1
0
mirror of https://github.com/node-red/node-red.git synced 2023-10-10 13:36:53 +02:00

Filter req.user in /settings to prevent leaking info

This commit is contained in:
Nick O'Leary 2018-05-09 10:03:22 +01:00
parent d572356642
commit 7584820987
No known key found for this signature in database
GPG Key ID: 4F2157149161A6C9
2 changed files with 56 additions and 2 deletions

View File

@ -28,8 +28,16 @@ module.exports = {
runtimeSettings: function(req,res) { runtimeSettings: function(req,res) {
var safeSettings = { var safeSettings = {
httpNodeRoot: settings.httpNodeRoot||"/", httpNodeRoot: settings.httpNodeRoot||"/",
version: settings.version, version: settings.version
user: req.user }
if (req.user) {
safeSettings.user = {}
var props = ["anonymous","username","image","permissions"];
props.forEach(prop => {
if (req.user.hasOwnProperty(prop)) {
safeSettings.user[prop] = req.user[prop];
}
})
} }
var themeSettings = theme.settings(); var themeSettings = theme.settings();

View File

@ -30,6 +30,16 @@ describe("api/editor/settings", function() {
sinon.stub(theme,"settings",function() { return { test: 456 };}); sinon.stub(theme,"settings",function() { return { test: 456 };});
app = express(); app = express();
app.get("/settings",info.runtimeSettings); app.get("/settings",info.runtimeSettings);
app.get("/settingsWithUser",function(req,res,next) {
req.user = {
username: "nick",
permissions: "*",
image: "http://example.com",
anonymous: false,
private: "secret"
}
next();
},info.runtimeSettings);
}); });
after(function() { after(function() {
@ -68,6 +78,42 @@ describe("api/editor/settings", function() {
res.body.should.have.property("testNodeSetting","helloWorld"); res.body.should.have.property("testNodeSetting","helloWorld");
res.body.should.not.have.property("foo",123); res.body.should.not.have.property("foo",123);
res.body.should.have.property("flowEncryptionType","test-key-type"); res.body.should.have.property("flowEncryptionType","test-key-type");
res.body.should.not.have.property("user");
done();
});
});
it('returns the filtered user in settings', function(done) {
info.init({
settings: {
foo: 123,
httpNodeRoot: "testHttpNodeRoot",
version: "testVersion",
paletteCategories :["red","blue","green"],
exportNodeSettings: function(obj) {
obj.testNodeSetting = "helloWorld";
}
},
nodes: {
paletteEditorEnabled: function() { return true; },
getCredentialKeyType: function() { return "test-key-type"}
},
log: { error: console.error },
storage: {}
});
request(app)
.get("/settingsWithUser")
.expect(200)
.end(function(err,res) {
if (err) {
return done(err);
}
res.body.should.have.property("user");
res.body.user.should.have.property("username","nick");
res.body.user.should.have.property("permissions","*");
res.body.user.should.have.property("image","http://example.com");
res.body.user.should.have.property("anonymous",false);
res.body.user.should.not.have.property("private");
done(); done();
}); });
}); });