[web] block malformed compile requests from known other frontends (#32461)

The req.body.rootResourcePath has been shipped three weeks ago, so it's unlikely to trip up stale editor sessions. For now, only block node-fetch and log the rest. GitOrigin-RevId: 541189675f68fdcab09f4b409b4143024a29f94a
2026-05-23 17:19:37 +02:00 · 2026-03-27 09:12:08 +01:00
parent 828e196a69
commit dec809913c
2 changed files with 23 additions and 11 deletions
--- a/services/web/app/src/Features/Compile/CompileController.mjs
+++ b/services/web/app/src/Features/Compile/CompileController.mjs
@@ -187,6 +187,24 @@ const _CompileController = {
      options.pdfCachingMinChunkSize = pdfCachingMinChunkSize
    }

+    if (!options.rootResourcePath) {
+      const agent = (req.headers['user-agent'] || '').toLowerCase()
+      const isKnownOtherFrontend = agent.includes('node-fetch')
+      logger.warn(
+        { isKnownOtherFrontend, req, projectId, userId, options },
+        'rootResourcePath is missing in request body'
+      )
+      if (isKnownOtherFrontend) {
+        // Reject malformed compile request from "known" other frontend.
+        res.status(400).json({
+          error: 'rootResourcePath is missing in request body',
+        })
+        return
+      }
+      // All others: Log for now and fall back to old compile mode.
+      options.compileFromHistory = false
+    }
+
    const {
      status,
      outputFiles,
--- a/services/web/frontend/js/features/pdf-preview/util/compiler.ts
+++ b/services/web/frontend/js/features/pdf-preview/util/compiler.ts
@@ -136,18 +136,12 @@ export default class DocumentCompiler {

      const t0 = performance.now()

-      let rootDocIdOverride = this.getRootDocOverrideId()
-      let rootResourcePath
-      try {
-        // Only required for compile-from-history
-        rootDocIdOverride = rootDocIdOverride || this.projectRootDocId
-        rootResourcePath = rootDocIdOverride
-          ? this.pathInFolder(rootDocIdOverride)
-          : 'main.tex'
-      } catch {}
+      const rootDocId = this.getRootDocOverrideId() || this.projectRootDocId
+      const rootResourcePath =
+        (rootDocId && this.pathInFolder(rootDocId)) || 'main.tex'

      const body = {
-        rootDoc_id: rootDocIdOverride,
+        rootDoc_id: rootDocId,
        rootResourcePath,
        draft: options.draft,
        check: 'silent', // NOTE: 'error' and 'validate' are possible, but unused
@@ -176,7 +170,7 @@ export default class DocumentCompiler {
      this.setError(undefined)

      data.options = options
-      data.rootDocId = rootDocIdOverride
+      data.rootDocId = rootDocId
      if (data.clsiServerId) {
        this.clsiServerId = data.clsiServerId
      }