From 00fc7c8e86802f6e624c98fc826f600e14e12155 Mon Sep 17 00:00:00 2001
From: Richard Hansen <rhansen@rhansen.org>
Date: Thu, 25 Nov 2021 02:05:09 -0500
Subject: [PATCH] ImportEtherpad: Reject unknown DB records

---
 src/node/utils/ImportEtherpad.js          | 11 ++++++-----
 src/tests/backend/specs/ImportEtherpad.js | 10 ++++++++++
 2 files changed, 16 insertions(+), 5 deletions(-)

diff --git a/src/node/utils/ImportEtherpad.js b/src/node/utils/ImportEtherpad.js
index 714e1deb8..59a407e9d 100644
--- a/src/node/utils/ImportEtherpad.js
+++ b/src/node/utils/ImportEtherpad.js
@@ -53,17 +53,18 @@ exports.setPadRaw = async (padId, r) => {
         return;
       }
       value.padIDs = {[padId]: 1};
-    } else {
+    } else if (padKeyPrefixes.includes(prefix)) {
       if (prefix === 'pad' && keyParts.length === 2 && value.pool) {
         for (const attrib of Object.keys(value.pool.numToAttrib)) {
           const attribName = value.pool.numToAttrib[attrib][0];
           if (!supportedElems.has(attribName)) unsupportedElements.add(attribName);
         }
       }
-      if (padKeyPrefixes.includes(prefix)) {
-        keyParts[1] = padId;
-        key = keyParts.join(':');
-      }
+      keyParts[1] = padId;
+      key = keyParts.join(':');
+    } else {
+      logger.warn(`(pad ${padId}) Ignoring record with unsupported key: ${key}`);
+      return;
     }
     await db.set(key, value);
   }));
diff --git a/src/tests/backend/specs/ImportEtherpad.js b/src/tests/backend/specs/ImportEtherpad.js
index c32cdb858..a339e9b4d 100644
--- a/src/tests/backend/specs/ImportEtherpad.js
+++ b/src/tests/backend/specs/ImportEtherpad.js
@@ -2,6 +2,7 @@
 
 const assert = require('assert').strict;
 const authorManager = require('../../../node/db/AuthorManager');
+const db = require('../../../node/db/DB');
 const importEtherpad = require('../../../node/utils/ImportEtherpad');
 const padManager = require('../../../node/db/PadManager');
 const {randomString} = require('../../../static/js/pad_utils');
@@ -52,6 +53,15 @@ describe(__filename, function () {
     assert(!await padManager.doesPadExist(padId));
   });
 
+  it('unknown db records are ignored', async function () {
+    const badKey = `maliciousDbKey${randomString(10)}`;
+    await importEtherpad.setPadRaw(padId, JSON.stringify({
+      [badKey]: 'value',
+      ...makeExport(makeAuthorId()),
+    }));
+    assert(await db.get(badKey) == null);
+  });
+
   describe('author pad IDs', function () {
     let existingAuthorId;
     let newAuthorId;