Improve fetcher input validation

This commit is contained in:
Yarmo Mackenbach 2021-04-15 19:07:56 +02:00
parent 8e1ac82fde
commit 91a3ed1e96
No known key found for this signature in database
GPG key ID: 37367F4AF4087AD1
6 changed files with 36 additions and 24 deletions


@ -27,14 +27,7 @@ module.exports = async (data, opts) => {
const fetchPromise = new Promise(async (resolve, reject) => { const fetchPromise = new Promise(async (resolve, reject) => {
const urlUser = `https://${data.domain}/api/v4/users?username=${data.username}` const urlUser = `https://${data.domain}/api/v4/users?username=${data.username}`
let resUser const resUser = await req(urlUser, null, { Accept: 'application/json' })
try {
resUser = await req(urlUser, null, { Accept: 'application/json' })
} catch (e) {
resUser = await req(utils.generateProxyURL('web', urlUser, opts), null, {
Accept: 'application/json',
})
}
const jsonUser = await resUser.json() const jsonUser = await resUser.json()
const user = jsonUser.find((user) => user.username === match[2]) const user = jsonUser.find((user) => user.username === match[2])
@ -43,16 +36,7 @@ module.exports = async (data, opts) => {
} }
const urlProject = `https://${data.domain}/api/v4/users/${user.id}/projects` const urlProject = `https://${data.domain}/api/v4/users/${user.id}/projects`
let resProject const resProject = await req(urlProject, null, { Accept: 'application/json' })
try {
resProject = await req(urlProject, null, { Accept: 'application/json' })
} catch (e) {
resProject = await req(
utils.generateProxyURL('web', urlProject, opts),
null,
{ Accept: 'application/json' }
)
}
const jsonProject = await resProject.json() const jsonProject = await resProject.json()
const project = jsonProject.find((proj) => proj.path === 'gitlab_proof') const project = jsonProject.find((proj) => proj.path === 'gitlab_proof')
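Review bot: `data.username` and `data.domain` are interpolated into `urlUser` unencoded and unchecked, so a username containing `&`, `#` or `/` rewrites the query the GitLab API receives, which sits oddly with a commit titled input validation. Use `encodeURIComponent(data.username)` in the template and guard the host, e.g. `if (!validator.isFQDN(data.domain)) return reject(new Error('GitLab fetcher: invalid domain'))` before the first request, assuming `validator` can be required here as the Matrix fetcher does. Separately, dropping the `try`/`catch` leaves `await req(urlUser, …)` and `await req(urlProject, …)` bare inside an `async` executor: unless an enclosing `try` outside the hunk catches them, a network or HTTP error now rejects the executor's own discarded promise instead of `fetchPromise`, which stays pending. The enclosing function, its `match` variable and any outer `try` begin outside the hunk.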


@ -15,6 +15,7 @@ limitations under the License.
*/ */
const bent = require('bent') const bent = require('bent')
const req = bent('GET') const req = bent('GET')
const E = require('../enums')
module.exports = async (data, opts) => { module.exports = async (data, opts) => {
let timeoutHandle let timeoutHandle
@ -31,11 +32,11 @@ module.exports = async (data, opts) => {
return return
} }
switch (format) { switch (data.format) {
case 'json': case E.ProofFormat.JSON:
req(data.url, null, { req(data.url, null, {
Accept: 'application/json', Accept: 'application/json',
'User-Agent': `doipjs/${require('../package.json').version}`, 'User-Agent': `doipjs/${require('../../package.json').version}`,
}) })
.then(async (res) => { .then(async (res) => {
return await res.json() return await res.json()
@ -47,7 +48,7 @@ module.exports = async (data, opts) => {
reject(e) reject(e)
}) })
break break
case 'text': case E.ProofFormat.TEXT:
req(data.url) req(data.url)
.then(async (res) => { .then(async (res) => {
return await res.text() return await res.text()
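Review bot: the `E.ProofFormat.TEXT` branch calls `req(data.url)` with no headers, while the JSON branch one case above sends `Accept` and the `doipjs/<version>` `User-Agent`; a proof host that filters or rate-limits anonymous clients will treat text proofs differently, so pass the same header in both cases, e.g. `req(data.url, null, { 'User-Agent': \`doipjs/${require('../../package.json').version}\` })`. Note also that `data.url` is still fetched exactly as given on both branches with no scheme or host check; if the URL originates from a claim rather than from the library, a guard such as `validator.isURL(data.url, { protocols: ['https'], require_protocol: true })` before the switch would bring this fetcher in line with the commit's intent, hedged because I cannot see whether `validator` is required in this file. The switch and the enclosing function run past the hunk, so I cannot tell whether a `default` case rejects unknown formats.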


@ -25,6 +25,12 @@ module.exports = async (data, opts) => {
}) })
const fetchPromise = new Promise((resolve, reject) => { const fetchPromise = new Promise((resolve, reject) => {
try {
validator.isAscii(opts.claims.irc.nick)
} catch (err) {
throw new Error(`IRC fetcher was not set up properly (${err.message})`)
}
try { try {
const client = new irc.Client(data.domain, opts.nick, { const client = new irc.Client(data.domain, opts.nick, {
port: 6697, port: 6697,
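Review bot: `validator.isAscii` returns a boolean rather than throwing, so the new `try`/`catch` at the top of the executor never rejects a non-ASCII nick; as far as I know validator only throws (a TypeError) when the argument is not a string, and the error message then names the wrong cause. Replace the block with an explicit test, `if (!validator.isAscii(opts.claims.irc.nick)) return reject(new Error('IRC fetcher was not set up properly (nick is not ASCII)'))`. The check also reads `opts.claims.irc.nick` while the `irc.Client` call two lines later still passes `opts.nick`, so the value that is validated is not the value that is used; one of the two paths should change. Whether `validator` is required at the top of this file is not visible here, whereas the Matrix hunk shows its require being added.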


@ -15,6 +15,7 @@ limitations under the License.
*/ */
const bent = require('bent') const bent = require('bent')
const bentReq = bent('GET') const bentReq = bent('GET')
const validator = require('validator')
module.exports = async (data, opts) => { module.exports = async (data, opts) => {
let timeoutHandle let timeoutHandle
@ -25,9 +26,15 @@ module.exports = async (data, opts) => {
) )
}) })
const url = `https://${opts.instance}/_matrix/client/r0/rooms/${data.roomId}/event/${data.eventId}?access_token=${opts.accessToken}`
const fetchPromise = new Promise((resolve, reject) => { const fetchPromise = new Promise((resolve, reject) => {
try {
validator.isFQDN(opts.claims.matrix.instance)
validator.isAscii(opts.claims.matrix.accessToken)
} catch (err) {
throw new Error(`Matrix fetcher was not set up properly (${err.message})`)
}
const url = `https://${opts.claims.matrix.instance}/_matrix/client/r0/rooms/${data.roomId}/event/${data.eventId}?access_token=${opts.claims.matrix.accessToken}`
bentReq(url, null, { bentReq(url, null, {
Accept: 'application/json', Accept: 'application/json',
}) })
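Review bot: the `isFQDN`/`isAscii` calls return booleans, so the new `try`/`catch` never rejects a malformed instance host or token; wrapping them in `try` only catches validator's TypeError for a non-string argument. Use the return values instead, `if (!validator.isFQDN(opts.claims.matrix.instance) || !validator.isAscii(opts.claims.matrix.accessToken)) return reject(new Error('Matrix fetcher was not set up properly'))`. Two further points on the moved `url` line: `data.roomId` and `data.eventId` go into the path unencoded (room IDs contain `!` and `:`, so `encodeURIComponent` on both is warranted), and the access token travels in the query string where it lands in server and proxy logs; the Matrix client API also accepts `Authorization: Bearer <token>`, which `bentReq` can send alongside `Accept`. The token-in-query issue predates this commit, since the line is moved rather than changed.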


@ -26,6 +26,12 @@ module.exports = async (data, opts) => {
}) })
const fetchPromise = new Promise((resolve, reject) => { const fetchPromise = new Promise((resolve, reject) => {
try {
validator.isAscii(opts.claims.twitter.bearerToken)
} catch (err) {
throw new Error(`Twitter fetcher was not set up properly (${err.message})`)
}
bentReq( bentReq(
`https://api.twitter.com/1.1/statuses/show.json?id=${data.tweetId}&tweet_mode=extended`, `https://api.twitter.com/1.1/statuses/show.json?id=${data.tweetId}&tweet_mode=extended`,
null, null,
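Review bot: as in the other fetchers, `validator.isAscii(opts.claims.twitter.bearerToken)` returns a boolean that is never acted on, so a bad token passes straight through to the request; write `if (!validator.isAscii(opts.claims.twitter.bearerToken)) return reject(new Error('Twitter fetcher was not set up properly (bearer token is not ASCII)'))` in place of the `try`/`catch`. The `id=${data.tweetId}` query on the next line is also built without encoding; tweet ids are numeric strings, so `validator.isNumeric(data.tweetId)` (or at least `encodeURIComponent`) would keep a crafted id from appending extra parameters. Whether `validator` is required in this file is not visible in the hunk.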


@ -52,6 +52,14 @@ module.exports = async (data, opts) => {
}) })
const fetchPromise = new Promise(async (resolve, reject) => { const fetchPromise = new Promise(async (resolve, reject) => {
try {
validator.isFQDN(opts.claims.xmpp.service)
validator.isAscii(opts.claims.xmpp.username)
validator.isAscii(opts.claims.xmpp.password)
} catch (err) {
throw new Error(`XMPP fetcher was not set up properly (${err.message})`)
}
if (!xmpp) { if (!xmpp) {
const xmppStartRes = await xmppStart( const xmppStartRes = await xmppStart(
opts.service, opts.service,
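Review bot: this executor is `async`, so the `throw` in the new `catch` block rejects the executor's own discarded promise, not `fetchPromise`; the caller never sees the error, Node reports an unhandled rejection, and `fetchPromise` stays pending until whatever timeout the surrounding code applies. On top of that the three `validator` calls return booleans that are never checked, so the block rejects nothing today. Replace it with `if (!validator.isFQDN(opts.claims.xmpp.service) || !validator.isAscii(opts.claims.xmpp.username) || !validator.isAscii(opts.claims.xmpp.password)) return reject(new Error('XMPP fetcher was not set up properly'))`. The validated values are `opts.claims.xmpp.*` but `xmppStart` is called with `opts.service` two lines below (its remaining arguments run past the hunk), so the checked and used values diverge in the same way the IRC hunk's do.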