Filter the rich format on API output

vanilla · Nov 16, 2019 · 6a55f7c · 6a55f7c
1 parent efcad8a
commit 6a55f7c
Show file tree

Hide file tree

Showing 3 changed files with 54 additions and 2 deletions.
diff --git a/applications/vanilla/controllers/api/CommentsApiController.php b/applications/vanilla/controllers/api/CommentsApiController.php
@@ -255,7 +255,9 @@ public function get_edit($id) {
             'discussionID',
             'body',
             'format:s' => 'The input format of the comment.',
-        ])->add($this->fullSchema()), 'out');
+        ])
+            ->add($this->fullSchema()), 'out')
+            ->addFilter('', [\Vanilla\Formatting\Formats\RichFormat::class, 'editBodyFilter']);
 
         $comment = $this->commentByID($id);
         $comment['Url'] = commentUrl($comment);

diff --git a/applications/vanilla/controllers/api/DiscussionsApiController.php b/applications/vanilla/controllers/api/DiscussionsApiController.php
@@ -430,7 +430,8 @@ public function get_edit($id) {
                 'pinned',
                 'pinLocation',
             ])->add($this->fullSchema()
-        ), ['DiscussionGetEdit', 'out']);
+        ), ['DiscussionGetEdit', 'out'])
+            ->addFilter('', [\Vanilla\Formatting\Formats\RichFormat::class, 'editBodyFilter']);
 
         $row = $this->discussionByID($id);
         $row['Url'] = discussionUrl($row);

diff --git a/library/Vanilla/Formatting/Formats/RichFormat.php b/library/Vanilla/Formatting/Formats/RichFormat.php
@@ -271,4 +271,53 @@ private function logBadInput(string $input) {
             E_USER_WARNING
         );
     }
+
+    /**
+     * Filter a rich body to remove sensitive information.
+     *
+     * @param array $row The row to filter.
+     * @return array Returns the filtered row.
+     */
+    public static function editBodyFilter($row) {
+        if (!is_array($row) || strcasecmp($row['format'] ?? $row['Format'] ?? '', 'rich') !== 0) {
+            return $row;
+        }
+
+        $key = array_key_exists('Body', $row) ? 'Body' : 'body';
+        $row[$key] = self::stripSensitiveInfoRich($row[$key]);
+
+        return $row;
+    }
+
+    /**
+     * Strip sensitive user info from a rich string and rewrite it.
+     *
+     * @param string $input The rich text input.
+     * @return string The string.
+     */
+    private static function stripSensitiveInfoRich(string $input): string {
+        if (strpos($input, "password") === false) {
+            return $input; // Bailout because it doesn't actually have user record.
+        }
+        $operations = json_decode($input, true);
+        if (json_last_error() !== JSON_ERROR_NONE || !is_array($operations)) {
+            return $input;
+        }
+        foreach ($operations as &$op) {
+            $insertUser = $op['insert']['embed-external']['data']['insertUser'] ?? null;
+            if (!$insertUser) {
+                // No user.
+                continue;
+            }
+            $op['insert']['embed-external']['data']['insertUser'] = [
+                'userID' => $insertUser['userID'],
+                'name' => $insertUser['name'],
+                'photoUrl' => $insertUser['photoUrl'],
+                'dateLastActive' => $insertUser['dateLastActive'],
+                'label' => $insertUser['label'],
+            ];
+        }
+        $output = json_encode($operations, JSON_UNESCAPED_UNICODE);
+        return $output;
+    }
 }