From 5133a867982d26d625c830a2f30f6a29a8225c13 Mon Sep 17 00:00:00 2001
From: webzwo0i
Date: Wed, 23 Dec 2020 21:23:49 +0100
Subject: [PATCH] enforece usage of require.define callback parameter for packages

---
 src/node/utils/caching_middleware.js      | 13 +++++++++++--
 tests/backend/specs/caching_middleware.js | 14 ++++++--------
 2 files changed, 17 insertions(+), 10 deletions(-)

diff --git a/src/node/utils/caching_middleware.js b/src/node/utils/caching_middleware.js
index 2a4f142b2..1f81d7522 100644
--- a/src/node/utils/caching_middleware.js
+++ b/src/node/utils/caching_middleware.js
@@ -21,6 +21,8 @@ const path = require('path');
 const zlib = require('zlib');
 const settings = require('./Settings');
 const existsSync = require('./path_exists');
+const queryString = require('querystring');
+const url = require('url');
 
 /*
  * The crypto module can be absent on reduced node installations.
@@ -89,9 +91,16 @@ CachingMiddleware.prototype = new function () {
     const old_res = {};
 
     const supportsGzip =
-      (req.get('Accept-Encoding') || '').indexOf('gzip') != -1;
+      (req.get('Accept-Encoding') || '').indexOf('gzip') !== -1;
+
+    const URL = url.parse(req.url);
+    const path = URL.pathname;
+    const query = queryString.parse(URL.query);
+
+    if (query.callback !== 'require.define') {
+      return res.sendStatus(400);
+    }
 
-    const path = require('url').parse(req.url).pathname;
     const cacheKey = generateCacheKey(path);
 
     fs.stat(`${CACHE_DIR}minified_${cacheKey}`, (error, stats) => {
diff --git a/tests/backend/specs/caching_middleware.js b/tests/backend/specs/caching_middleware.js
index c032c93bf..b1805e334 100644
--- a/tests/backend/specs/caching_middleware.js
+++ b/tests/backend/specs/caching_middleware.js
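Review bot: In the second hunk `const URL = url.parse(req.url);` shadows the global `URL` class, and `const path = URL.pathname;` keeps shadowing the module-level `path` require visible in the first hunk's header; both also route through the legacy `url`/`querystring` parsers the first hunk imports, where `new URL(req.url, 'http://localhost')` with `searchParams.getAll('callback')` would give the same pathname and query from one built-in. A rename alone already reads better: `const parsedUrl = url.parse(req.url);` / `const path = parsedUrl.pathname;` / `const query = queryString.parse(parsedUrl.query);`. The check itself is sound as a fail-closed allow-list: a repeated `callback` parameter parses to an array and is rejected by the strict comparison, so it should stay an exact match against the single permitted value rather than become a pattern. Since the 400 is the only place this contract is visible, a one-line comment above the `if` would help, e.g. `// only the require.define JSONP wrapper is accepted; any other callback value is refused with 400`. The enclosing request handler starts and ends outside the hunk.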
@@ -139,17 +139,16 @@ describe(__filename, function () {
       });
     });
 
-    // TODO should probably be 404
-    it('should 502 for unknown and known resources without jsonp callback', async function() {
+    it('should return 400 for unknown and known resources without jsonp callback', async function() {
       const missingCallbackUnknownFile = '/javascripts/lib/ep_etherpad-lite/static/js/ace2_inner2.js';
       const missingCallbackKnownFile = '/javascripts/lib/ep_etherpad-lite/static/js/ace2_inner.js';
       await agent.get(missingCallbackUnknownFile)
           .then((res) => {
-            assert.equal(res.statusCode, 502);
+            assert.equal(res.statusCode, 400);
           });
       await agent.get(missingCallbackKnownFile)
           .then((res) => {
-            assert.equal(res.statusCode, 502);
+            assert.equal(res.statusCode, 400);
           });
     });
 
@@ -272,17 +271,16 @@ describe(__filename, function () {
       });
     });
 
-    // TODO should probably be 404
-    it('should 502 for unknown and known resources without jsonp callback', async function() {
+    it('should return 400 for unknown and known resources without jsonp callback', async function() {
       const missingCallbackUnknownFile = '/javascripts/lib/ep_etherpad-lite/static/js/ace2_inner2.js';
       const missingCallbackKnownFile = '/javascripts/lib/ep_etherpad-lite/static/js/ace2_inner.js';
       await agent.get(missingCallbackUnknownFile)
           .then((res) => {
-            assert.equal(res.statusCode, 502);
+            assert.equal(res.statusCode, 400);
           });
       await agent.get(missingCallbackKnownFile)
           .then((res) => {
-            assert.equal(res.statusCode, 502);
+            assert.equal(res.statusCode, 400);
           });
     });
 
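Review bot: Both hunks only exercise the missing-parameter case, while the middleware change in this commit rejects any `callback` value other than `require.define`; a third request in each test, `` await agent.get(`${missingCallbackKnownFile}?callback=other`) `` asserting `res.statusCode` equals 400, would pin the wrong-value branch that the new status also covers. The same `it(...)` block appears verbatim in the second hunk (@@ -272), so the extra case would have to be added in both places or the block hoisted into a helper shared by the two describe() sections. As a style point on the rewritten assertions, `const res = await agent.get(...)` followed by `assert.equal(res.statusCode, 400)` is the usual shape in an async test and avoids mixing `await` with `.then()`. The enclosing describe() blocks of both hunks start and end outside the hunks.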