normalize user input.

AnalogJ · Aug 5, 2017 · 4343270 · 4343270
1 parent 2ff95dc
commit 4343270
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 8 deletions.
diff --git a/src/bundle.js b/src/bundle.js
@@ -4,6 +4,7 @@ var nconf = require('./common/nconf')
 var AWS = require('aws-sdk');
 var s3 = new AWS.S3({apiVersion: '2006-03-01'});
 var constants = require('./common/constants');
+var utils = require('./common/utils');
 var crypto = require('crypto');
 
 //this function generates a signed url for the upload bucket, which can be used by curl (calibre, web) to upload git bundle files to s3
@@ -19,14 +20,19 @@ module.exports.handler = (event, context, callback) => {
 
     var id = crypto.randomBytes(20).toString('hex');
 
+    var scm = utils.normalizeInput(event.pathParameters.scm);
+    var org = utils.normalizeInput(event.pathParameters.org);
+    var repo = utils.normalizeInput(event.pathParameters.repo);
+    var branch = utils.normalizeInput(event.pathParameters.branch)
+
     const response = {
         statusCode: 307,
         headers: {
             "Location": s3.getSignedUrl('putObject', {
                 Bucket: constants.buckets.upload,
-                Key: `${event.pathParameters.scm}/${event.pathParameters.org}/${event.pathParameters.repo}/${event.pathParameters.branch}/${id}.git.bundle`,
-                Expires: 60
-            }) // "https://requestb.in/yzm8fbyz"
+                Key: `${scm}/${org}/${repo}/${branch}/${id}.git.bundle`,
+                Expires: 60 //seconds
+            })
         },
         body: ""
     };

diff --git a/src/common/utils.js b/src/common/utils.js
@@ -0,0 +1,3 @@
+module.exports.normalizeInput = function (str){
+    return str.replace(/[^a-z0-9\-]+/gi, '');
+}
diff --git a/src/process.js b/src/process.js
@@ -4,6 +4,7 @@ var nconf = require('./common/nconf')
 var q = require("q");  // npm install q
 var fs = require('fs');
 var crypto = require('crypto');
+var utils = require('/common/utils');
 
 var AWS = require('aws-sdk');
 var s3 = new AWS.S3({apiVersion: '2006-03-01'});
@@ -39,11 +40,11 @@ module.exports.handler = (event, context, callback) => {
     var upload_bucket = event.Records[0].s3.bucket.name;
     var upload_key_parts = upload_key.split('/');
     //ignore the userhash.h
-    var scm = upload_key_parts[0];
-    var org = upload_key_parts[1];
-    var repo = upload_key_parts[2];
-    var branch = upload_key_parts[3];
-    var bundle_id = upload_key_parts[4];
+    var scm = utils.normalizeInput(upload_key_parts[0]);
+    var org = utils.normalizeInput(upload_key_parts[1]);
+    var repo = utils.normalizeInput(upload_key_parts[2])
+    var branch = utils.normalizeInput(upload_key_parts[3])
+    var bundle_id = upload_key_parts[4]; //we control this part (and includes a '.' so dont normalize)
 
     var bundlePath = `/tmp/${bundle_id}`;
     var bundleLocalBranchName = `gitmask-bundle`; //this is the name of the branch containing all the commits before squashing.