From ff2175e72796527122e914c6878f79e04fd2aeed Mon Sep 17 00:00:00 2001
From: Brian Gough
Date: Thu, 13 May 2021 14:56:15 +0100
Subject: [PATCH] add validation for express :content_id parameter

---
 services/clsi/app.js | 21 +++++++++++++++++++++
 services/clsi/app/js/ContentCacheManager.js | 5 ++++-
 services/clsi/app/js/OutputCacheManager.js | 1 +
 3 files changed, 26 insertions(+), 1 deletion(-)

diff --git a/services/clsi/app.js b/services/clsi/app.js
index 6266c86b16..77ab922987 100644
--- a/services/clsi/app.js
+++ b/services/clsi/app.js
@@ -29,6 +29,7 @@ Metrics.memory.monitor(logger)
 const ProjectPersistenceManager = require('./app/js/ProjectPersistenceManager')
 const OutputCacheManager = require('./app/js/OutputCacheManager')
+const ContentCacheManager = require('./app/js/ContentCacheManager')
 require('./app/js/db').sync()
@@ -76,6 +77,26 @@ app.param('build_id', function (req, res, next, buildId) {
 }
 })
+app.param('contentId', function (req, res, next, contentId) {
+ if (
+ contentId != null
+ ? contentId.match(OutputCacheManager.CONTENT_REGEX)
+ : undefined
+ ) {
+ return next()
+ } else {
+ return next(new Error(`invalid content id ${contentId}`))
+ }
+})
+
+app.param('hash', function (req, res, next, hash) {
+ if (hash != null ? hash.match(ContentCacheManager.HASH_REGEX) : undefined) {
+ return next()
+ } else {
+ return next(new Error(`invalid hash ${hash}`))
+ }
+})
+
 app.post(
 '/project/:project_id/compile',
 bodyParser.json({ limit: Settings.compileSizeLimit }),
diff --git a/services/clsi/app/js/ContentCacheManager.js b/services/clsi/app/js/ContentCacheManager.js
index 94ed9ebc00..099f0ee801 100644
--- a/services/clsi/app/js/ContentCacheManager.js
+++ b/services/clsi/app/js/ContentCacheManager.js
@@ -115,4 +115,7 @@ async function writePdfStream(dir, hash, buffers) {
 return true
 }
-module.exports = { update: callbackify(update) }
+module.exports = {
+ HASH_REGEX: /^[0-9a-f]{64}$/,
+ update: callbackify(update)
+}
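Review bot: The new validator is registered as `app.param('contentId', …)` while the existing handler, the visible route and the commit subject all use snake_case placeholders (`build_id`, `:project_id`, `:content_id`); Express only runs an `app.param` callback for a placeholder with exactly that name, so if the routes declare `:content_id` this check never fires and the value reaches the cache code unvalidated — the route definitions are outside this hunk, so please confirm the placeholder spelling. The `x != null ? x.match(RE) : undefined` form is hard to read and `match` builds a result array only to be tested for truthiness; `if (contentId != null && OutputCacheManager.CONTENT_REGEX.test(contentId)) { return next() }` says the same thing, and the same applies to the `hash` handler below it. The rejected value is also echoed verbatim into the Error passed to `next()`; a fixed message such as `new Error('invalid content id')` avoids logging or returning client-supplied text through whatever error handler is installed.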
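Review bot: `HASH_REGEX` is exported without a comment saying what it validates, even though app.js now relies on it to accept or reject the `hash` route parameter; add a line such as `// content hash as passed to writePdfStream: exactly 64 lowercase hex characters` above it, adjusting the wording to match where the hash is actually produced (the producer is outside this hunk). The pattern accepts lowercase only, so if the producer ever emits uppercase digests, or the route value is compared before any normalisation, valid requests would be rejected — worth stating that invariant next to the regex. Pinning the length to 64 is the right choice if, as the `writePdfStream(dir, hash, buffers)` signature suggests, the hash ends up in a filesystem path.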
diff --git a/services/clsi/app/js/OutputCacheManager.js b/services/clsi/app/js/OutputCacheManager.js
index cd1bd883a2..fe23ae3e3c 100644
--- a/services/clsi/app/js/OutputCacheManager.js
+++ b/services/clsi/app/js/OutputCacheManager.js
@@ -34,6 +34,7 @@ module.exports = OutputCacheManager = {
 // build id is HEXDATE-HEXRANDOM from Date.now()and RandomBytes
 // for backwards compatibility, make the randombytes part optional
 BUILD_REGEX: /^[0-9a-f]+(-[0-9a-f]+)?$/,
+CONTENT_REGEX: /^[0-9a-f]+(-[0-9a-f]+)?$/,
 CACHE_LIMIT: 2, // maximum number of cache directories
 CACHE_AGE: 60 * 60 * 1000, // up to one hour old
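Review bot: `CONTENT_REGEX` duplicates `BUILD_REGEX` byte for byte with no comment, so a reader cannot tell whether content ids intentionally share the HEXDATE-HEXRANDOM build-id format or merely happen to today; if they are the same format, say so (`// content ids use the same format as build ids`) or define the pattern once in a `const` above the export and assign it to both keys so the two cannot drift apart. Both patterns are unbounded (`[0-9a-f]+`), so an arbitrarily long hex string still passes; if content ids are generated with a known length, bounding it here is cheap and this value comes straight from the URL. The comment's `Date.now()and` is missing a space, if you are touching these lines anyway.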