From 561ce7dc603d5033cd5546fb07d1fa43ad684e5e Mon Sep 17 00:00:00 2001
From: James Allen
Date: Wed, 11 Feb 2015 12:03:36 +0000
Subject: [PATCH] Sanitize rootResourcePath
---
 services/clsi/app/coffee/RequestParser.coffee | 6 +++++-
 services/clsi/test/unit/coffee/RequestParserTests.coffee | 9 ++++++++-
 2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/services/clsi/app/coffee/RequestParser.coffee b/services/clsi/app/coffee/RequestParser.coffee
index d98ca82435..93c843dd4f 100644
--- a/services/clsi/app/coffee/RequestParser.coffee
+++ b/services/clsi/app/coffee/RequestParser.coffee
@@ -27,10 +27,12 @@ module.exports = RequestParser =
 response.timeout = response.timeout * 1000 # milliseconds
 response.resources = (@_parseResource(resource) for resource in (compile.resources or []))
- response.rootResourcePath = @_parseAttribute "rootResourcePath",
+
+ rootResourcePath = @_parseAttribute "rootResourcePath",
 compile.rootResourcePath
 default: "main.tex"
 type: "string"
+ response.rootResourcePath = RequestParser._sanitizePath(rootResourcePath)
 catch error
 return callback error
@@ -72,3 +74,5 @@ module.exports = RequestParser =
 throw "Default not implemented"
 return attribute
+ _sanitizePath: (path) ->
+ path.replace(/[^a-zA-Z0-9_\-;.,\/ ]/g, "")
\ No newline at end of file
diff --git a/services/clsi/test/unit/coffee/RequestParserTests.coffee b/services/clsi/test/unit/coffee/RequestParserTests.coffee
index 35ad6f4e14..8545ff22a2 100644
--- a/services/clsi/test/unit/coffee/RequestParserTests.coffee
+++ b/services/clsi/test/unit/coffee/RequestParserTests.coffee
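Review bot: The new assignment calls `RequestParser._sanitizePath(rootResourcePath)` through the module name while the lines just above it reach the sibling helpers as `@_parseAttribute` and `@_parseResource`; writing it as `response.rootResourcePath = @_sanitizePath(rootResourcePath)` keeps the three calls uniform and avoids depending on the outer `RequestParser` binding. Because the parsed attribute is now replaced by a filtered copy before it is stored, a one-line comment above the assignment such as `# strip characters outside the _sanitizePath whitelist before the path is used` would tell a reader why the value is no longer taken verbatim. The enclosing try block begins before this hunk and its error handling is only partly visible here.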
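Review bot: The character class in `_sanitizePath` keeps `/`, `.` and `;`, so a value like `../../other.tex` passes through unchanged and, if this path is later resolved against the compile directory, the function does nothing to keep it inside that directory; `;` is also a command separator should the value ever reach a shell. Stripping rather than rejecting means an unexpected input is silently turned into a different filename — the test's `` `rm -rf foo`.tex `` becomes `rm -rf foo.tex` — instead of surfacing an error the client can act on through the `catch error` branch that the first hunk already has. A check that rejects absolute paths and `..` segments, for example `throw "rootResourcePath must be a relative path without .. segments" if path[0] is "/" or /(^|\/)\.\.(\/|$)/.test(path)` placed before the `replace`, would make the restriction explicit rather than implicit in the whitelist. The added helper is also missing a trailing newline, as the `\ No newline at end of file` marker shows.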
@@ -204,6 +204,13 @@ describe "RequestParser", ->
 @callback.calledWith("rootResourcePath attribute should be a string")
 .should.equal true
-
+ describe "with a root resource path that needs escaping", ->
+ beforeEach ->
+ @validRequest.compile.rootResourcePath = "`rm -rf foo`.tex"
+ @RequestParser.parse @validRequest, @callback
+ @data = @callback.args[0][1]
+
+ it "should return the escaped resource", ->
+ @data.rootResourcePath.should.equal "rm -rf foo.tex"
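Review bot: The describe title says the path "needs escaping" and the it-block says "escaped resource", but the assertion shows the backticks are removed, not escaped; `describe "with a root resource path containing disallowed characters", ->` and `it "should return the path with those characters stripped", ->` would name the behaviour actually under test. A companion case asserting that an ordinary relative path such as `chapters/intro.tex` comes back unchanged would also pin down that the sanitiser does not alter legitimate input, which this single negative example leaves untested.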