chore: Merge branch 'dev'

mydearxym · mydearxym · commit a7e2392760c1 · 2019-06-20T17:55:35.000+08:00
diff --git a/lib/groupher_server/cms/job.ex b/lib/groupher_server/cms/job.ex
@@ -16,6 +16,8 @@ defmodule GroupherServer.CMS.Job do
     Tag
   }
 
+  alias Helper.HTML
+
   @timestamps_opts [type: :utc_datetime_usec]
   @required_fields ~w(title company company_logo body digest length)a
   @optional_fields ~w(origial_community_id desc company_link link_addr copy_right salary exp education field finance scale)a
@@ -96,11 +98,6 @@ defmodule GroupherServer.CMS.Job do
     content
     |> validate_length(:title, min: 3, max: 50)
     |> validate_length(:body, min: 3, max: 10_000)
-  end
-
-  @doc false
-  def update_changeset(%Job{} = job, attrs) do
-    job
-    |> cast(attrs, @optional_fields ++ @required_fields)
+    |> HTML.safe_string(:body)
   end
 end
diff --git a/lib/groupher_server/cms/job_comment.ex b/lib/groupher_server/cms/job_comment.ex
@@ -7,6 +7,7 @@ defmodule GroupherServer.CMS.JobComment do
   alias GroupherServer.Accounts
 
   alias GroupherServer.CMS.{Job, JobCommentReply, JobCommentLike, JobCommentDislike}
+  alias Helper.HTML
 
   @required_fields ~w(body author_id job_id floor)a
   @optional_fields ~w(reply_id)a
@@ -46,13 +47,6 @@ defmodule GroupherServer.CMS.JobComment do
     |> foreign_key_constraint(:job_id)
     |> foreign_key_constraint(:author_id)
     |> validate_length(:body, min: 3, max: 2000)
-  end
-
-  @doc false
-  def update_changeset(%JobComment{} = job_comment, attrs) do
-    job_comment
-    |> cast(attrs, @required_fields ++ @optional_fields)
-    |> foreign_key_constraint(:job_id)
-    |> foreign_key_constraint(:author_id)
+    |> HTML.safe_string(:body)
   end
 end
diff --git a/lib/groupher_server/cms/post.ex b/lib/groupher_server/cms/post.ex
@@ -17,6 +17,8 @@ defmodule GroupherServer.CMS.Post do
     Topic
   }
 
+  alias Helper.HTML
+
   @timestamps_opts [type: :utc_datetime_usec]
   @required_fields ~w(title body digest length)a
   @optional_fields ~w(origial_community_id link_addr copy_right link_addr link_icon)a
@@ -104,15 +106,7 @@ defmodule GroupherServer.CMS.Post do
     |> validate_length(:title, min: 3, max: 50)
     |> validate_length(:body, min: 3, max: 10_000)
     |> validate_length(:link_addr, min: 5, max: 400)
-
-    # |> foreign_key_constraint(:posts_tags, name: :posts_tags_tag_id_fkey)
-    # |> foreign_key_constraint(name: :posts_tags_tag_id_fkey)
-  end
-
-  @doc false
-  def update_changeset(%Post{} = post, attrs) do
-    post
-    |> cast(attrs, @optional_fields ++ @required_fields)
+    |> HTML.safe_string(:body)
 
     # |> foreign_key_constraint(:posts_tags, name: :posts_tags_tag_id_fkey)
     # |> foreign_key_constraint(name: :posts_tags_tag_id_fkey)
diff --git a/lib/groupher_server/cms/post_comment.ex b/lib/groupher_server/cms/post_comment.ex
@@ -13,6 +13,8 @@ defmodule GroupherServer.CMS.PostComment do
     PostCommentReply
   }
 
+  alias Helper.HTML
+
   @required_fields ~w(body author_id post_id floor)a
   @optional_fields ~w(reply_id)a
 
@@ -51,13 +53,14 @@ defmodule GroupherServer.CMS.PostComment do
     |> foreign_key_constraint(:post_id)
     |> foreign_key_constraint(:author_id)
     |> validate_length(:body, min: 3, max: 2000)
+    |> HTML.safe_string(:body)
   end
 
