Filter req.user in /settings to prevent leaking info
This commit is contained in:
parent
d572356642
commit
7584820987
@ -28,8 +28,16 @@ module.exports = {
|
|||||||
runtimeSettings: function(req,res) {
|
runtimeSettings: function(req,res) {
|
||||||
var safeSettings = {
|
var safeSettings = {
|
||||||
httpNodeRoot: settings.httpNodeRoot||"/",
|
httpNodeRoot: settings.httpNodeRoot||"/",
|
||||||
version: settings.version,
|
version: settings.version
|
||||||
user: req.user
|
}
|
||||||
|
if (req.user) {
|
||||||
|
safeSettings.user = {}
|
||||||
|
var props = ["anonymous","username","image","permissions"];
|
||||||
|
props.forEach(prop => {
|
||||||
|
if (req.user.hasOwnProperty(prop)) {
|
||||||
|
safeSettings.user[prop] = req.user[prop];
|
||||||
|
}
|
||||||
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
var themeSettings = theme.settings();
|
var themeSettings = theme.settings();
|
||||||
|
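Review bot: The allowlist check `req.user.hasOwnProperty(prop)` calls a method through the user object's prototype chain, so a user object built with `Object.create(null)` or one that defines its own `hasOwnProperty` would throw here and turn `/settings` into a 500 for that authenticated session; the safer form is `if (Object.prototype.hasOwnProperty.call(req.user, prop)) {`. The `props` array is also rebuilt on every request and reads as an incidental local, although it is the security boundary for what an editor client learns about the logged-in user; hoisting it to module scope as `var SAFE_USER_PROPS = ["anonymous","username","image","permissions"]; // allowlist of req.user fields exposed to the editor` makes that intent visible to the next person who adds a field. The `props.forEach` callback and the `safeSettings.user = {}` line are missing their terminating semicolons, unlike the surrounding code. runtimeSettings continues past the end of this hunk.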
@ -30,6 +30,16 @@ describe("api/editor/settings", function() {
|
|||||||
sinon.stub(theme,"settings",function() { return { test: 456 };});
|
sinon.stub(theme,"settings",function() { return { test: 456 };});
|
||||||
app = express();
|
app = express();
|
||||||
app.get("/settings",info.runtimeSettings);
|
app.get("/settings",info.runtimeSettings);
|
||||||
|
app.get("/settingsWithUser",function(req,res,next) {
|
||||||
|
req.user = {
|
||||||
|
username: "nick",
|
||||||
|
permissions: "*",
|
||||||
|
image: "http://example.com",
|
||||||
|
anonymous: false,
|
||||||
|
private: "secret"
|
||||||
|
}
|
||||||
|
next();
|
||||||
|
},info.runtimeSettings);
|
||||||
});
|
});
|
||||||
|
|
||||||
after(function() {
|
after(function() {
|
||||||
@ -68,6 +78,42 @@ describe("api/editor/settings", function() {
|
|||||||
res.body.should.have.property("testNodeSetting","helloWorld");
|
res.body.should.have.property("testNodeSetting","helloWorld");
|
||||||
res.body.should.not.have.property("foo",123);
|
res.body.should.not.have.property("foo",123);
|
||||||
res.body.should.have.property("flowEncryptionType","test-key-type");
|
res.body.should.have.property("flowEncryptionType","test-key-type");
|
||||||
|
res.body.should.not.have.property("user");
|
||||||
|
done();
|
||||||
|
});
|
||||||
|
});
|
||||||
|
it('returns the filtered user in settings', function(done) {
|
||||||
|
info.init({
|
||||||
|
settings: {
|
||||||
|
foo: 123,
|
||||||
|
httpNodeRoot: "testHttpNodeRoot",
|
||||||
|
version: "testVersion",
|
||||||
|
paletteCategories :["red","blue","green"],
|
||||||
|
exportNodeSettings: function(obj) {
|
||||||
|
obj.testNodeSetting = "helloWorld";
|
||||||
|
}
|
||||||
|
},
|
||||||
|
nodes: {
|
||||||
|
paletteEditorEnabled: function() { return true; },
|
||||||
|
getCredentialKeyType: function() { return "test-key-type"}
|
||||||
|
},
|
||||||
|
log: { error: console.error },
|
||||||
|
storage: {}
|
||||||
|
});
|
||||||
|
request(app)
|
||||||
|
.get("/settingsWithUser")
|
||||||
|
.expect(200)
|
||||||
|
.end(function(err,res) {
|
||||||
|
if (err) {
|
||||||
|
return done(err);
|
||||||
|
}
|
||||||
|
res.body.should.have.property("user");
|
||||||
|
res.body.user.should.have.property("username","nick");
|
||||||
|
res.body.user.should.have.property("permissions","*");
|
||||||
|
res.body.user.should.have.property("image","http://example.com");
|
||||||
|
res.body.user.should.have.property("anonymous",false);
|
||||||
|
res.body.user.should.not.have.property("private");
|
||||||
|
|
||||||
done();
|
done();
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
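Review bot: The new test pins that one non-allowlisted key (`private`) is dropped but does not assert the exact key set of `res.body.user`, so a later widening of the allowlist or a regression to copying the whole object with one extra field would still pass as long as `private` happened to be absent; after the four positive checks, add `Object.keys(res.body.user).sort().should.eql(["anonymous","image","permissions","username"]);`. The fixture added in the earlier hunk (`/settingsWithUser`) only covers a plain object literal; a short comment there noting that it stands in for whatever the auth strategy attaches as `req.user` would help readers understand why `private: "secret"` is present.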