Filter req.user in /settings to prevent leaking info
This commit is contained in:
parent
d572356642
commit
7584820987
@ -28,8 +28,16 @@ module.exports = {
|
||||
runtimeSettings: function(req,res) {
|
||||
var safeSettings = {
|
||||
httpNodeRoot: settings.httpNodeRoot||"/",
|
||||
version: settings.version,
|
||||
user: req.user
|
||||
version: settings.version
|
||||
}
|
||||
if (req.user) {
|
||||
safeSettings.user = {}
|
||||
var props = ["anonymous","username","image","permissions"];
|
||||
props.forEach(prop => {
|
||||
if (req.user.hasOwnProperty(prop)) {
|
||||
safeSettings.user[prop] = req.user[prop];
|
||||
}
|
||||
})
|
||||
}
|
||||
|
||||
var themeSettings = theme.settings();
|
||||
|
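Review bot: `req.user.hasOwnProperty(prop)` on the new side assumes the user object inherits from Object.prototype; a user built with `Object.create(null)` would throw here, and one that defines its own `hasOwnProperty` would bypass the check, so `Object.prototype.hasOwnProperty.call(req.user, prop)` is the safer form. Since this allowlist is now the only thing between the authentication strategy's user object and the editor response, a comment above `var props` such as `// allowlist: only these req.user properties are exposed to the editor; never copy the whole object` would tell the next maintainer why the filtering exists. The `props` array could also be hoisted to a module-level constant rather than rebuilt per request. `runtimeSettings` continues outside the hunk.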
@ -30,6 +30,16 @@ describe("api/editor/settings", function() {
|
||||
sinon.stub(theme,"settings",function() { return { test: 456 };});
|
||||
app = express();
|
||||
app.get("/settings",info.runtimeSettings);
|
||||
app.get("/settingsWithUser",function(req,res,next) {
|
||||
req.user = {
|
||||
username: "nick",
|
||||
permissions: "*",
|
||||
image: "http://example.com",
|
||||
anonymous: false,
|
||||
private: "secret"
|
||||
}
|
||||
next();
|
||||
},info.runtimeSettings);
|
||||
});
|
||||
|
||||
after(function() {
|
||||
@ -68,6 +78,42 @@ describe("api/editor/settings", function() {
|
||||
res.body.should.have.property("testNodeSetting","helloWorld");
|
||||
res.body.should.not.have.property("foo",123);
|
||||
res.body.should.have.property("flowEncryptionType","test-key-type");
|
||||
res.body.should.not.have.property("user");
|
||||
done();
|
||||
});
|
||||
});
|
||||
it('returns the filtered user in settings', function(done) {
|
||||
info.init({
|
||||
settings: {
|
||||
foo: 123,
|
||||
httpNodeRoot: "testHttpNodeRoot",
|
||||
version: "testVersion",
|
||||
paletteCategories :["red","blue","green"],
|
||||
exportNodeSettings: function(obj) {
|
||||
obj.testNodeSetting = "helloWorld";
|
||||
}
|
||||
},
|
||||
nodes: {
|
||||
paletteEditorEnabled: function() { return true; },
|
||||
getCredentialKeyType: function() { return "test-key-type"}
|
||||
},
|
||||
log: { error: console.error },
|
||||
storage: {}
|
||||
});
|
||||
request(app)
|
||||
.get("/settingsWithUser")
|
||||
.expect(200)
|
||||
.end(function(err,res) {
|
||||
if (err) {
|
||||
return done(err);
|
||||
}
|
||||
res.body.should.have.property("user");
|
||||
res.body.user.should.have.property("username","nick");
|
||||
res.body.user.should.have.property("permissions","*");
|
||||
res.body.user.should.have.property("image","http://example.com");
|
||||
res.body.user.should.have.property("anonymous",false);
|
||||
res.body.user.should.not.have.property("private");
|
||||
|
||||
done();
|
||||
});
|
||||
});
|
||||
|
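Review bot: The new test checks that `private` is absent but not that the filtered user contains only the allowlisted keys, so a regression that copies an additional property under any other name would still pass; replacing the per-property checks at the end with `res.body.user.should.eql({username:"nick",permissions:"*",image:"http://example.com",anonymous:false});` pins the exact shape. The `info.init({...})` fixture is also a verbatim copy of the one in the preceding test, so a shared helper or a `beforeEach` would keep the two in step when settings change. The enclosing `describe` starts outside the hunk.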