-  @doc false
-  def update_changeset(%PostComment{} = post_comment, attrs) do
-    post_comment
-    |> cast(attrs, @required_fields ++ @optional_fields)
-    |> foreign_key_constraint(:post_id)
-    |> foreign_key_constraint(:author_id)
-  end
+  # @doc false
+  # def update_changeset(%PostComment{} = post_comment, attrs) do
+  # post_comment
+  # |> cast(attrs, @required_fields ++ @optional_fields)
+  # |> foreign_key_constraint(:post_id)
+  # |> foreign_key_constraint(:author_id)
+  # end
 end
diff --git a/lib/groupher_server/cms/repo.ex b/lib/groupher_server/cms/repo.ex
@@ -17,6 +17,8 @@ defmodule GroupherServer.CMS.Repo do
     Tag
   }
 
+  alias Helper.HTML
+
   @timestamps_opts [type: :utc_datetime_usec]
   @required_fields ~w(title owner_name owner_url repo_url desc readme star_count issues_count prs_count fork_count watch_count)a
   @optional_fields ~w(origial_community_id last_sync homepage_url release_tag license)a
@@ -100,13 +102,6 @@ defmodule GroupherServer.CMS.Repo do
     |> validate_length(:title, min: 1, max: 80)
     |> cast_embed(:contributors, with: &RepoContributor.changeset/2)
     |> cast_embed(:primary_language, with: &RepoLang.changeset/2)
-  end
-
-  @doc false
-  def update_changeset(%Repo{} = repo, attrs) do
-    repo
-    |> cast(attrs, @optional_fields ++ @required_fields)
-    |> cast_embed(:contributors, with: &RepoContributor.changeset/2)
-    |> cast_embed(:primary_language, with: &RepoLang.changeset/2)
+    |> HTML.safe_string(:readme)
   end
 end
diff --git a/lib/groupher_server/cms/repo_comment.ex b/lib/groupher_server/cms/repo_comment.ex
@@ -13,6 +13,8 @@ defmodule GroupherServer.CMS.RepoComment do
     RepoCommentReply
   }
 
+  alias Helper.HTML
+
   @required_fields ~w(body author_id repo_id floor)a
   @optional_fields ~w(reply_id)a
 
@@ -51,14 +53,6 @@ defmodule GroupherServer.CMS.RepoComment do
     |> foreign_key_constraint(:repo_id)
     |> foreign_key_constraint(:author_id)
     |> validate_length(:body, min: 3, max: 2000)
-  end
-
-  @doc false
-  def update_changeset(%RepoComment{} = repo_comment, attrs) do
-    repo_comment
-    |> cast(attrs, @required_fields ++ @optional_fields)
-    |> validate_length(:body, min: 1)
-    |> foreign_key_constraint(:repo_id)
-    |> foreign_key_constraint(:author_id)
+    |> HTML.safe_string(:body)
   end
 end
diff --git a/lib/groupher_server/cms/video.ex b/lib/groupher_server/cms/video.ex
@@ -93,10 +93,4 @@ defmodule GroupherServer.CMS.Video do
     |> validate_length(:original_author_link, min: 5, max: 200)
     |> validate_length(:link, min: 5, max: 200)
   end
-
-  def update_changeset(%Video{} = video, attrs) do
-    video
-    |> cast(attrs, @optional_fields)
-    |> validate_length(:original_author, min: 3, max: 30)
-  end
 end
diff --git a/lib/groupher_server/cms/video_comment.ex b/lib/groupher_server/cms/video_comment.ex
@@ -13,6 +13,8 @@ defmodule GroupherServer.CMS.VideoComment do
     VideoCommentReply
   }
 
+  alias Helper.HTML
+
   @required_fields ~w(body author_id video_id floor)a
   @optional_fields ~w(reply_id)a
 
