sanitize all owners in router #285

merged 2 commits into from
Mar 1, 2022
76 changes: 37 additions & 39 deletions lib/router.js
Expand Up @@ -14,11 +14,9 @@ module.exports = function (app) {
const auth = new Auth(); // constructor must be called to do the job when router is initialized
*/

let Sqreen;

if (Globals.use_sqreen()) {
try {
Sqreen = require('sqreen');
require('sqreen');
} catch (s) {
console.log(s);
}
Expand Down Expand Up @@ -532,7 +530,7 @@ module.exports = function (app) {
// Applies only to post requests!
if (req.method == "POST") {
if (typeof (req.body) !== "undefined") {
let xowner = req.body.owner;
let xowner = sanitka.owner(req.session.owner);
let api_key = req.body.api_key;
if (typeof (xowner) !== "undefined" && typeof (api_key) !== "undefined") {
// Using Owner/API Key
Expand Down Expand Up @@ -570,7 +568,7 @@ module.exports = function (app) {
/* List all devices for user. */
app.get("/api/user/devices", function (req, res) {
if (!(validateSecureGETRequest(req) || validateSession(req, res))) return;
var owner = req.session.owner;
let owner = sanitka.owner(req.session.owner);
devices.list(owner, (success, response) => {
respond(res, response);
});
Expand All @@ -581,7 +579,7 @@ module.exports = function (app) {
/* Attach code source to a device. Expects unique device identifier and source alias. */
app.post("/api/device/attach", function (req, res) {
if (!(validateSecurePOSTRequest(req) || validateSession(req, res))) return;
var owner = req.session.owner;
let owner = sanitka.owner(req.session.owner);
var body = req.body;
devices.attach(owner, body, responder, res);
});
Expand All @@ -597,7 +595,7 @@ module.exports = function (app) {
/* Attach device to a mesh. Expects unique mesh identifier and device id. */
app.post("/api/device/mesh/attach", function (req, res) {
if (!(validateSecurePOSTRequest(req) || validateSession(req, res))) return;
var owner = req.session.owner;
let owner = sanitka.owner(req.session.owner);
var body = req.body;
if ((typeof (owner) === "undefined") || (owner === null)) {
owner = sanitka.owner(body.owner);
Expand All @@ -608,7 +606,7 @@ module.exports = function (app) {
/* Detach device from a mesh. Expects unique device identifier and unique mesh identifier. */
app.post("/api/device/mesh/detach", function (req, res) {
if (!(validateSecurePOSTRequest(req) || validateSession(req, res))) return;
var owner = req.session.owner;
let owner = sanitka.owner(req.session.owner);
var body = req.body;
if ((typeof (owner) === "undefined") || (owner === null)) {
owner = body.owner;
Expand Down Expand Up @@ -654,7 +652,7 @@ module.exports = function (app) {
/* Post device data. */
app.post("/api/device/data", function (req, res) {
if (!(validateSecurePOSTRequest(req) || validateSession(req, res))) return;
var owner = req.session.owner;
let owner = sanitka.owner(req.session.owner);
var udid = sanitka.udid(req.body.udid);

app.messenger.data(owner, udid, responder, res);
Expand All @@ -672,7 +670,7 @@ module.exports = function (app) {

app.post("/api/transformer/run", function (req, res) {
if (!(validateSecurePOSTRequest(req) || validateSession(req, res))) return;
var owner = req.session.owner;
let owner = sanitka.owner(req.session.owner);
if (typeof (owner) === "undefined" || owner === null) {
respond(res, {
success: false,
Expand Down Expand Up @@ -700,7 +698,7 @@ module.exports = function (app) {

if (!(validateSecurePOSTRequest(req) || validateSession(req, res))) return;

var owner = req.session.owner;
let owner = sanitka.owner(req.session.owner);

if (typeof (req.body.alias) === "undefined") {
respond(res, {
Expand Down Expand Up @@ -738,7 +736,7 @@ module.exports = function (app) {

if (!(validateSecurePOSTRequest(req) || validateSession(req, res))) return;

var owner = req.session.owner;
let owner = sanitka.owner(req.session.owner);
var api_key_hashes = [];

if (typeof (req.body.fingerprint) !== "undefined") {
Expand Down Expand Up @@ -769,7 +767,7 @@ module.exports = function (app) {

if (!(validateSecureGETRequest(req) || validateSession(req, res))) return;

var owner = req.session.owner;
let owner = sanitka.owner(req.session.owner);

apikey.list(owner, (success, keys) => {
if (success) {
Expand All @@ -795,7 +793,7 @@ module.exports = function (app) {

if (!(validateSecurePOSTRequest(req) || validateSession(req, res))) return;

var owner = req.session.owner;
let owner = sanitka.owner(req.session.owner);

if (typeof (req.body.key) === "undefined") {
respond(res, {
Expand Down Expand Up @@ -838,7 +836,7 @@ module.exports = function (app) {

if (!(validateSecurePOSTRequest(req) || validateSession(req, res))) return;

var owner = req.session.owner;
let owner = sanitka.owner(req.session.owner);
var env_var_names;

if (typeof (req.body.name) !== "undefined") {
Expand Down Expand Up @@ -877,7 +875,7 @@ module.exports = function (app) {

if (!(validateSecureGETRequest(req) || validateSession(req, res))) return;

var owner = req.session.owner;
let owner = sanitka.owner(req.session.owner);

