All @@ -591,19 +607,35 @@ exports.createComment = function (aReq, aRes, aNext) {
var content = aReq.body['comment-content'];
var userAgent = aReq.headers['user-agent'];

var parser = 'UserScript';
var rHeaderContent = new RegExp(
'^(?:\\uFEFF)?\/\/ ==' + parser + '==([\\s\\S]*?)^\/\/ ==\/'+ parser + '==', 'm'
);
var headerContent = null;

if (!aDiscussion) {
aNext();
return;
}

if (!content || !content.trim()) {
statusCodePage(aReq, aRes, aNext, {
statusCode: 403,
statusCode: 403, // Forbidden
statusMessage: 'You cannot post an empty comment to this discussion'
});
return;
}

// Simple validation check
headerContent = rHeaderContent.exec(content);
if (headerContent) {
statusCodePage(aReq, aRes, aNext, {
statusCode: 403, // Forbidden
statusMessage: 'Source Code not allowed in Comment.'
});
return;
}

postComment(authedUser, aDiscussion, content, false, userAgent, function (aDiscussion) {
if (!aDiscussion) {
statusCodePage(aReq, aRes, aNext, {
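Review bot: The header regex at L42-L44 is rebuilt by hand in createComment (L72-L74) and again in controllers/issue.js and controllers/script.js, so any tightening of the rule has to be applied in four places; because it is used without the `g`/`y` flags it carries no `lastIndex` state and can safely be one module-level constant shared from a helper, e.g. `var rHeaderContent = /^(?:\uFEFF)?\/\/ ==UserScript==([\s\S]*?)^\/\/ ==\/UserScript==/m;`. The check is also narrower than `// Simple validation check` suggests: it only fires on a complete block whose `// ==UserScript==` and `// ==/UserScript==` lines start at column 0 under the `m` flag, and the comparison is case-sensitive, so it is an anti-abuse nudge rather than a hard guarantee. If that scope is intended I would state it at the check site, `// Heuristic only: rejects a complete // ==UserScript== … // ==/UserScript== block anchored at line start; not a hard guarantee.` createTopic and createComment both start and end outside the hunks.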
34 changes: 33 additions & 1 deletion controllers/issue.js
Expand Up @@ -348,6 +348,12 @@ exports.open = function (aReq, aRes, aNext) {
var userAgent = aReq.headers['user-agent'];
var tasks = [];

var parser = 'UserScript';
var rHeaderContent = new RegExp(
'^(?:\\uFEFF)?\/\/ ==' + parser + '==([\\s\\S]*?)^\/\/ ==\/'+ parser + '==', 'm'
);
var headerContent = null;

// Session
options.authedUser = authedUser = modelParser.parseUser(authedUser);
options.isMod = authedUser && authedUser.isMod;
Expand Down Expand Up @@ -377,6 +383,16 @@ exports.open = function (aReq, aRes, aNext) {
return;
}

// Simple validation check
headerContent = rHeaderContent.exec(content);
if (headerContent) {
statusCodePage(aReq, aRes, aNext, {
statusCode: 403, // Forbidden
statusMessage: 'Source Code not allowed in Comment.'
});
return;
}

// Issue Submission
discussionLib.postTopic(authedUser, category.slug, topic, content, true, userAgent,
function (aDiscussion) {
Expand Down Expand Up @@ -419,19 +435,35 @@ exports.comment = function (aReq, aRes, aNext) {
var category = type + '/' + installNameBase + '/issues';
var topic = aReq.params.topic;

var parser = 'UserScript';
var rHeaderContent = new RegExp(
'^(?:\\uFEFF)?\/\/ ==' + parser + '==([\\s\\S]*?)^\/\/ ==\/'+ parser + '==', 'm'
);
var headerContent = null;

if (aErr || !aScript) {
aNext();
return;
}

if (!content || !content.trim()) {
statusCodePage(aReq, aRes, aNext, {
statusCode: 403,
statusCode: 403, // Forbidden
statusMessage: 'You cannot post an empty comment to this issue'
});
return;
}

// Simple validation check
headerContent = rHeaderContent.exec(content);
if (headerContent) {
statusCodePage(aReq, aRes, aNext, {
statusCode: 403, // Forbidden
statusMessage: 'Source Code not allowed in Comment.'
});
return;
}

discussionLib.findDiscussion(category, topic, function (aIssue) {
//
var authedUser = aReq.session.user;
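Review bot: `headerContent` at L115 and L145 is assigned from `exec` at L125 and L162 but its capture group is never read, so the extra variable and its `var headerContent = null;` declaration add nothing; `if (rHeaderContent.test(content)) {` states the intent directly, and the same simplification applies to the copies in controllers/discussion.js and controllers/script.js. In exports.open the rejected text is the body of a newly opened issue rather than a reply, so the 403 message `'Source Code not allowed in Comment.'` at L129 may read oddly to the submitter; `'Source Code not allowed in Issue.'` would mirror the `'Script Info.'` wording used in script.js. exports.open and exports.comment both start and end outside the hunks.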
17 changes: 17 additions & 0 deletions controllers/script.js
Expand Up @@ -29,6 +29,7 @@ var getFlaggedListForContent = require('./flag').getFlaggedListForContent;
//--- Library inclusions
// var scriptLib = require('../libs/script');

var statusCodePage = require('../libs/templateHelpers').statusCodePage;
var isSameOrigin = require('../libs/helpers').isSameOrigin;

var voteLib = require('../libs/vote');
Expand Down Expand Up @@ -438,6 +439,12 @@ exports.edit = function (aReq, aRes, aNext) {
var scriptGroups = null;
var tasks = [];

var parser = 'UserScript';
var rHeaderContent = new RegExp(
'^(?:\\uFEFF)?\/\/ ==' + parser + '==([\\s\\S]*?)^\/\/ ==\/'+ parser + '==', 'm'
);
var headerContent = null;

// ---
if (aErr || !aScript) {
aNext();
Expand Down Expand Up @@ -474,6 +481,16 @@ exports.edit = function (aReq, aRes, aNext) {
// POST
aScript.about = aReq.body.about;

// Simple validation check
headerContent = rHeaderContent.exec(aScript.about);
if (headerContent) {
statusCodePage(aReq, aRes, aNext, {
statusCode: 403, // Forbidden
statusMessage: 'Source Code not allowed in Script Info.'
});
return;
}

remark().use(stripHTML).use(stripMD).process(aScript.about, function(aErr, aFile) {
if (aErr || !aFile) {
aScript._about = (
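Review bot: At L200 the request body is copied onto the model before the check at L203, so by the time the 403 is sent `aScript.about` already holds the rejected text; whether that object is persisted afterwards depends on code outside the hunk, but validating the raw input first removes the question: run `headerContent = rHeaderContent.exec(aReq.body.about);` and the `if` block first, and only then `aScript.about = aReq.body.about;`. The `statusCodePage` require added at L181 is consistent with how the other controllers obtain it. exports.edit starts and ends outside the hunks.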