@@ -51,14 +53,6 @@ defmodule GroupherServer.CMS.VideoComment do
     |> foreign_key_constraint(:video_id)
     |> foreign_key_constraint(:author_id)
     |> validate_length(:body, min: 3, max: 2000)
-  end
-
-  @doc false
-  def update_changeset(%VideoComment{} = video_comment, attrs) do
-    video_comment
-    |> cast(attrs, @required_fields ++ @optional_fields)
-    |> validate_length(:body, min: 1)
-    |> foreign_key_constraint(:video_id)
-    |> foreign_key_constraint(:author_id)
+    |> HTML.safe_string(:body)
   end
 end
diff --git a/lib/helper/html.ex b/lib/helper/html.ex
@@ -0,0 +1,34 @@
+defmodule Helper.HTML do
+  @moduledoc """
+  escape unsafe inputs, especially for the markdown contents
+  """
+
+  import Ecto.Changeset
+  alias Phoenix.HTML
+
+  def safe_string(%Ecto.Changeset{valid?: true, changes: changes} = changeset, field) do
+    case Map.has_key?(changes, field) do
+      true ->
+        changeset
+        |> put_change(field, escape_to_safe_string(changes[field]))
+
+      _ ->
+        changeset
+    end
+  end
+
+  def safe_string(%Ecto.Changeset{} = changeset, _field), do: changeset
+
+  # def safe_string(%Ecto.Changeset{} = changeset, field) do
+  # case changeset do
+  # %Ecto.Changeset{valid?: true, changes: changes} ->
+  # changeset
+  # |> put_change(field, escape_to_safe_string(changes[field]))
+
+  # _ ->
+  # changeset
+  # end
+  # end
+
+  defp escape_to_safe_string(v), do: v |> HTML.html_escape() |> HTML.safe_to_string()
+end
diff --git a/mix.exs b/mix.exs
@@ -53,6 +53,7 @@ defmodule GroupherServer.Mixfile do
     [
       {:phoenix, "~> 1.4.1"},
       {:phoenix_pubsub, "~> 1.1.1"},
+      {:phoenix_html, "~> 2.13.3"},
       {:ecto_sql, "~> 3.1.2"},
       {:phoenix_ecto, "~> 4.0"},
       {:postgrex, ">= 0.14.1"},
diff --git a/mix.lock b/mix.lock
@@ -43,6 +43,7 @@
   "parse_trans": {:hex, :parse_trans, "3.3.0", "09765507a3c7590a784615cfd421d101aec25098d50b89d7aa1d66646bc571c1", [:rebar3], [], "hexpm"},
   "phoenix": {:hex, :phoenix, "1.4.8", "c72dc3adeb49c70eb963a0ea24f7a064ec1588e651e84e1b7ad5ed8253c0b4a2", [:mix], [{:jason, "~> 1.0", [hex: :jason, repo: "hexpm", optional: true]}, {:phoenix_pubsub, "~> 1.1", [hex: :phoenix_pubsub, repo: "hexpm", optional: false]}, {:plug, "~> 1.8.1 or ~> 1.9", [hex: :plug, repo: "hexpm", optional: false]}, {:plug_cowboy, "~> 1.0 or ~> 2.0", [hex: :plug_cowboy, repo: "hexpm", optional: true]}, {:telemetry, "~> 0.4", [hex: :telemetry, repo: "hexpm", optional: false]}], "hexpm"},
   "phoenix_ecto": {:hex, :phoenix_ecto, "4.0.0", "c43117a136e7399ea04ecaac73f8f23ee0ffe3e07acfcb8062fe5f4c9f0f6531", [:mix], [{:ecto, "~> 3.0", [hex: :ecto, repo: "hexpm", optional: false]}, {:phoenix_html, "~> 2.9", [hex: :phoenix_html, repo: "hexpm", optional: true]}, {:plug, "~> 1.0", [hex: :plug, repo: "hexpm", optional: false]}], "hexpm"},
+  "phoenix_html": {:hex, :phoenix_html, "2.13.3", "850e292ff6e204257f5f9c4c54a8cb1f6fbc16ed53d360c2b780a3d0ba333867", [:mix], [{:plug, "~> 1.5", [hex: :plug, repo: "hexpm", optional: false]}], "hexpm"},
   "phoenix_pubsub": {:hex, :phoenix_pubsub, "1.1.2", "496c303bdf1b2e98a9d26e89af5bba3ab487ba3a3735f74bf1f4064d2a845a3e", [:mix], [], "hexpm"},
   "plug": {:hex, :plug, "1.8.2", "0bcce1daa420f189a6491f3940cc77ea7fb1919761175c9c3b59800d897440fc", [:mix], [{:mime, "~> 1.0", [hex: :mime, repo: "hexpm", optional: false]}, {:plug_crypto, "~> 1.0", [hex: :plug_crypto, repo: "hexpm", optional: false]}, {:telemetry, "~> 0.4", [hex: :telemetry, repo: "hexpm", optional: true]}], "hexpm"},
   "plug_canonical_host": {:hex, :plug_canonical_host, "0.3.1", "0c279b7631ccb6ddb53bf58bdfa015ca69109f52a1fd4cc30909f92313d969e0", [:mix], [{:plug, " ~> 1.0", [hex: :plug, repo: "hexpm", optional: false]}], "hexpm"},
diff --git a/test/groupher_server_web/mutation/cms/job_test.exs b/test/groupher_server_web/mutation/cms/job_test.exs
@@ -92,6 +92,21 @@ defmodule GroupherServer.Test.Mutation.Job do
       assert created["id"] == to_string(found.id)
     end
 
