Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com>
1 parent
7120bb2
commit ccb428e
Showing
6 changed files
with
79 additions
and
27 deletions.
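--- /dev/null
+++ b/packages/strapi-plugin-users-permissions/controllers/validation/__tests__/email-template.test.js
@@ -0,0 +1,28 @@
+'use strict';
+
+const { isValidEmailTemplate } = require('../email-template');
+
+describe('isValidEmailTemplate', () => {
+  test('Accepts one valid pattern', () => {
+    expect(isValidEmailTemplate('<%= CODE %>')).toBe(true);
+    expect(isValidEmailTemplate('<%=CODE%>')).toBe(true);
+  });
+
+  test('Refuses invalid patterns', () => {
+    expect(isValidEmailTemplate('<%- CODE %>')).toBe(false);
+    expect(isValidEmailTemplate('<% CODE %>')).toBe(false);
+    expect(isValidEmailTemplate('<%= <% CODE %> %>')).toBe(false);
+    expect(isValidEmailTemplate('<%- <% CODE %> %>')).toBe(false);
+    expect(isValidEmailTemplate('${ <% CODE %> }')).toBe(false);
+    expect(isValidEmailTemplate('<%CODE%>')).toBe(false);
+    expect(isValidEmailTemplate('${CODE}')).toBe(false);
+    expect(isValidEmailTemplate('${ CODE }')).toBe(false);
+  });
+
+  test('Fails on non authorized keys', () => {
+    expect(isValidEmailTemplate('<% random expression %>')).toBe(false);
+    expect(isValidEmailTemplate('<% random expression }%>')).toBe(false);
+    expect(isValidEmailTemplate('<% some.var.azdazd %>')).toBe(false);
+    expect(isValidEmailTemplate('<% function() %>')).toBe(false);
+  });
+});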
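Review bot: The accepting case in `test('Accepts one valid pattern', …)` only exercises `CODE`; none of the other keys the sibling module authorizes (`URL`, `USER`, `USER.email`, `USER.username`, `TOKEN`) has a positive test, and there is no mixed case where an authorized placeholder sits next to an unauthorized one, which is the path the per-match allow-list loop exists for. Adding `expect(isValidEmailTemplate('<%= USER.email %> <%= TOKEN %>')).toBe(true);` and `expect(isValidEmailTemplate('<%= CODE %> <%= OTHER %>')).toBe(false);` would pin the allow-list behaviour directly rather than only the deny-list. A regression test for any validator change should also keep a case where an evaluate block body contains characters outside the current deny-list's inner character class, since that is where the two regex families disagree.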
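--- /dev/null
+++ b/packages/strapi-plugin-users-permissions/controllers/validation/email-template.js
@@ -0,0 +1,30 @@
+'use strict';
+
+const _ = require('lodash');
+
+const invalidPatternsRegexes = [/<%[^=]([^<>%]*)%>/m, /\${([^{}]*)}/m];
+const authorizedKeys = ['URL', 'CODE', 'USER', 'USER.email', 'USER.username', 'TOKEN'];
+
+const isValidEmailTemplate = template => {
+  for (let reg of invalidPatternsRegexes) {
+    if (reg.test(template)) {
+      return false;
+    }
+  }
+
+  const matches = Array.from(template.matchAll(/<%=([^<>%=]*)%>/g));
+  for (let match of matches) {
+    const [, group] = match;
+    const trimGroup = _.trim(group);
+
+    if (!authorizedKeys.includes(trimGroup)) {
+      return false;
+    }
+  }
+
+  return true;
+};
+
+module.exports = {
+  isValidEmailTemplate,
+};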
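Review bot: The deny-list in `const invalidPatternsRegexes = [/<%[^=]([^<>%]*)%>/m, /\${([^{}]*)}/m];` is narrower than the delimiter it is meant to catch: its inner class `[^<>%]*` refuses `<`, `>` and `%`, while lodash's default `evaluate` delimiter accepts any characters between `<%` and `%>`, so an evaluate block whose body contains one of those characters matches neither this deny-list nor the `<%=` allow-list loop below it and `isValidEmailTemplate` returns true for a template lodash would still execute. The safer shape is to invert the check: blank out every authorized `<%= KEY %>` occurrence, then reject the template if any `<%`, `%>` or `${` survives, so nothing lodash treats as a delimiter can reach `_.template` unvetted; every case in the accompanying test file keeps its current result under that rule. The `m` flags are inert because neither regex uses `^`/`$`, and `let reg`/`let match` in the two `for…of` loops are never reassigned and could be `const`. Callers are presumably passing a string from request validation; if that is not guaranteed, `template.matchAll` throws a TypeError rather than returning false — worth confirming at the call site.
```javascript
const isValidEmailTemplate = template => {
  // Allow-list approach: strip every authorized placeholder, then refuse the
  // template if any template delimiter lodash would honour is still present.
  // This mirrors lodash's own delimiters instead of a narrower deny-list.
  const stripped = template.replace(/<%=([^<>%=]*)%>/g, (full, group) =>
    authorizedKeys.includes(_.trim(group)) ? '' : full
  );

  return !/<%|%>|\${/.test(stripped);
};
// … unchanged: module.exports …
```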