#121 Added mongo injection protection

master
Keith Irwin 2018-03-04 20:39:45 +00:00
parent 50061c370c
commit 04e2b9e437
No known key found for this signature in database
GPG Key ID: 378933C743E2BBC0
9 changed files with 42 additions and 26 deletions


@ -7,6 +7,7 @@ const TwitterStrategy = require('passport-twitter').Strategy
const GoogleTokenStrategy = require('passport-google-id-token') const GoogleTokenStrategy = require('passport-google-id-token')
const FacebookTokenStrategy = require('passport-facebook-token') const FacebookTokenStrategy = require('passport-facebook-token')
const TwitterTokenStrategy = require('passport-twitter-token') const TwitterTokenStrategy = require('passport-twitter-token')
const sanitize = require('mongo-sanitize')
const debug = require('debug')('tracman-passport') const debug = require('debug')('tracman-passport')
const env = require('./env/env.js') const env = require('./env/env.js')
const mw = require('./middleware.js') const mw = require('./middleware.js')
@ -33,7 +34,7 @@ module.exports = (passport) => {
}, async (req, email, password, done) => { }, async (req, email, password, done) => {
debug(`Perfoming local login for ${email}`) debug(`Perfoming local login for ${email}`)
try { try {
let user = await User.findOne({'email': email}) let user = await User.findOne({'email': sanitize(email)})
// No user with that email // No user with that email
if (!user) { if (!user) {
@ -143,11 +144,11 @@ module.exports = (passport) => {
// Check for unique profileId // Check for unique profileId
debug(`Checking for unique account with query ${query}...`) debug(`Checking for unique account with query ${query}...`)
try { try {
let user = await User.findOne(query) let existing_user = await User.findOne(query)
// Social account already in use // Social account already in use
if (existingUser) { if (existing_user) {
debug(`${service} account already in use with user ${existingUser.id}`) debug(`${service} account already in use with user ${existing_user.id}`)
req.session.flashType = 'warning' req.session.flashType = 'warning'
req.session.flashMessage = `Another user is already connected to that ${service} account. ` req.session.flashMessage = `Another user is already connected to that ${service} account. `
return done() return done()
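Review bot: `User.findOne(query)` in the second hunk still runs the social-account lookup with an unsanitized `query`, while the first hunk wraps the email lookup in `sanitize()`; `query` is built outside this hunk, and if any part of it is taken from the request rather than from the provider-verified profile it needs the same `sanitize(query)` wrapper (mongo-sanitize recurses into nested objects, so wrapping the whole object is enough). The rename to `existing_user` does fix what was previously an undefined `existingUser` reference in the `if`, but it introduces snake_case where the rest of the codebase (for example the `existingUser` in the auth routes of this same commit) uses camelCase; `existingUser` would keep the naming consistent. The enclosing `module.exports = (passport) => {` function starts and ends outside the hunk.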


@ -1,6 +1,7 @@
'use strict' 'use strict'
const mw = require('../middleware.js') const mw = require('../middleware.js')
const sanitize = require('mongo-sanitize')
const User = require('../models.js').user const User = require('../models.js').user
const mail = require('../mail.js') const mail = require('../mail.js')
const env = require('../env/env.js') const env = require('../env/env.js')
@ -100,7 +101,7 @@ router.route('/password/:token')
debug('/account/password/:token .all() called') debug('/account/password/:token .all() called')
try { try {
let user = await User let user = await User
.findOne({'auth.passToken': req.params.token}) .findOne({'auth.passToken': sanitize(req.params.token)})
.where('auth.passTokenExpires').gt(Date.now()) .where('auth.passTokenExpires').gt(Date.now())
if (!user) { if (!user) {
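Review bot: `sanitize(req.params.token)` on the `.findOne` line adds no protection in practice, because Express path parameters are always strings and mongo-sanitize only strips `$`-prefixed keys from objects, returning strings unchanged. The check that actually constrains what reaches the query is a positive format test on the token before the lookup, for example `if (typeof req.params.token !== 'string' || !/^[A-Za-z0-9]+$/.test(req.params.token)) return next()` with the character class adjusted to whatever alphabet `createPassToken` emits (constructed sample). Keeping the `sanitize()` call is harmless, but a one-line comment such as `// Path params are strings; sanitize() is defence in depth only` would stop a later reader from assuming it validates the token. The surrounding route handler starts and ends outside the hunk.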


@ -6,6 +6,7 @@ const User = require('../models.js').user
const crypto = require('crypto') const crypto = require('crypto')
const moment = require('moment') const moment = require('moment')
const slugify = require('slug') const slugify = require('slug')
const sanitize = require('mongo-sanitize')
const debug = require('debug')('tracman-routes-auth') const debug = require('debug')('tracman-routes-auth')
const env = require('../env/env.js') const env = require('../env/env.js')
@ -145,7 +146,7 @@ module.exports = (app, passport) => {
// Check if somebody already has that email // Check if somebody already has that email
try { try {
debug(`Searching for user with email ${req.body.email}...`) debug(`Searching for user with email ${req.body.email}...`)
let user = await User.findOne({'email': req.body.email}) let user = await User.findOne({'email': sanitize(req.body.email)})
// User already exists // User already exists
if (user && user.auth.password) { if (user && user.auth.password) {
@ -182,7 +183,7 @@ module.exports = (app, passport) => {
(async function checkSlug (s, cb) { (async function checkSlug (s, cb) {
try { try {
debug(`Checking to see if slug ${s} is taken...`) debug(`Checking to see if slug ${s} is taken...`)
let existingUser = await User.findOne({slug: s}) let existingUser = await User.findOne({slug: sanitize(s)})
// Slug in use: generate a random one and retry // Slug in use: generate a random one and retry
if (existingUser) { if (existingUser) {
@ -283,7 +284,7 @@ module.exports = (app, passport) => {
// Check if somebody has that email // Check if somebody has that email
try { try {
let user = await User.findOne({'email': req.body.email}) let user = await User.findOne({'email': sanitize(req.body.email)})
// No user with that email // No user with that email
if (!user) { if (!user) {
@ -298,7 +299,7 @@ module.exports = (app, passport) => {
// User with that email does exist // User with that email does exist
} else { } else {
debug(`User ${user.id} found with that email. Creating reset token...`) debug(`User ${user.id} found with that email. Creating reset token...`)
// Create reset token // Create reset token
try { try {
let [token, expires] = await user.createPassToken() let [token, expires] = await user.createPassToken()
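Review bot: `sanitize(req.body.email)` on the `findOne` line of the first hunk (and the same call in the third hunk) removes `$`-prefixed keys but still lets a non-string body value through as a nested object, and unlike a path parameter a body field can arrive as an object from JSON or extended urlencoded parsing. A type guard in front of the query is the stronger check for both places: `if (typeof req.body.email !== 'string') throw new Error('Invalid email')` inside the existing `try` would route through the same `mw.throwErr` handling the file already uses. The `debug` line just above the first query also logs the raw, unsanitized value, which is fine for tracing but worth noting since it runs before the guard. The fourth hunk (`// User with that email does exist`) shows no visible textual change in this rendering, so it is presumably a whitespace-only edit. The enclosing `module.exports = (app, passport) => {` function starts and ends outside these hunks.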


@ -3,6 +3,7 @@
const router = require('express').Router() const router = require('express').Router()
const mw = require('../middleware.js') const mw = require('../middleware.js')
const env = require('../env/env.js') const env = require('../env/env.js')
const sanitize = require('mongo-sanitize')
const User = require('../models.js').user const User = require('../models.js').user
// Redirect to real slug // Redirect to real slug
@ -47,21 +48,25 @@ router.get('/demo', (req, res, next) => {
// Show map // Show map
router.get('/:slug?', async (req, res, next) => { router.get('/:slug?', async (req, res, next) => {
try { try {
let map_user = await User.findOne({slug: req.params.slug}) if (req.params.slug != sanitize(req.params.slug)) {
if (!map_user) next() // 404 throw new Error(`Possible injection attempt with slug: ${req.params.slug}`)
else { } else {
var active = '' // For header nav let map_user = await User.findOne({slug: req.params.slug})
if (req.user && req.user.id === map_user.id) active = 'map' if (!map_user) next() // 404
res.render('map', { else {
active: active, var active = '' // For header nav
mapuser: map_user, if (req.user && req.user.id === map_user.id) active = 'map'
mapApi: env.googleMapsAPI, res.render('map', {
user: req.user, active: active,
noFooter: '1', mapuser: map_user,
noHeader: (req.query.noheader) ? req.query.noheader.match(/\d/)[0] : 0, mapApi: env.googleMapsAPI,
disp: (req.query.disp) ? req.query.disp.match(/\d/)[0] : 2, // 0=map, 1=streetview, 2=both user: req.user,
newuserurl: (req.query.new) ? env.url + '/map/' + req.params.slug : '' noFooter: '1',
}) noHeader: (req.query.noheader) ? req.query.noheader.match(/\d/)[0] : 0,
disp: (req.query.disp) ? req.query.disp.match(/\d/)[0] : 2, // 0=map, 1=streetview, 2=both
newuserurl: (req.query.new) ? env.url + '/map/' + req.params.slug : ''
})
}
} }
} catch (err) { mw.throwErr(err, req) } } catch (err) { mw.throwErr(err, req) }
}) })
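Review bot: The new guard `if (req.params.slug != sanitize(req.params.slug))` at the top of the map route cannot fire: mongo-sanitize returns strings unchanged and an Express path param is always a string (or `undefined` for the optional `:slug?`, which also compares equal to itself), so both sides are always equal and the `User.findOne({slug: req.params.slug})` on the next line runs exactly as before, now as the only query in this commit without `sanitize()` around its value. The consistent fix is to drop the comparison and write `let map_user = await User.findOne({slug: sanitize(req.params.slug)})` as the auth routes do, or, if a reject-on-mismatch check is wanted, to test the type directly with `if (req.params.slug !== undefined && typeof req.params.slug !== 'string')`. If a comparison is kept it should use `!==` rather than loose `!=`.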


@ -6,6 +6,7 @@ const mw = require('../middleware.js')
const User = require('../models.js').user const User = require('../models.js').user
const mail = require('../mail.js') const mail = require('../mail.js')
const env = require('../env/env.js') const env = require('../env/env.js')
const sanitize = require('mongo-sanitize')
const debug = require('debug')('tracman-routes-settings') const debug = require('debug')('tracman-routes-settings')
const router = require('express').Router() const router = require('express').Router()
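Review bot: `sanitize` is required at the top of the settings routes, but nothing in this section's only hunk uses it, and no other hunk from this file appears in the commit; if the settings handlers' `findOne`/`findById` calls were not updated elsewhere, this is a dead import and those queries still take request values unwrapped. Either apply the wrapper at the call sites this file owns or drop the require. The rest of the module lies outside the hunk, so this is inferred from the visible diff only.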


@ -2,6 +2,7 @@
// Imports // Imports
const debug = require('debug')('tracman-sockets') const debug = require('debug')('tracman-sockets')
const sanitize = require('mongo-sanitize')
const User = require('./models.js').user const User = require('./models.js').user
// Check for tracking clients // Check for tracking clients
@ -82,7 +83,7 @@ module.exports = {
} else { } else {
try { try {
// Get loc.usr // Get loc.usr
let user = await User.findById(loc.usr) let user = await User.findById(sanitize(loc.usr))
.where('sk32').equals(loc.tok) .where('sk32').equals(loc.tok)
if (!user) { if (!user) {
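Review bot: Only `loc.usr` is wrapped on the `findById` line; `loc.tok` on the very next line, `.where('sk32').equals(loc.tok)`, comes from the same socket payload and reaches the query untouched, and since `.equals()` accepts whatever value it is given the comparison that gates the tracking client is still exposed to a non-string payload. `findById` casts its argument to an ObjectId and would reject a non-string anyway, so the token line is the one that needed the change: `.where('sk32').equals(sanitize(loc.tok))`, or better a guard `if (typeof loc.tok !== 'string') return` before the `try`, since a socket message is not subject to body-parser at all. The enclosing handler in `module.exports = {` starts and ends outside the hunk.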

5
package-lock.json generated

@ -4499,6 +4499,11 @@
"resolved": "https://registry.npmjs.org/moment/-/moment-2.20.1.tgz", "resolved": "https://registry.npmjs.org/moment/-/moment-2.20.1.tgz",
"integrity": "sha512-Yh9y73JRljxW5QxN08Fner68eFLxM5ynNOAw2LbIB1YAGeQzZT8QFSUvkAz609Zf+IHhhaUxqZK8dG3W/+HEvg==" "integrity": "sha512-Yh9y73JRljxW5QxN08Fner68eFLxM5ynNOAw2LbIB1YAGeQzZT8QFSUvkAz609Zf+IHhhaUxqZK8dG3W/+HEvg=="
}, },
"mongo-sanitize": {
"version": "1.0.0",
"resolved": "https://registry.npmjs.org/mongo-sanitize/-/mongo-sanitize-1.0.0.tgz",
"integrity": "sha1-FeMRMEivvz50RkxOgVaCG4/6wdw="
},
"mongodb": { "mongodb": {
"version": "2.2.33", "version": "2.2.33",
"resolved": "https://registry.npmjs.org/mongodb/-/mongodb-2.2.33.tgz", "resolved": "https://registry.npmjs.org/mongodb/-/mongodb-2.2.33.tgz",


@ -19,6 +19,7 @@
"load-google-maps-api": "^1.0.0", "load-google-maps-api": "^1.0.0",
"minifier": "^0.8.1", "minifier": "^0.8.1",
"moment": "^2.18.1", "moment": "^2.18.1",
"mongo-sanitize": "^1.0.0",
"mongoose": "^4.11.13", "mongoose": "^4.11.13",
"mongoose-unique-validator": "^1.0.6", "mongoose-unique-validator": "^1.0.6",
"nodemailer": "^4.1.1", "nodemailer": "^4.1.1",


@ -169,7 +169,7 @@ let ready_promise_list = []
} }
} }
// CSRF Protection // CSRF Protection (keep after routes)
app.use(csurf({ app.use(csurf({
cookie: true, cookie: true,
})) }))
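Review bot: The reworded comment `// CSRF Protection (keep after routes)` records an ordering that, in Express, means the `csurf` middleware registered here runs only for requests that fall through every route mounted above it; if the routes registered earlier in this file include the form-handling ones, they are not covered by this token check. If that ordering is intentional because those routes are protected another way, the comment should say so, e.g. `// CSRF Protection for routes mounted below; earlier routes handle CSRF themselves`; if it is not, the `app.use(csurf(...))` belongs before the routers. The routes referred to are outside the hunk, so this is inferred from the comment alone.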