fix(Edit Admin): Add validation for untrusted input in path [#62][#81]

danactive · Jan 1, 2017 · 675c401 · 675c401
1 parent 720c0f3
commit 675c401
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 13 deletions.
diff --git a/lib/validation.js b/lib/validation.js
@@ -0,0 +1,7 @@
+const joi = require('joi');
+
+module.exports = {
+  albumStem: joi.string().regex(/^[a-z0-9_-]{1,25}$/gi).required().example('country2017'),
+  gallery: joi.string().regex(/^[a-z0-9_-]{1,25}$/gi).required().example('vacations'),
+  raw: joi.boolean().truthy('true').falsy('false').default(false),
+};
diff --git a/plugins/album/lib/index.js b/plugins/album/lib/index.js
@@ -1,7 +1,6 @@
 /* global __dirname, require */
-const joi = require('joi');
-
 const json = require('./json');
+const validation = require('../../../lib/validation');
 
 const handler = (request, reply) => {
   const albumStem = request.query.album_stem;
@@ -13,12 +12,6 @@ const handler = (request, reply) => {
     .catch(error => reply(error));
 };
 
-const validation = {
-  albumStem: joi.string().required(),
-  gallery: joi.string().required().example('demo'),
-  raw: joi.boolean().truthy('true').falsy('false').default(false),
-};
-
 exports.register = (server, options, next) => {
   server.route({
     method: 'GET',

diff --git a/plugins/album/lib/json.js b/plugins/album/lib/json.js
@@ -6,6 +6,7 @@ const path = require('path');
 const xml2js = require('xml2js');
 
 const utils = require('../../utils/lib');
+const validation = require('../../../lib/validation');
 
 function title(item) {
   const presentable = (...values) => values.every(value => value !== undefined && value !== '');
@@ -98,15 +99,18 @@ function safeAlbumPath(gallery, albumStem) {
   const restriction = name => `Valid ${name} contains Alpha-Numeric characters, is at least 1 character long but less than 25,
     and may contain any special characters including dash (-) or underscore (_)`;
 
-  if (!/^[a-z0-9_-]{1,25}$/gi.test(albumStem) || !albumStem) {
-    return boom.notAcceptable(restriction('gallery id'));
+  if (validation.albumStem.validate(albumStem).error || !albumStem) {
+    return boom.notAcceptable(restriction('album id'));
   }
 
-  if (!/^[a-z0-9_-]{1,25}$/gi.test(gallery) || !gallery) {
-    return boom.notAcceptable(restriction('album id'));
+  if (validation.gallery.validate(gallery).error || !gallery) {
+    return boom.notAcceptable(restriction('gallery id'));
   }
 
-  return path.join(__dirname, '../../../', `gallery-${gallery}`, 'xml', `album_${albumStem}.xml`);
+  const safeAlbumStem = `album_${albumStem}.xml`;
+  const safeGallery = `gallery-${gallery}`;
+
+  return path.join(__dirname, '../../../', safeGallery, 'xml', safeAlbumStem);
 }
 module.exports.safeAlbumPath = safeAlbumPath;