public-offering
/
pad.pub0.org
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

ImportEtherpad: Reject unknown DB records

pull/5304/head
Richard Hansen 2021-11-25 02:05:09 -05:00
parent 8e9bc8d325
commit 00fc7c8e86
2 changed files with 16 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
src/node/utils/ImportEtherpad.js
View File

@ -53,17 +53,18 @@ exports.setPadRaw = async (padId, r) => {
return; return;
} }
value.padIDs = {[padId]: 1}; value.padIDs = {[padId]: 1};
} else { } else if (padKeyPrefixes.includes(prefix)) {
if (prefix === 'pad' && keyParts.length === 2 && value.pool) { if (prefix === 'pad' && keyParts.length === 2 && value.pool) {
for (const attrib of Object.keys(value.pool.numToAttrib)) { for (const attrib of Object.keys(value.pool.numToAttrib)) {
const attribName = value.pool.numToAttrib[attrib][0]; const attribName = value.pool.numToAttrib[attrib][0];
if (!supportedElems.has(attribName)) unsupportedElements.add(attribName); if (!supportedElems.has(attribName)) unsupportedElements.add(attribName);
} }
} }
if (padKeyPrefixes.includes(prefix)) {
keyParts[1] = padId; keyParts[1] = padId;
key = keyParts.join(':'); key = keyParts.join(':');
} } else {
logger.warn(`(pad ${padId}) Ignoring record with unsupported key: ${key}`);
return;
} }
await db.set(key, value); await db.set(key, value);
})); }));

10
src/tests/backend/specs/ImportEtherpad.js
View File

@ -2,6 +2,7 @@
const assert = require('assert').strict; const assert = require('assert').strict;
const authorManager = require('../../../node/db/AuthorManager'); const authorManager = require('../../../node/db/AuthorManager');
const db = require('../../../node/db/DB');
const importEtherpad = require('../../../node/utils/ImportEtherpad'); const importEtherpad = require('../../../node/utils/ImportEtherpad');
const padManager = require('../../../node/db/PadManager'); const padManager = require('../../../node/db/PadManager');
const {randomString} = require('../../../static/js/pad_utils'); const {randomString} = require('../../../static/js/pad_utils');
@ -52,6 +53,15 @@ describe(__filename, function () {
assert(!await padManager.doesPadExist(padId)); assert(!await padManager.doesPadExist(padId));
}); });
it('unknown db records are ignored', async function () {
const badKey = `maliciousDbKey${randomString(10)}`;
await importEtherpad.setPadRaw(padId, JSON.stringify({
[badKey]: 'value',
...makeExport(makeAuthorId()),
}));
assert(await db.get(badKey) == null);
});
describe('author pad IDs', function () { describe('author pad IDs', function () {
let existingAuthorId; let existingAuthorId;
let newAuthorId; let newAuthorId;