From 255e99af3965eff599cefe8dffcacfc4f83f79dc Mon Sep 17 00:00:00 2001
From: Yarmo Mackenbach
Date: Mon, 12 Feb 2024 10:26:24 +0100
Subject: [PATCH] feat: escape parameters
---
 src/routes/profile.js | 171 ++++++++++++++++++++++++------------
 1 file changed, 97 insertions(+), 74 deletions(-)
diff --git a/src/routes/profile.js b/src/routes/profile.js
index 431c125..11b5edb 100644
--- a/src/routes/profile.js
+++ b/src/routes/profile.js
@@ -28,6 +28,7 @@ if any, to sign a "copyright disclaimer" for the program, if necessary.
 For more information on this, and how to apply and follow the GNU AGPL, see .
 */
 import express from 'express'
+import { param } from 'express-validator'
 import bodyParserImport from 'body-parser'
 import { rateLimit } from 'express-rate-limit'
 import { generateSignatureProfile, utils, generateWKDProfile, generateHKPProfile, generateAutoProfile, generateKeybaseProfile } from '../server/index.js'
@@ -60,90 +61,112 @@ if (process.env.ENABLE_EXPERIMENTAL_RATE_LIMITER) { { component: 'profile_rate_limiter', action: 'start' }) } -router.get('/sig', profileRateLimiter, (req, res) => { - res.render('profile', { isSignature: true, signature: null, meta: getMetaFromReq(req) }) -}) - -router.post('/sig', profileRateLimiter, bodyParser, async (req, res) => { - const data = await generateSignatureProfile(req.body.signature) - const title = utils.generatePageTitle('profile', data) - res.set('ariadne-identity-proof', data.identifier) - res.render('profile', { - title, - data: data instanceof Profile ? data.toJSON() : data, - isSignature: true, - signature: req.body.signature, - enable_message_encryption: false, - enable_signature_verification: false, - meta: getMetaFromReq(req) +router.get('/sig', + profileRateLimiter, + (req, res) => { + res.render('profile', { isSignature: true, signature: null, meta: getMetaFromReq(req) }) }) -}) -router.get('/wkd/:id', profileRateLimiter, async (req, res) => { - const data = await generateWKDProfile(req.params.id) - const title = utils.generatePageTitle('profile', data) - res.set('ariadne-identity-proof', data.identifier) - res.render('profile', { - title, - data: data instanceof Profile ? data.toJSON() : data, - enable_message_encryption: false, - enable_signature_verification: false, - meta: getMetaFromReq(req) +router.post('/sig', + profileRateLimiter, + bodyParser, + async (req, res) => { + const data = await generateSignatureProfile(req.body.signature) + const title = utils.generatePageTitle('profile', data) + res.set('ariadne-identity-proof', data.identifier) + res.render('profile', { + title, + data: data instanceof Profile ? 
data.toJSON() : data, + isSignature: true, + signature: req.body.signature, + enable_message_encryption: false, + enable_signature_verification: false, + meta: getMetaFromReq(req) + }) }) -}) -router.get('/hkp/:id', profileRateLimiter, async (req, res) => { - const data = await generateHKPProfile(req.params.id) - const title = utils.generatePageTitle('profile', data) - res.set('ariadne-identity-proof', data.identifier) - res.render('profile', { - title, - data: data instanceof Profile ? data.toJSON() : data, - enable_message_encryption: false, - enable_signature_verification: false, - meta: getMetaFromReq(req) +router.get('/wkd/:id', + profileRateLimiter, + param('id').escape(), + async (req, res) => { + const data = await generateWKDProfile(req.params.id) + const title = utils.generatePageTitle('profile', data) + res.set('ariadne-identity-proof', data.identifier) + res.render('profile', { + title, + data: data instanceof Profile ? data.toJSON() : data, + enable_message_encryption: false, + enable_signature_verification: false, + meta: getMetaFromReq(req) + }) }) -}) -router.get('/hkp/:server/:id', profileRateLimiter, async (req, res) => { - const data = await generateHKPProfile(req.params.id, req.params.server) - const title = utils.generatePageTitle('profile', data) - res.set('ariadne-identity-proof', data.identifier) - res.render('profile', { - title, - data: data instanceof Profile ? data.toJSON() : data, - enable_message_encryption: false, - enable_signature_verification: false, - meta: getMetaFromReq(req) +router.get('/hkp/:id', + profileRateLimiter, + param('id').escape(), + async (req, res) => { + const data = await generateHKPProfile(req.params.id) + const title = utils.generatePageTitle('profile', data) + res.set('ariadne-identity-proof', data.identifier) + res.render('profile', { + title, + data: data instanceof Profile ? 
data.toJSON() : data, + enable_message_encryption: false, + enable_signature_verification: false, + meta: getMetaFromReq(req) + }) }) -}) -router.get('/keybase/:username/:fingerprint', profileRateLimiter, async (req, res) => { - const data = await generateKeybaseProfile(req.params.username, req.params.fingerprint) - const title = utils.generatePageTitle('profile', data) - res.set('ariadne-identity-proof', data.identifier) - res.render('profile', { - title, - data: data instanceof Profile ? data.toJSON() : data, - enable_message_encryption: false, - enable_signature_verification: false, - meta: getMetaFromReq(req) +router.get('/hkp/:server/:id', + profileRateLimiter, + param('server').escape(), + param('id').escape(), + async (req, res) => { + const data = await generateHKPProfile(req.params.id, req.params.server) + const title = utils.generatePageTitle('profile', data) + res.set('ariadne-identity-proof', data.identifier) + res.render('profile', { + title, + data: data instanceof Profile ? data.toJSON() : data, + enable_message_encryption: false, + enable_signature_verification: false, + meta: getMetaFromReq(req) + }) }) -}) -router.get('/:id', profileRateLimiter, async (req, res) => { - const data = await generateAutoProfile(req.params.id) - const theme = generateProfileTheme(data) - const title = utils.generatePageTitle('profile', data) - res.set('ariadne-identity-proof', data.identifier) - res.render('profile', { - title, - data: data instanceof Profile ? 
data.toJSON() : data, - enable_message_encryption: false, - enable_signature_verification: false, - theme, - meta: getMetaFromReq(req) +router.get('/keybase/:username/:fingerprint', + profileRateLimiter, + param('username').escape(), + param('fingerprint').escape(), + async (req, res) => { + const data = await generateKeybaseProfile(req.params.username, req.params.fingerprint) + const title = utils.generatePageTitle('profile', data) + res.set('ariadne-identity-proof', data.identifier) + res.render('profile', { + title, + data: data instanceof Profile ? data.toJSON() : data, + enable_message_encryption: false, + enable_signature_verification: false, + meta: getMetaFromReq(req) + }) + }) + +router.get('/:id', + profileRateLimiter, + param('id').escape(), + async (req, res) => { + const data = await generateAutoProfile(req.params.id) + const theme = generateProfileTheme(data) + const title = utils.generatePageTitle('profile', data) + res.set('ariadne-identity-proof', data.identifier) + res.render('profile', { + title, + data: data instanceof Profile ? data.toJSON() : data, + enable_message_encryption: false, + enable_signature_verification: false, + theme, + meta: getMetaFromReq(req) + }) }) -}) export default router
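Review bot: `param('id').escape()` (and the `server`/`username`/`fingerprint` equivalents) HTML-encodes the value before it is handed to `generateWKDProfile`/`generateHKPProfile`/`generateKeybaseProfile`, so this is output encoding applied at the input layer: a WKD id whose local part legitimately contains `'` or `&` reaches the lookup as `&#x27;`/`&amp;`, and if the `profile` view already escapes its interpolations the rendered value ends up double-encoded, while a view that interpolates unescaped would still be exposed through `title`, `data` and the `signature` field of `POST /sig`, which this commit leaves untouched. Escaping the signature body is not an option either, since armored text is base64 and its `/` would become `&#x2F;` and break verification, which is the tell that the template, not the route, is the right place to encode. I would swap the sanitizers for allow-list validators that reject rather than rewrite, e.g. `param('fingerprint').isHexadecimal().isLength({ min: 16, max: 40 })`, `param('server').isFQDN()`, `param('id').isEmail()` where a route only accepts an email, and gate each handler with a small middleware that responds 400 when `validationResult(req).isEmpty()` is false (`validationResult` would also need to join `param` in the `express-validator` import from the first hunk). The `/:id` auto route appears to accept either an email or a fingerprint, so it would need a custom check combining `isEmail` and `isHexadecimal`; I am inferring the accepted shapes from the route names, so confirm them against `generateAutoProfile` before tightening.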