Merge pull request #4 from nashe/jsonp_fix

Added a jsonp var checker
2018-04-03 10:29:52 +01:00 · 2018-04-03 10:29:52 +01:00 · 50bbcb87bb
parent 6c2135bf9a dd7894d3c9
commit 50bbcb87bb
2 changed files with 88 additions and 5 deletions
--- a/src/node/hooks/express/apicalls.js
+++ b/src/node/hooks/express/apicalls.js
@ -3,7 +3,7 @@ var apiLogger = log4js.getLogger("API");
 var clientLogger = log4js.getLogger("client");
 var formidable = require('formidable');
 var apiHandler = require('../../handler/APIHandler');
-var isVarName = require('is-var-name');
+var isValidJSONPName = require('./isValidJsonPName');

 //This is for making an api call, collecting all post information and passing it to the apiHandler
 var apiCaller = function(req, res, fields) {
@ -19,7 +19,7 @@ var apiCaller = function(req, res, fields) {
    apiLogger.info("RESPONSE, " + req.params.func + ", " + response);

    //is this a jsonp call, if yes, add the function call
-    if(req.query.jsonp && isVarName(req.query.jsonp))
+    if(req.query.jsonp && isValidJSONPName.check(req.query.jsonp))
      response = req.query.jsonp + "(" + response + ")";

    res._____send(response);
@ -46,7 +46,7 @@ exports.expressCreateServer = function (hook_name, args, cb) {

  //The Etherpad client side sends information about how a disconnect happened
  args.app.post('/ep/pad/connection-diagnostic-info', function(req, res) {
-    new formidable.IncomingForm().parse(req, function(err, fields, files) { 
+    new formidable.IncomingForm().parse(req, function(err, fields, files) {
      clientLogger.info("DIAGNOSTIC-INFO: " + fields.diagnosticInfo);
      res.end("OK");
    });
@ -54,7 +54,7 @@ exports.expressCreateServer = function (hook_name, args, cb) {

  //The Etherpad client side sends information about client side javscript errors
  args.app.post('/jserror', function(req, res) {
-    new formidable.IncomingForm().parse(req, function(err, fields, files) { 
+    new formidable.IncomingForm().parse(req, function(err, fields, files) {
      try {
        var data = JSON.parse(fields.errorInfo)
      }catch(e){
@ -64,7 +64,7 @@ exports.expressCreateServer = function (hook_name, args, cb) {
      res.end("OK");
    });
  });
-  
+
  //Provide a possibility to query the latest available API version
  args.app.get('/api', function (req, res) {
     res.json({"currentVersion" : apiHandler.latestApiVersion});
--- a/src/node/hooks/express/isValidJSONPName.js
+++ b/src/node/hooks/express/isValidJSONPName.js
@ -0,0 +1,83 @@
+const RESERVED_WORDS = [
+  'abstract',
+  'arguments',
+  'await',
+  'boolean',
+  'break',
+  'byte',
+  'case',
+  'catch',
+  'char',
+  'class',
+  'const',
+  'continue',
+  'debugger',
+  'default',
+  'delete',
+  'do',
+  'double',
+  'else',
+  'enum',
+  'eval',
+  'export',
+  'extends',
+  'false',
+  'final',
+  'finally',
+  'float',
+  'for',
+  'function',
+  'goto',
+  'if',
+  'implements',
+  'import',
+  'in',
+  'instanceof',
+  'int',
+  'interface',
+  'let',
+  'long',
+  'native',
+  'new',
+  'null',
+  'package',
+  'private',
+  'protected',
+  'public',
+  'return',
+  'short',
+  'static',
+  'super',
+  'switch',
+  'synchronized',
+  'this',
+  'throw',
+  'throws',
+  'transient',
+  'true',
+  'try',
+  'typeof',
+  'var',
+  'void',
+  'volatile',
+  'while',
+  'with',
+  'yield'
+];
+
+const regex = /^[a-zA-Z_$][0-9a-zA-Z_$]*(?:\[(?:".+"|\'.+\'|\d+)\])*?$/;
+
+module.exports.check = function(inputStr) {
+  var isValid = true;
+  inputStr.split(".").forEach(function(part) {
+    if (!regex.test(part)) {
+      isValid = false;
+    }
+
+    if (RESERVED_WORDS.indexOf(part) !== -1) {
+      isValid = false;
+    }
+  });
+
+  return isValid;
+}