From 75848209870b269e1b8505745ecb1027d60fb787 Mon Sep 17 00:00:00 2001
From: Nick O'Leary
Date: Wed, 9 May 2018 10:03:22 +0100
Subject: [PATCH] Filter req.user in /settings to prevent leaking info
---
 red/api/editor/settings.js | 12 ++++++--
 test/red/api/editor/settings_spec.js | 46 ++++++++++++++++++++++++++++
 2 files changed, 56 insertions(+), 2 deletions(-)
diff --git a/red/api/editor/settings.js b/red/api/editor/settings.js
index 8b45d7271..8929f08de 100644
--- a/red/api/editor/settings.js
+++ b/red/api/editor/settings.js
@@ -28,8 +28,16 @@ module.exports = {
     runtimeSettings: function(req,res) {
         var safeSettings = {
             httpNodeRoot: settings.httpNodeRoot||"/",
-            version: settings.version,
-            user: req.user
+            version: settings.version
+        }
+        if (req.user) {
+            safeSettings.user = {}
+            var props = ["anonymous","username","image","permissions"];
+            props.forEach(prop => {
+                if (req.user.hasOwnProperty(prop)) {
+                    safeSettings.user[prop] = req.user[prop];
+                }
+            })
         }
 
         var themeSettings = theme.settings();
diff --git a/test/red/api/editor/settings_spec.js b/test/red/api/editor/settings_spec.js
index 6f3089cf9..142d5731a 100644
--- a/test/red/api/editor/settings_spec.js
+++ b/test/red/api/editor/settings_spec.js
@@ -30,6 +30,16 @@ describe("api/editor/settings", function() {
         sinon.stub(theme,"settings",function() { return { test: 456 };});
         app = express();
         app.get("/settings",info.runtimeSettings);
+        app.get("/settingsWithUser",function(req,res,next) {
+            req.user = {
+                username: "nick",
+                permissions: "*",
+                image: "http://example.com",
+                anonymous: false,
+                private: "secret"
+            }
+            next();
+        },info.runtimeSettings);
     });
 
     after(function() {
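Review bot: `req.user.hasOwnProperty(prop)` in the new allow-list loop dispatches through the user object itself, so a `req.user` created with `Object.create(null)`, or one on which an authentication strategy has attached an own property named `hasOwnProperty`, either throws or returns whatever that property yields; `Object.prototype.hasOwnProperty.call(req.user, prop)` is the robust form. The own-property check also silently drops any of the four fields that a user object exposes through its prototype (a class getter, for example) — whether any strategy in use does that is not visible here, but it is worth confirming since such a user would lose `permissions` without any error. The allow-list itself deserves a comment stating why it exists, e.g. `// Allow-list: only these user fields are sent to the editor; anything else the auth strategy attached to req.user (tokens, hashes, provider data) must not be serialised.` `safeSettings.user = {}` and the closing `})` are also missing the semicolons the surrounding code uses. runtimeSettings continues past the end of the hunk.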
@@ -68,6 +78,42 @@ describe("api/editor/settings", function() {
                 res.body.should.have.property("testNodeSetting","helloWorld");
                 res.body.should.not.have.property("foo",123);
                 res.body.should.have.property("flowEncryptionType","test-key-type");
+                res.body.should.not.have.property("user");
+                done();
+            });
+    });
+    it('returns the filtered user in settings', function(done) {
+        info.init({
+            settings: {
+                foo: 123,
+                httpNodeRoot: "testHttpNodeRoot",
+                version: "testVersion",
+                paletteCategories :["red","blue","green"],
+                exportNodeSettings: function(obj) {
+                    obj.testNodeSetting = "helloWorld";
+                }
+            },
+            nodes: {
+                paletteEditorEnabled: function() { return true; },
+                getCredentialKeyType: function() { return "test-key-type"}
+            },
+            log: { error: console.error },
+            storage: {}
+        });
+        request(app)
+            .get("/settingsWithUser")
+            .expect(200)
+            .end(function(err,res) {
+                if (err) {
+                    return done(err);
+                }
+                res.body.should.have.property("user");
+                res.body.user.should.have.property("username","nick");
+                res.body.user.should.have.property("permissions","*");
+                res.body.user.should.have.property("image","http://example.com");
+                res.body.user.should.have.property("anonymous",false);
+                res.body.user.should.not.have.property("private");
+                done();
             });
     });