+    @tag :wip
+    test "create job should excape xss attracts" do
+      {:ok, user} = db_insert(:user)
+      user_conn = simu_conn(:user, user)
+
+      {:ok, community} = db_insert(:community)
+      job_attr = mock_attrs(:job, %{body: assert_v(:xss_string)})
+
+      variables = job_attr |> Map.merge(%{communityId: community.id}) |> camelize_map_key
+      created = user_conn |> mutation_result(@create_job_query, variables, "createJob")
+      {:ok, job} = ORM.find(CMS.Job, created["id"])
+
+      assert job.body == assert_v(:xss_safe_string)
+    end
+
     test "can create job with tags" do
       {:ok, user} = db_insert(:user)
       user_conn = simu_conn(:user, user)
diff --git a/test/groupher_server_web/mutation/cms/post_comment_test.exs b/test/groupher_server_web/mutation/cms/post_comment_test.exs
@@ -48,6 +48,23 @@ defmodule GroupherServer.Test.Mutation.PostComment do
       assert created["id"] == to_string(found.id)
     end
 
+    @tag :wip
+    test "xss comment should be escaped", ~m(user_conn community post)a do
+      variables = %{
+        community: community.raw,
+        thread: "POST",
+        id: post.id,
+        body: assert_v(:xss_string)
+      }
+
+      created = user_conn |> mutation_result(@create_comment_query, variables, "createComment")
+
+      {:ok, found} = ORM.find(CMS.PostComment, created["id"])
+
+      assert created["id"] == to_string(found.id)
+      assert created["body"] == assert_v(:xss_safe_string)
+    end
+
     test "guest user create comment fails", ~m(guest_conn post community)a do
       variables = %{community: community.raw, thread: "POST", id: post.id, body: "this a comment"}
 
diff --git a/test/groupher_server_web/mutation/cms/post_test.exs b/test/groupher_server_web/mutation/cms/post_test.exs
@@ -63,6 +63,21 @@ defmodule GroupherServer.Test.Mutation.Post do
       assert {:ok, _} = ORM.find_by(CMS.Author, user_id: user.id)
     end
 
+    @tag :wip
+    test "create post should excape xss attracts" do
+      {:ok, user} = db_insert(:user)
+      user_conn = simu_conn(:user, user)
+
+      {:ok, community} = db_insert(:community)
+      post_attr = mock_attrs(:post, %{body: assert_v(:xss_string)})
+
+      variables = post_attr |> Map.merge(%{communityId: community.id})
+      created = user_conn |> mutation_result(@create_post_query, variables, "createPost")
+      {:ok, post} = ORM.find(CMS.Post, created["id"])
+
+      assert post.body == assert_v(:xss_safe_string)
+    end
+
     # NOTE: this test is IMPORTANT, cause json_codec: Jason in router will cause
     # server crash when GraphQL parse error
     test "create post with missing non_null field should get 200 error" do
diff --git a/test/groupher_server_web/mutation/cms/repo_test.exs b/test/groupher_server_web/mutation/cms/repo_test.exs
@@ -154,6 +154,21 @@ defmodule GroupherServer.Test.Mutation.Repo do
       assert updated["readme"] == "new readme"
     end
 
