Merge pull request #228 from overleaf/bg-add-content-id-validation

add validation for express content routes

services/clsi/app.js

@@ -29,6 +29,7 @@ Metrics.memory.monitor(logger)
 
 const ProjectPersistenceManager = require('./app/js/ProjectPersistenceManager')
 const OutputCacheManager = require('./app/js/OutputCacheManager')
+const ContentCacheManager = require('./app/js/ContentCacheManager')
 
 require('./app/js/db').sync()
 
@@ -76,6 +77,26 @@ app.param('build_id', function (req, res, next, buildId) {
   }
 })
 
+app.param('contentId', function (req, res, next, contentId) {
+  if (
+    contentId != null
+      ? contentId.match(OutputCacheManager.CONTENT_REGEX)
+      : undefined
+  ) {
+    return next()
+  } else {
+    return next(new Error(`invalid content id ${contentId}`))
+  }
+})
+
+app.param('hash', function (req, res, next, hash) {
+  if (hash != null ? hash.match(ContentCacheManager.HASH_REGEX) : undefined) {
+    return next()
+  } else {
+    return next(new Error(`invalid hash ${hash}`))
+  }
+})
+
 app.post(
   '/project/:project_id/compile',
   bodyParser.json({ limit: Settings.compileSizeLimit }),

services/clsi/app/js/ContentCacheManager.js

@@ -115,4 +115,7 @@ async function writePdfStream(dir, hash, buffers) {
   return true
 }
 
-module.exports = { update: callbackify(update) }
+module.exports = {
+  HASH_REGEX: /^[0-9a-f]{64}$/,
+  update: callbackify(update)
+}

services/clsi/app/js/OutputCacheManager.js

@@ -34,6 +34,7 @@ module.exports = OutputCacheManager = {
   // build id is HEXDATE-HEXRANDOM from Date.now()and RandomBytes
   // for backwards compatibility, make the randombytes part optional
   BUILD_REGEX: /^[0-9a-f]+(-[0-9a-f]+)?$/,
+  CONTENT_REGEX: /^[0-9a-f]+(-[0-9a-f]+)?$/,
   CACHE_LIMIT: 2, // maximum number of cache directories
   CACHE_AGE: 60 * 60 * 1000, // up to one hour old