From 625fa810c25a28fdf9aee9068ae1307bb012177e Mon Sep 17 00:00:00 2001 From: Henry Oswald Date: Fri, 17 Mar 2017 14:42:07 +0000 Subject: [PATCH] validate mongo id in getPrivilegeLevelForProject https://sentry.io/sharelatex-1/sl-web-server-prod/issues/204397665/ --- .../Authorization/AuthorizationManager.coffee | 4 ++++ .../AuthorizationManagerTests.coffee | 15 ++++++++++++++- 2 files changed, 18 insertions(+), 1 deletion(-) diff --git a/services/web/app/coffee/Features/Authorization/AuthorizationManager.coffee b/services/web/app/coffee/Features/Authorization/AuthorizationManager.coffee index ded0b6f979..90c8cdb485 100644 --- a/services/web/app/coffee/Features/Authorization/AuthorizationManager.coffee +++ b/services/web/app/coffee/Features/Authorization/AuthorizationManager.coffee @@ -4,6 +4,8 @@ User = require("../../models/User").User PrivilegeLevels = require("./PrivilegeLevels") PublicAccessLevels = require("./PublicAccessLevels") Errors = require("../Errors/Errors") +ObjectId = require("mongojs").ObjectId + module.exports = AuthorizationManager = # Get the privilege level that the user has for the project @@ -13,6 +15,8 @@ module.exports = AuthorizationManager = # * becausePublic: true if the access level is only because the project is public. getPrivilegeLevelForProject: (user_id, project_id, callback = (error, privilegeLevel, becausePublic) ->) -> getPublicAccessLevel = () -> + if !ObjectId.isValid(project_id) + return callback(new Error("invalid project id")) Project.findOne { _id: project_id }, { publicAccesLevel: 1 }, (error, project) -> return callback(error) if error? if !project? diff --git a/services/web/test/UnitTests/coffee/Authorization/AuthorizationManagerTests.coffee b/services/web/test/UnitTests/coffee/Authorization/AuthorizationManagerTests.coffee index fcacce5164..b85449d7fd 100644 --- a/services/web/test/UnitTests/coffee/Authorization/AuthorizationManagerTests.coffee 
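Review bot: The new guard inside getPublicAccessLevel rejects a malformed project_id with a plain `Error`, which callers will surface as a 500 exactly like the CastError the Sentry issue reports; an id that is not a valid ObjectId can never match a project, so `return callback(new Errors.NotFoundError("project not found"))` — `Errors` is already imported, and the `if !project?` branch just below appears to yield that type, since the unit test expects `Errors.NotFoundError` for a missing project — would let existing not-found handling answer with a 404 instead. The check also only covers the public-access path: the body of getPrivilegeLevelForProject continues outside the hunk, and if the logged-in path looks the project up through CollaboratorsHandler.getMemberIdPrivilegeLevel (the test stubs it), that path still receives the unvalidated id, so moving `if !ObjectId.isValid(project_id)` to the top of getPrivilegeLevelForProject, before any lookup, would close that gap. Note that mongojs' `ObjectId.isValid` also accepts any 12-character string, so this is a format check only, not proof the id exists. Unrelated to this change, the context line's projection `{ publicAccesLevel: 1 }` looks like a typo for `publicAccessLevel` and is worth confirming against the field the callback reads.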
+++ b/services/web/test/UnitTests/coffee/Authorization/AuthorizationManagerTests.coffee
@@ -136,7 +136,20 @@ describe "AuthorizationManager", ->
 it "should return a NotFoundError", ->
 @AuthorizationManager.getPrivilegeLevelForProject @user_id, @project_id, (error) ->
 error.should.be.instanceof Errors.NotFoundError
-
+
+ describe "when the project id is not validssssssss", ->
+ beforeEach ->
+ @AuthorizationManager.isUserSiteAdmin.withArgs(@user_id).yields(null, false)
+ @CollaboratorsHandler.getMemberIdPrivilegeLevel
+ .withArgs(@user_id, @project_id)
+ .yields(null, "readOnly")
+
+ it "should return a error", (done)->
+ @AuthorizationManager.getPrivilegeLevelForProject undefined, "not project id", (err) =>
+ @Project.findOne.called.should.equal false
+ expect(err).to.exist
+ done()
+
 describe "canUserReadProject", ->
 beforeEach ->
 @AuthorizationManager.getPrivilegeLevelForProject = sinon.stub()
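Review bot: The new case's `beforeEach` stubs `isUserSiteAdmin` and `getMemberIdPrivilegeLevel` with `.withArgs(@user_id, @project_id)`, but the call under test passes `undefined` and `"not project id"`, so neither stub can match and the whole `beforeEach` is dead setup; either drop it or, if the logged-in path is what should be covered, call with `@user_id` and stub `getMemberIdPrivilegeLevel.withArgs(@user_id, "not project id")`. As written only the anonymous path is exercised, so the test would not notice an invalid id reaching the collaborator lookup. `expect(err).to.exist` should pin the contract the implementation promises, e.g. `err.message.should.equal "invalid project id"` (or an `instanceof` check if the error type is changed to `Errors.NotFoundError`). The describe title `"when the project id is not validssssssss"` is a typo for `"when the project id is not valid"`, and `"should return a error"` should read `"should return an error"`.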