mirror of
https://github.com/yu-i-i/overleaf-cep.git
synced 2026-05-23 17:19:37 +02:00
3980b9e580
* Fix IDOR in exports by adding token verification Implement jdleesmiller's suggested fix for Issue #31637: - V1: Return export token in create response - V1: Verify token in get_export using secure_compare - Web: Pass token through fetchExport and fetchDownload - Web: Return token from exportProject to frontend - Frontend: Pass token as query param on status/download requests - Add tests for both services Agent-Logs-Url: https://github.com/overleaf/internal/sessions/7ba5f535-fba2-49a8-91d4-c87bd332d3a0 Co-authored-by: briangough <7457354+briangough@users.noreply.github.com> Fix window.location.pathname to .href to preserve query params Code review correctly identified that window.location.pathname strips query parameters. Switch to window.location.href so the token query parameter is preserved in download URLs. Agent-Logs-Url: https://github.com/overleaf/internal/sessions/7ba5f535-fba2-49a8-91d4-c87bd332d3a0 Co-authored-by: briangough <7457354+briangough@users.noreply.github.com> Fix test mocks to include token in POST responses Agent-Logs-Url: https://github.com/overleaf/internal/sessions/0350c6ef-0fff-4e98-8464-812cd92c523f Co-authored-by: briangough <7457354+briangough@users.noreply.github.com> fix formatting Fix token assignment in initiateExport to use pollResponse token if available Add requireExportToken config setting and tests for invalid/missing token cases Agent-Logs-Url: https://github.com/overleaf/internal/sessions/059bdba2-4f7a-4407-a5a5-cfcffd888739 Co-authored-by: briangough <7457354+briangough@users.noreply.github.com> fix formatting Add tests for export status and token validation in ExportsController and MockV1Api Co-authored-by: Copilot <copilot@github.com> * Update services/v1/main/app/controllers/api/v1/overleaf/exports_controller.rb Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * fix linting * fix fetchString response handling in ExportsHandler tests --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: Copilot <copilot@github.com> Co-authored-by: Brian Gough <briangough@users.noreply.github.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: Brian Gough <brian.gough@overleaf.com> GitOrigin-RevId: 399aef8eaa15ab3655f0905482f3a31fe94e2251