+    @tag :wip
+    test "create repo should excape xss attracts" do
+      {:ok, user} = db_insert(:user)
+      user_conn = simu_conn(:user, user)
+
+      {:ok, community} = db_insert(:community)
+      repo_attr = mock_attrs(:repo, %{readme: assert_v(:xss_string)})
+
+      variables = repo_attr |> Map.merge(%{communityId: community.id}) |> camelize_map_key
+      created = user_conn |> mutation_result(@create_repo_query, variables, "createRepo")
+      {:ok, repo} = ORM.find(CMS.Repo, created["id"])
+
+      assert repo.readme == assert_v(:xss_safe_string)
+    end
+
     test "unauth user update git-repo fails", ~m(user_conn guest_conn repo)a do
       unique_num = System.unique_integer([:positive, :monotonic])
 
diff --git a/test/groupher_server_web/query/accounts/account_test.exs b/test/groupher_server_web/query/accounts/account_test.exs
@@ -186,7 +186,7 @@ defmodule GroupherServer.Test.Query.Account.Basic do
     """
     test "guest user can get subscrubed communities list and count", ~m(guest_conn user)a do
       variables = %{login: user.login}
-      {:ok, communities} = db_insert_multi(:community, page_size())
+      {:ok, communities} = db_insert_multi(:community, assert_v(:page_size))
 
       Enum.each(
         communities,
@@ -205,12 +205,12 @@ defmodule GroupherServer.Test.Query.Account.Basic do
       assert subscribed_communities |> Enum.any?(&(&1["id"] == to_string(community_2.id)))
       assert subscribed_communities |> Enum.any?(&(&1["id"] == to_string(community_3.id)))
       assert subscribed_communities |> Enum.any?(&(&1["id"] == to_string(community_x.id)))
-      assert subscribed_communities_count == page_size()
+      assert subscribed_communities_count == assert_v(:page_size)
     end
 
     test "guest user can get subscrubed community list by index", ~m(guest_conn user)a do
       variables = %{login: user.login}
-      {:ok, communities} = db_insert_multi(:community, page_size())
+      {:ok, communities} = db_insert_multi(:community, assert_v(:page_size))
 
       Enum.each(
         communities,
@@ -247,7 +247,7 @@ defmodule GroupherServer.Test.Query.Account.Basic do
 
     test "guest user can get subscrubed communities count of 20 at most", ~m(guest_conn user)a do
       variables = %{login: user.login}
-      {:ok, communities} = db_insert_multi(:community, page_size() + 1)
+      {:ok, communities} = db_insert_multi(:community, assert_v(:page_size) + 1)
 
       Enum.each(
         communities,
@@ -257,8 +257,8 @@ defmodule GroupherServer.Test.Query.Account.Basic do
       results = guest_conn |> query_result(@query, variables, "user")
       subscribed_communities = results["subscribedCommunities"]
 
-      assert subscribed_communities["totalCount"] == page_size() + 1
-      assert subscribed_communities["pageSize"] == page_size()
+      assert subscribed_communities["totalCount"] == assert_v(:page_size) + 1
+      assert subscribed_communities["pageSize"] == assert_v(:page_size)
     end
 
     @query """
diff --git a/test/groupher_server_web/query/cms/cms_test.exs b/test/groupher_server_web/query/cms/cms_test.exs
diff --git a/test/support/assert_helper.ex b/test/support/assert_helper.ex

Original file line number	Diff line number	Diff line change
`@@ -53,6 +53,7 @@ defmodule GroupherServer.Mixfile do`
`53`	`53`	`[`
`54`	`54`	`{:phoenix, "~> 1.4.1"},`
`55`	`55`	`{:phoenix_pubsub, "~> 1.1.1"},`
	`56`	`+ {:phoenix_html, "~> 2.13.3"},`
`56`	`57`	`{:ecto_sql, "~> 3.1.2"},`
`57`	`58`	`{:phoenix_ecto, "~> 4.0"},`
`58`	`59`	`{:postgrex, ">= 0.14.1"},`