#121 Added mongo injection protection
parent
50061c370c
commit
04e2b9e437
|
@ -7,6 +7,7 @@ const TwitterStrategy = require('passport-twitter').Strategy
|
||||||
const GoogleTokenStrategy = require('passport-google-id-token')
|
const GoogleTokenStrategy = require('passport-google-id-token')
|
||||||
const FacebookTokenStrategy = require('passport-facebook-token')
|
const FacebookTokenStrategy = require('passport-facebook-token')
|
||||||
const TwitterTokenStrategy = require('passport-twitter-token')
|
const TwitterTokenStrategy = require('passport-twitter-token')
|
||||||
|
const sanitize = require('mongo-sanitize')
|
||||||
const debug = require('debug')('tracman-passport')
|
const debug = require('debug')('tracman-passport')
|
||||||
const env = require('./env/env.js')
|
const env = require('./env/env.js')
|
||||||
const mw = require('./middleware.js')
|
const mw = require('./middleware.js')
|
||||||
|
@ -33,7 +34,7 @@ module.exports = (passport) => {
|
||||||
}, async (req, email, password, done) => {
|
}, async (req, email, password, done) => {
|
||||||
debug(`Perfoming local login for ${email}`)
|
debug(`Perfoming local login for ${email}`)
|
||||||
try {
|
try {
|
||||||
let user = await User.findOne({'email': email})
|
let user = await User.findOne({'email': sanitize(email)})
|
||||||
|
|
||||||
// No user with that email
|
// No user with that email
|
||||||
if (!user) {
|
if (!user) {
|
||||||
|
@ -143,11 +144,11 @@ module.exports = (passport) => {
|
||||||
// Check for unique profileId
|
// Check for unique profileId
|
||||||
debug(`Checking for unique account with query ${query}...`)
|
debug(`Checking for unique account with query ${query}...`)
|
||||||
try {
|
try {
|
||||||
let user = await User.findOne(query)
|
let existing_user = await User.findOne(query)
|
||||||
|
|
||||||
// Social account already in use
|
// Social account already in use
|
||||||
if (existingUser) {
|
if (existing_user) {
|
||||||
debug(`${service} account already in use with user ${existingUser.id}`)
|
debug(`${service} account already in use with user ${existing_user.id}`)
|
||||||
req.session.flashType = 'warning'
|
req.session.flashType = 'warning'
|
||||||
req.session.flashMessage = `Another user is already connected to that ${service} account. `
|
req.session.flashMessage = `Another user is already connected to that ${service} account. `
|
||||||
return done()
|
return done()
|
||||||
|
|
|
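Review bot: The renamed binding `existing_user` breaks the camelCase convention the rest of the codebase uses for the same concept (`existingUser` in the checkSlug lookup of this very commit), so the rename fixes the old reference bug but introduces a style inconsistency; `let existingUser = await User.findOne(query)` with the two uses updated to match would keep both files aligned. While touching this block, the context line `debug(\`Checking for unique account with query ${query}...\`)` interpolates an object and will print `[object Object]`; `${JSON.stringify(query)}` gives a useful log line. Note that `query` itself is built outside this hunk and is not passed through `sanitize` here, which is presumably fine if it is assembled from provider profile ids rather than request input — worth confirming. The enclosing strategy callback starts and ends outside the hunk.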
@ -1,6 +1,7 @@
|
||||||
'use strict'
|
'use strict'
|
||||||
|
|
||||||
const mw = require('../middleware.js')
|
const mw = require('../middleware.js')
|
||||||
|
const sanitize = require('mongo-sanitize')
|
||||||
const User = require('../models.js').user
|
const User = require('../models.js').user
|
||||||
const mail = require('../mail.js')
|
const mail = require('../mail.js')
|
||||||
const env = require('../env/env.js')
|
const env = require('../env/env.js')
|
||||||
|
@ -100,7 +101,7 @@ router.route('/password/:token')
|
||||||
debug('/account/password/:token .all() called')
|
debug('/account/password/:token .all() called')
|
||||||
try {
|
try {
|
||||||
let user = await User
|
let user = await User
|
||||||
.findOne({'auth.passToken': req.params.token})
|
.findOne({'auth.passToken': sanitize(req.params.token)})
|
||||||
.where('auth.passTokenExpires').gt(Date.now())
|
.where('auth.passTokenExpires').gt(Date.now())
|
||||||
|
|
||||||
if (!user) {
|
if (!user) {
|
||||||
|
|
|
@ -6,6 +6,7 @@ const User = require('../models.js').user
|
||||||
const crypto = require('crypto')
|
const crypto = require('crypto')
|
||||||
const moment = require('moment')
|
const moment = require('moment')
|
||||||
const slugify = require('slug')
|
const slugify = require('slug')
|
||||||
|
const sanitize = require('mongo-sanitize')
|
||||||
const debug = require('debug')('tracman-routes-auth')
|
const debug = require('debug')('tracman-routes-auth')
|
||||||
const env = require('../env/env.js')
|
const env = require('../env/env.js')
|
||||||
|
|
||||||
|
@ -145,7 +146,7 @@ module.exports = (app, passport) => {
|
||||||
// Check if somebody already has that email
|
// Check if somebody already has that email
|
||||||
try {
|
try {
|
||||||
debug(`Searching for user with email ${req.body.email}...`)
|
debug(`Searching for user with email ${req.body.email}...`)
|
||||||
let user = await User.findOne({'email': req.body.email})
|
let user = await User.findOne({'email': sanitize(req.body.email)})
|
||||||
|
|
||||||
// User already exists
|
// User already exists
|
||||||
if (user && user.auth.password) {
|
if (user && user.auth.password) {
|
||||||
|
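Review bot: `sanitize(req.body.email)` strips `$`-prefixed keys but does not enforce that the value is a string, so if the body parser delivers an object for `email` the query silently becomes `{'email': {}}` and the rest of the signup flow (outside this hunk) proceeds with a non-string email. A type guard before the lookup makes the intent explicit and fails loudly: `if (typeof req.body.email !== 'string') throw new Error('email must be a string')`, after which the `sanitize` call is belt-and-braces. The same applies to the password-reset lookup further down in this file (`sanitize(req.body.email)` in the forgot-password handler) and to the local-strategy lookup in passport.js (`sanitize(email)`); a shared helper in middleware.js would avoid repeating the check. The enclosing route handler starts before and ends after this hunk.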
@ -182,7 +183,7 @@ module.exports = (app, passport) => {
|
||||||
(async function checkSlug (s, cb) {
|
(async function checkSlug (s, cb) {
|
||||||
try {
|
try {
|
||||||
debug(`Checking to see if slug ${s} is taken...`)
|
debug(`Checking to see if slug ${s} is taken...`)
|
||||||
let existingUser = await User.findOne({slug: s})
|
let existingUser = await User.findOne({slug: sanitize(s)})
|
||||||
|
|
||||||
// Slug in use: generate a random one and retry
|
// Slug in use: generate a random one and retry
|
||||||
if (existingUser) {
|
if (existingUser) {
|
||||||
|
@ -283,7 +284,7 @@ module.exports = (app, passport) => {
|
||||||
|
|
||||||
// Check if somebody has that email
|
// Check if somebody has that email
|
||||||
try {
|
try {
|
||||||
let user = await User.findOne({'email': req.body.email})
|
let user = await User.findOne({'email': sanitize(req.body.email)})
|
||||||
|
|
||||||
// No user with that email
|
// No user with that email
|
||||||
if (!user) {
|
if (!user) {
|
||||||
|
@ -298,7 +299,7 @@ module.exports = (app, passport) => {
|
||||||
// User with that email does exist
|
// User with that email does exist
|
||||||
} else {
|
} else {
|
||||||
debug(`User ${user.id} found with that email. Creating reset token...`)
|
debug(`User ${user.id} found with that email. Creating reset token...`)
|
||||||
|
|
||||||
// Create reset token
|
// Create reset token
|
||||||
try {
|
try {
|
||||||
let [token, expires] = await user.createPassToken()
|
let [token, expires] = await user.createPassToken()
|
||||||
|
|
|
@ -3,6 +3,7 @@
|
||||||
const router = require('express').Router()
|
const router = require('express').Router()
|
||||||
const mw = require('../middleware.js')
|
const mw = require('../middleware.js')
|
||||||
const env = require('../env/env.js')
|
const env = require('../env/env.js')
|
||||||
|
const sanitize = require('mongo-sanitize')
|
||||||
const User = require('../models.js').user
|
const User = require('../models.js').user
|
||||||
|
|
||||||
// Redirect to real slug
|
// Redirect to real slug
|
||||||
|
@ -47,21 +48,25 @@ router.get('/demo', (req, res, next) => {
|
||||||
// Show map
|
// Show map
|
||||||
router.get('/:slug?', async (req, res, next) => {
|
router.get('/:slug?', async (req, res, next) => {
|
||||||
try {
|
try {
|
||||||
let map_user = await User.findOne({slug: req.params.slug})
|
if (req.params.slug != sanitize(req.params.slug)) {
|
||||||
if (!map_user) next() // 404
|
throw new Error(`Possible injection attempt with slug: ${req.params.slug}`)
|
||||||
else {
|
} else {
|
||||||
var active = '' // For header nav
|
let map_user = await User.findOne({slug: req.params.slug})
|
||||||
if (req.user && req.user.id === map_user.id) active = 'map'
|
if (!map_user) next() // 404
|
||||||
res.render('map', {
|
else {
|
||||||
active: active,
|
var active = '' // For header nav
|
||||||
mapuser: map_user,
|
if (req.user && req.user.id === map_user.id) active = 'map'
|
||||||
mapApi: env.googleMapsAPI,
|
res.render('map', {
|
||||||
user: req.user,
|
active: active,
|
||||||
noFooter: '1',
|
mapuser: map_user,
|
||||||
noHeader: (req.query.noheader) ? req.query.noheader.match(/\d/)[0] : 0,
|
mapApi: env.googleMapsAPI,
|
||||||
disp: (req.query.disp) ? req.query.disp.match(/\d/)[0] : 2, // 0=map, 1=streetview, 2=both
|
user: req.user,
|
||||||
newuserurl: (req.query.new) ? env.url + '/map/' + req.params.slug : ''
|
noFooter: '1',
|
||||||
})
|
noHeader: (req.query.noheader) ? req.query.noheader.match(/\d/)[0] : 0,
|
||||||
|
disp: (req.query.disp) ? req.query.disp.match(/\d/)[0] : 2, // 0=map, 1=streetview, 2=both
|
||||||
|
newuserurl: (req.query.new) ? env.url + '/map/' + req.params.slug : ''
|
||||||
|
})
|
||||||
|
}
|
||||||
}
|
}
|
||||||
} catch (err) { mw.throwErr(err, req) }
|
} catch (err) { mw.throwErr(err, req) }
|
||||||
})
|
})
|
||||||
|
|
|
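Review bot: The new guard `if (req.params.slug != sanitize(req.params.slug))` can never be true: `req.params.slug` is always a string or `undefined` for a route parameter, and mongo-sanitize returns its argument (strings unchanged, objects stripped in place and returned by reference), so the comparison is always equal and the `throw` is dead code, while the `findOne` below still receives the raw value. The simpler change consistent with the other hunks in this commit is to drop the `if`/`else` wrapper and write `let map_user = await User.findOne({slug: sanitize(req.params.slug)})`; if a guard is kept, it should at least use `!==` and test the type (`typeof req.params.slug !== 'string'`). Since `:slug?` is optional, `req.params.slug` may be `undefined`, which reaches `findOne({slug: undefined})` on the new side as before — worth confirming what mongoose does with that condition rather than relying on it, e.g. by calling `next()` early when the slug is absent. Removing the wrapper also restores the original indentation, which this hunk shifts for the whole `res.render` block.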
@ -6,6 +6,7 @@ const mw = require('../middleware.js')
|
||||||
const User = require('../models.js').user
|
const User = require('../models.js').user
|
||||||
const mail = require('../mail.js')
|
const mail = require('../mail.js')
|
||||||
const env = require('../env/env.js')
|
const env = require('../env/env.js')
|
||||||
|
const sanitize = require('mongo-sanitize')
|
||||||
const debug = require('debug')('tracman-routes-settings')
|
const debug = require('debug')('tracman-routes-settings')
|
||||||
const router = require('express').Router()
|
const router = require('express').Router()
|
||||||
|
|
||||||
|
|
|
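Review bot: `const sanitize = require('mongo-sanitize')` is added to the settings routes but no call site in that file appears in this commit, so as far as the diff shows it is an unused require. If the user lookups in settings (outside this diff) still pass raw `req.body`/`req.query` values to mongoose, they should be wrapped in the same `sanitize(...)` as the other routes; if they do not query with request input, the require should be dropped to keep the imports honest.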
@ -2,6 +2,7 @@
|
||||||
|
|
||||||
// Imports
|
// Imports
|
||||||
const debug = require('debug')('tracman-sockets')
|
const debug = require('debug')('tracman-sockets')
|
||||||
|
const sanitize = require('mongo-sanitize')
|
||||||
const User = require('./models.js').user
|
const User = require('./models.js').user
|
||||||
|
|
||||||
// Check for tracking clients
|
// Check for tracking clients
|
||||||
|
@ -82,7 +83,7 @@ module.exports = {
|
||||||
} else {
|
} else {
|
||||||
try {
|
try {
|
||||||
// Get loc.usr
|
// Get loc.usr
|
||||||
let user = await User.findById(loc.usr)
|
let user = await User.findById(sanitize(loc.usr))
|
||||||
.where('sk32').equals(loc.tok)
|
.where('sk32').equals(loc.tok)
|
||||||
|
|
||||||
if (!user) {
|
if (!user) {
|
||||||
|
|
|
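Review bot: Only `loc.usr` is sanitized here while `loc.tok`, which comes from the same socket payload, is passed straight into `.where('sk32').equals(loc.tok)`; a non-string value there is handed to mongoose as the query condition, so the token comparison is not protected by this change. The minimal fix is `.where('sk32').equals(sanitize(loc.tok))`, and a stricter one is to reject the message up front when either field is not a string: `if (typeof loc.usr !== 'string' || typeof loc.tok !== 'string') { ... }`. Note that `findById` on a malformed id will reject with a CastError, which presumably lands in the surrounding `catch` (outside this hunk) — worth confirming it is handled as a client error rather than a server fault.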
@ -4499,6 +4499,11 @@
|
||||||
"resolved": "https://registry.npmjs.org/moment/-/moment-2.20.1.tgz",
|
"resolved": "https://registry.npmjs.org/moment/-/moment-2.20.1.tgz",
|
||||||
"integrity": "sha512-Yh9y73JRljxW5QxN08Fner68eFLxM5ynNOAw2LbIB1YAGeQzZT8QFSUvkAz609Zf+IHhhaUxqZK8dG3W/+HEvg=="
|
"integrity": "sha512-Yh9y73JRljxW5QxN08Fner68eFLxM5ynNOAw2LbIB1YAGeQzZT8QFSUvkAz609Zf+IHhhaUxqZK8dG3W/+HEvg=="
|
||||||
},
|
},
|
||||||
|
"mongo-sanitize": {
|
||||||
|
"version": "1.0.0",
|
||||||
|
"resolved": "https://registry.npmjs.org/mongo-sanitize/-/mongo-sanitize-1.0.0.tgz",
|
||||||
|
"integrity": "sha1-FeMRMEivvz50RkxOgVaCG4/6wdw="
|
||||||
|
},
|
||||||
"mongodb": {
|
"mongodb": {
|
||||||
"version": "2.2.33",
|
"version": "2.2.33",
|
||||||
"resolved": "https://registry.npmjs.org/mongodb/-/mongodb-2.2.33.tgz",
|
"resolved": "https://registry.npmjs.org/mongodb/-/mongodb-2.2.33.tgz",
|
||||||
|
|
|
@ -19,6 +19,7 @@
|
||||||
"load-google-maps-api": "^1.0.0",
|
"load-google-maps-api": "^1.0.0",
|
||||||
"minifier": "^0.8.1",
|
"minifier": "^0.8.1",
|
||||||
"moment": "^2.18.1",
|
"moment": "^2.18.1",
|
||||||
|
"mongo-sanitize": "^1.0.0",
|
||||||
"mongoose": "^4.11.13",
|
"mongoose": "^4.11.13",
|
||||||
"mongoose-unique-validator": "^1.0.6",
|
"mongoose-unique-validator": "^1.0.6",
|
||||||
"nodemailer": "^4.1.1",
|
"nodemailer": "^4.1.1",
|
||||||
|
|