
fieldKeyParser: handle bad uri-encoded prefix key
alxndrsn committed Nov 4, 2024
1 parent 346d78a commit afb0240
Showing 2 changed files with 21 additions and 4 deletions.
15 changes: 11 additions & 4 deletions lib/http/middleware.js
Expand Up @@ -40,10 +40,17 @@ const versionParser = (request, response, next) => {
// TODO: we should probably reject as usual if multiple auth mechs are used
// at once but that seems like a corner of a corner case here?
const fieldKeyParser = (request, response, next) => {
let prefixKey;
const match = /^\/key\/([^/]+)\//.exec(request.url);

const prefixKey = Option.of(match).map((m) => decodeURIComponent(m[1]));
prefixKey.ifDefined(() => { request.url = request.url.slice(match[0].length - 1); });
if (match != null) {
try {
prefixKey = decodeURIComponent(match[1]);
request.url = request.url.slice(match[0].length - 1);
} catch (err) {
if (err instanceof URIError) return next(Problem.user.authenticationFailed());
else return next(err);
}
}

const queryKey = Option.of(request.query.st);
queryKey.ifDefined((token) => {
Expand All @@ -53,7 +60,7 @@ const fieldKeyParser = (request, response, next) => {
request.originalUrl = `/v1/key/${token.replace(/\//g, '%2F')}${request.originalUrl.slice(3)}`;
});

request.fieldKey = Option.of(prefixKey.orElse(queryKey));
request.fieldKey = Option.of(prefixKey ?? queryKey);

next();
};
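Review bot: The new `catch` inside the `if (match != null)` branch gives no reason for turning a `URIError` into `Problem.user.authenticationFailed()`, so a later reader may well reclassify a malformed prefix key as a 400; a one-line comment above `if (err instanceof URIError)` such as `// a key that is not valid percent-encoding cannot be a real token, so report it as bad credentials rather than letting decodeURIComponent surface a 500` would settle that. The `else` after `return next(...)` on the following line is redundant; a bare `return next(err);` reads cleaner. In the second hunk, `prefixKey ?? queryKey` now mixes a plain string with the `Option` built by `Option.of(request.query.st)`, where the replaced `orElse` form only ever went through `Option`; this presumably relies on `Option.of` passing an existing `Option` through unchanged, which is worth confirming and noting in a comment on that line. The body of `fieldKeyParser` runs past the end of the first hunk into the second.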
10 changes: 10 additions & 0 deletions test/unit/http/middleware.js
Expand Up @@ -80,6 +80,16 @@ describe('middleware', () => {
});
});

it('should return error for unparsable percent-encoded prefix keys', (done) => {
const request = createRequest({ url: '/key/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%eaaa!aaaaaaaaaaaaaaaaaa/users/23' });
fieldKeyParser(request, null, (error) => {
error.should.be.a.Problem();
error.problemCode.should.equal(401.2);
error.message.should.equal('Could not authenticate with the provided credentials.');
done();
});
});

it('should pass through any query key content', (done) => {
const request = createRequest({ url: '/v1/users/23?st=inva|id' });
fieldKeyParser(request, null, () => {
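Review bot: The new test checks only the error handed to `next` and not that the request was left untouched when the decode failed; since the middleware rewrites `request.url` only after `decodeURIComponent` succeeds, asserting that inside the callback would pin the ordering, e.g. `request.url.should.startWith('/key/');` before `done();` (assuming should.js's `startWith` is available here as the other assertions suggest). The enclosing `describe` block starts and ends outside this hunk.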
