From 07ec567b07ece03ad1b43d0cefff2b07ffbdc99f Mon Sep 17 00:00:00 2001
From: Shane Kilkelly
Date: Wed, 21 Apr 2021 09:23:46 +0100
Subject: [PATCH] Merge pull request #3902 from overleaf/sk-ref-providers-hide

Editor: don't leak encrypted tokens to frontend

GitOrigin-RevId: 245c1e9d479f7eec2979b46a5959bd3eb9f08363
---
 .../src/Features/Project/ProjectController.js | 2 +-
 .../test/acceptance/src/ProjectCRUDTests.js | 25 ++++++++++++++++++-
 .../src/Project/ProjectControllerTests.js | 17 ++++++++++++-
 3 files changed, 41 insertions(+), 3 deletions(-)

diff --git a/services/web/app/src/Features/Project/ProjectController.js b/services/web/app/src/Features/Project/ProjectController.js
index 5e6b3afd29..6af78d4e75 100644
--- a/services/web/app/src/Features/Project/ProjectController.js
+++ b/services/web/app/src/Features/Project/ProjectController.js
@@ -819,7 +819,7 @@ const ProjectController = {
 allowedFreeTrial: allowedFreeTrial,
 featureSwitches: user.featureSwitches,
 features: user.features,
- refProviders: user.refProviders,
+ refProviders: _.mapValues(user.refProviders, Boolean),
 alphaProgram: user.alphaProgram,
 betaProgram: user.betaProgram,
 isAdmin: user.isAdmin
diff --git a/services/web/test/acceptance/src/ProjectCRUDTests.js b/services/web/test/acceptance/src/ProjectCRUDTests.js
index a8de99521e..80071d6e6f 100644
--- a/services/web/test/acceptance/src/ProjectCRUDTests.js
+++ b/services/web/test/acceptance/src/ProjectCRUDTests.js
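Review bot: Nothing at the call site records why `refProviders` is mapped through `Boolean`, so a later "simplification" back to `user.refProviders` would silently reintroduce the leak; add a why-comment on the new line, e.g. `// Expose only whether each provider is linked: the stored value carries an encrypted token that must never be sent to the client`. Also note a small behavioural difference: if I recall lodash correctly, `_.mapValues` on an undefined or null source returns `{}`, so a user with no `refProviders` now receives an empty object where the old code sent `undefined`, and any frontend check that distinguished the two should be reviewed. The enclosing render call in `loadEditor` continues outside the hunk.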
@@ -2,15 +2,38 @@
 const { expect } = require('chai')
 const User = require('./helpers/User').promises
 const { Project } = require('../../../app/src/models/Project')
 const { ObjectId } = require('mongodb')
+const cheerio = require('cheerio')
 
 describe('Project CRUD', function () {
 beforeEach(async function () {
 this.user = new User()
 await this.user.login()
- this.projectId = await this.user.createProject('example-project')
 })
 
+ describe('project page', function () {
+ it('should cast refProviders to booleans', async function () {
+ await this.user.mongoUpdate({
+ $set: {
+ refProviders: {
+ mendeley: { encrypted: 'aaa' },
+ zotero: { encrypted: 'bbb' }
+ }
+ }
+ })
+ const { response, body } = await this.user.doRequest(
+ 'GET',
+ `/project/${this.projectId}`
+ )
+ expect(response.statusCode).to.equal(200)
+ const dom = cheerio.load(body)
+ const metaOlUser = dom('meta[name="ol-user"]')[0]
+ const userData = JSON.parse(metaOlUser.attribs.content)
+ expect(userData.refProviders.mendeley).to.equal(true)
+ expect(userData.refProviders.zotero).to.equal(true)
+ })
+ })
+
 describe("when project doesn't exist", function () {
 it('should return 404', async function () {
 const { response } = await this.user.doRequest(
diff --git a/services/web/test/unit/src/Project/ProjectControllerTests.js b/services/web/test/unit/src/Project/ProjectControllerTests.js
index 180bc4bfa5..87d6bf4ef1 100644
--- a/services/web/test/unit/src/Project/ProjectControllerTests.js
+++ b/services/web/test/unit/src/Project/ProjectControllerTests.js
@@ -896,7 +896,11 @@ describe('ProjectController', function () {
 fontSize: 'massive',
 theme: 'sexy'
 },
- email: 'bob@bob.com'
+ email: 'bob@bob.com',
+ refProviders: {
+ mendeley: { encrypted: 'aaaa' },
+ zotero: { encrypted: 'bbbb' }
+ }
 }
 this.ProjectGetter.getProject.callsArgWith(2, null, this.project)
 this.UserModel.findById.callsArgWith(2, null, this.user)
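Review bot: The new acceptance test interpolates `this.projectId` into the GET URL, but this same hunk removes the only visible assignment of it (`this.projectId = await this.user.createProject('example-project')` in the outer `beforeEach`), so unless a hook outside the hunk sets it the request goes to `/project/undefined` and the 200 assertion would not be exercising a real editor page. Suggest giving the new `describe('project page')` its own hook, `beforeEach(async function () { this.projectId = await this.user.createProject('example-project') })`, and leaving the other describes untouched. Since the intent is to keep encrypted tokens out of the page, the two `equal(true)` checks are weaker than `expect(userData.refProviders).to.deep.equal({ mendeley: true, zotero: true })`, which also fails if any extra field from the stored record leaks through. The `describe("when project doesn't exist")` block continues outside the hunk.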
@@ -927,6 +931,17 @@ describe('ProjectController', function () {
 this.ProjectController.loadEditor(this.req, this.res)
 })
 
+ it('should sanitize refProviders', function (done) {
+ this.res.render = (_pageName, opts) => {
+ expect(opts.user.refProviders).to.deep.equal({
+ mendeley: true,
+ zotero: true
+ })
+ done()
+ }
+ this.ProjectController.loadEditor(this.req, this.res)
+ })
+
 it('should add on userSettings', function (done) {
 this.res.render = (pageName, opts) => {
 opts.userSettings.fontSize.should.equal(this.user.ace.fontSize)
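Review bot: The new unit test pins only the case where both providers are linked; the `Boolean` mapping also has to yield `false` for a provider stored as `null` and an empty object when the user has no `refProviders` at all, and neither path is covered, so a regression in either would go unnoticed. Suggest a sibling case that sets `this.user.refProviders = { mendeley: null }` before `loadEditor` and asserts `expect(opts.user.refProviders).to.deep.equal({ mendeley: false })`, plus one with the field deleted. The enclosing `describe` continues outside the hunk.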