fix(http): escape req.query.to in replaceTemplates

This commit is contained in:
Joe Previte 2021-06-30 10:39:48 -07:00
parent 2ba03c3424
commit c0e123a801
No known key found for this signature in database
GPG Key ID: 2C91590C6B742C24
3 changed files with 10 additions and 7 deletions

View File

@ -7,7 +7,7 @@ import { normalize, Options } from "../common/util"
import { AuthType, DefaultedArgs } from "./cli"
import { commit, rootPath } from "./constants"
import { Heart } from "./heart"
import { getPasswordMethod, IsCookieValidArgs, isCookieValid, sanitizeString } from "./util"
import { getPasswordMethod, IsCookieValidArgs, isCookieValid, sanitizeString, escapeHtml } from "./util"
declare global {
// eslint-disable-next-line @typescript-eslint/no-namespace
@ -35,7 +35,7 @@ export const replaceTemplates = <T extends object>(
...extraOpts,
}
return content
.replace(/{{TO}}/g, (typeof req.query.to === "string" && req.query.to) || "/")
.replace(/{{TO}}/g, (typeof req.query.to === "string" && escapeHtml(req.query.to)) || "/")
.replace(/{{BASE}}/g, options.base)
.replace(/{{CS_STATIC_BASE}}/g, options.csStaticBase)
.replace(/"{{OPTIONS}}"/, `'${JSON.stringify(options)}'`)

View File

@ -112,7 +112,7 @@ router.post("/", async (req, res) => {
throw new Error("Incorrect password")
} catch (error) {
const htmlToRender = await getRoot(req, error)
res.send(htmlToRender)
const renderedHtml = await getRoot(req, error)
res.send(renderedHtml)
}
})

View File

@ -1,8 +1,7 @@
import { RateLimiter } from "../../../src/node/routes/login"
import * as httpserver from "../../utils/httpserver"
import * as integration from "../../utils/integration"
import { RateLimiter } from "../../../src/node/routes/login"
describe("login", () => {
describe("RateLimiter", () => {
it("should allow one try ", () => {
@ -56,8 +55,12 @@ describe("login", () => {
_codeServer = await integration.setup(["--auth=password"], "")
})
afterEach(() => {
afterEach(async () => {
process.env.PASSWORD = previousEnvPassword
if (_codeServer) {
await _codeServer.close()
_codeServer = undefined
}
})
it("should return HTML with 'Missing password' message", async () => {