Merge pull request #2302 from Gared/create_pad_special_characters

Add check for special url characters to createPad API function
2015-04-11 14:56:26 +01:00 · 2015-04-11 14:56:26 +01:00 · 5ef22e649b
parent 27aa71f3a4 83094e0dfd
commit 5ef22e649b
3 changed files with 36 additions and 6 deletions
--- a/doc/api/http_api.md
+++ b/doc/api/http_api.md
@ -388,10 +388,12 @@ Group pads are normal pads, but with the name schema GROUPID$PADNAME. A security
 * API >= 1

 creates a new (non-group) pad.  Note that if you need to create a group Pad, you should call **createGroupPad**.
+You get an error message if you use one of the following characters in the padID: "/", "?", "&" or "#".

 *Example returns:*
  * `{code: 0, message:"ok", data: null}`
-  * `{code: 1, message:"pad does already exist", data: null}`
+  * `{code: 1, message:"padID does already exist", data: null}`
+  * `{code: 1, message:"malformed padID: Remove special characters", data: null}`

 #### getRevisionsCount(padID)
 * API >= 1
--- a/src/node/db/API.js
+++ b/src/node/db/API.js
@ -687,12 +687,21 @@ Example returns:
 exports.createPad = function(padID, text, callback)
 {  
  //ensure there is no $ in the padID
-  if(padID && padID.indexOf("$") != -1)
+  if(padID)
  {
-    callback(new customError("createPad can't create group pads","apierror"));
-    return;
+    if(padID.indexOf("$") != -1)
+    {
+      callback(new customError("createPad can't create group pads","apierror"));
+      return;
+    }
+    //check for url special characters
+    else if(padID.match(/(\/|\?|&|#)/))
+    {
+      callback(new customError("malformed padID: Remove special characters","apierror"));
+      return;
+    }
  }
-  
+
  //create pad
  getPadSafe(padID, false, text, function(err)
  {
--- a/tests/backend/specs/api/pad.js
+++ b/tests/backend/specs/api/pad.js
@ -2,7 +2,8 @@ var assert = require('assert')
 supertest = require(__dirname+'/../../../../src/node_modules/supertest'),
        fs = require('fs'),
       api = supertest('http://localhost:9001');
-      path = require('path');
+      path = require('path'),
+     async = require(__dirname+'/../../../../src/node_modules/async');

 var filePath = path.join(__dirname, '../../../../APIKEY.txt');

@ -80,6 +81,7 @@ describe('Permission', function(){
                               -> setHTML(padID) -- Should fail on invalid HTML
                                -> setHTML(padID) *3 -- Should fail on invalid HTML
                                 -> getHTML(padID) -- Should return HTML close to posted HTML
+                                  -> createPad -- Tries to create pads with bad url characters

 */

@ -494,6 +496,23 @@ describe('getHTML', function(){
  });
 })

+describe('createPad', function(){
+  it('errors if pad can be created', function(done) {
+    var badUrlChars = ["/", "%23", "%3F", "%26"];
+    async.map(
+      badUrlChars, 
+      function (badUrlChar, cb) {
+        api.get(endPoint('createPad')+"&padID="+badUrlChar)
+        .expect(function(res){
+          if(res.body.code !== 1) throw new Error("Pad with bad characters was created");
+        })
+        .expect('Content-Type', /json/)
+        .end(cb);
+      },
+      done);
+  });
+})
+

 /*
                          -> movePadForce Test