apienv.list(owner, (success, response) => {
if (success) {
Expand All @@ -900,7 +898,7 @@ module.exports = function (app) {
/* List available sources */
app.get("/api/user/sources/list", function (req, res) {
if (!(validateSecureGETRequest(req) || validateSession(req, res))) return;
var owner = req.session.owner;
let owner = sanitka.owner(req.session.owner);
if (typeof (owner) === "undefined") {
res.status(401);
}
Expand Down Expand Up @@ -959,7 +957,7 @@ module.exports = function (app) {
app.post("/api/user/source/revoke", function (req, res) {
if (!(validateSecurePOSTRequest(req) || validateSession(req, res))) return;

var owner = req.session.owner;
let owner = sanitka.owner(req.session.owner);
if (typeof (req.body.source_ids) === "undefined") {
respond(res, {
success: false,
Expand All @@ -982,7 +980,7 @@ module.exports = function (app) {

if (!validateSession(req, res)) return;

var owner = req.session.owner;
let owner = sanitka.owner(req.session.owner);

rsakey.create(owner, (success, response) => {
respond(res, {
Expand All @@ -997,7 +995,7 @@ module.exports = function (app) {

if (!(validateSecureGETRequest(req) || validateSession(req, res))) return;

var owner = req.session.owner;
let owner = sanitka.owner(req.session.owner);

rsakey.list(owner, (success, response) => {
if (success === false) {
Expand All @@ -1023,7 +1021,7 @@ module.exports = function (app) {
var owner;

if (typeof (req.session.owner) !== "undefined") {
owner = req.session.owner;
owner = sanitka.owner(req.session.owner);
} else {
respond(res, {
success: false,
Expand Down Expand Up @@ -1138,7 +1136,7 @@ module.exports = function (app) {

app.post("/api/user/profile", function (req, res) {
if (!(validateSecurePOSTRequest(req) && validateSession(req, res))) return;
var owner = req.session.owner;
let owner = sanitka.owner(req.session.owner);
if (typeof (owner) === "undefined") {
res.status(401); // cannot POST without owner
}
Expand All @@ -1154,7 +1152,7 @@ module.exports = function (app) {
// /user/profile GET
app.get("/api/user/profile", function (req, res) {
if (!(validateSecureGETRequest(req) && validateSession(req, res))) return;
var owner = req.session.owner;
let owner = sanitka.owner(req.session.owner);
if (typeof (owner) === "undefined") {
res.status(401);
}
Expand Down Expand Up @@ -1495,7 +1493,7 @@ module.exports = function (app) {
}

// Hybrid Cookie/APIKey authentication (could be global middleware... of values exist, shall be validated, then this becomes duplicate op in chain)
let owner = req.body.owner;
let owner = sanitka.owner(req.session.owner);
let api_key = req.body.apikey;
if (typeof (owner) !== "undefined" && typeof (api_key) !== "undefined") {
// Using Owner/API Key
Expand All @@ -1513,7 +1511,7 @@ module.exports = function (app) {
} else {
// Using cookies
if (!(validateSecurePOSTRequest(req) || validateSession(req, res))) return;
owner = req.session.owner;
owner = sanitka.owner(req.session.owner);
implementation(owner, req.body.changes, res);
}
});
Expand All @@ -1531,7 +1529,7 @@ module.exports = function (app) {
let socket = null;
if (typeof (existing_sockets) !== "undefined") {
console.log("app._ws owner:", req.session.owner);
let sowner = req.session.owner;
let sowner = sanitka.owner(req.session.owner);
if (typeof (sowner) !== "undefined") {
let xocket = existing_sockets[sowner];
if ((typeof (xocket) !== "undefined")) {
Expand All @@ -1549,7 +1547,7 @@ module.exports = function (app) {

// Input validation
let unsafe_build = req.body.build;
let owner = req.session.owner;
let owner = sanitka.owner(req.session.owner);
let udid = sanitka.udid(unsafe_build.udid);
let source_id = sanitka.udid(unsafe_build.source_id);
let dryrun = false;
Expand Down Expand Up @@ -1584,8 +1582,8 @@ module.exports = function (app) {

// should be under /api
app.post("/api/device/envelope", function (req, res) {
let udid = req.body.udid;
let owner = req.session.owner;
let udid = sanitka.udid(req.body.udid);
let owner = sanitka.owner(req.session.owner);
if ((typeof (udid) === "undefined") || (typeof (owner) === "undefined")) {
respond(res, "{}");
} else {
Expand All @@ -1597,7 +1595,7 @@ module.exports = function (app) {
// Get build artifacts
app.post("/api/device/artifacts", function (req, res) {
if (!(validateSecurePOSTRequest(req) || validateSession(req, res))) return;
var owner = req.session.owner;
let owner = sanitka.owner(req.session.owner);
var udid = sanitka.udid(req.body.udid);
var build_id = sanitka.udid(req.body.build_id);

Expand Down Expand Up @@ -1639,7 +1637,7 @@ module.exports = function (app) {
/* Returns all audit logs per owner */
app.get("/api/user/logs/audit", function (req, res) {
if (!(validateSecureGETRequest(req) || validateSession(req, res))) return;
var owner = req.session.owner;
let owner = sanitka.owner(req.session.owner);

alog.fetch(owner, (err, body) => {

Expand Down Expand Up @@ -1672,7 +1670,7 @@ module.exports = function (app) {

if (!(validateSecureGETRequest(req) || validateSession(req, res))) return;

var owner = req.session.owner;
let owner = sanitka.owner(req.session.owner);

if (typeof (owner) === "undefined") {
respond(res, {
Expand Down Expand Up @@ -1768,7 +1766,7 @@ module.exports = function (app) {
/* Returns specific build log for owner */
app.post("/api/user/logs/build", function (req, res) {
if (!(validateSecurePOSTRequest(req) || validateSession(req, res))) return;
var owner = req.session.owner;
let owner = sanitka.owner(req.session.owner);
if (typeof (req.body.build_id) === "undefined") {
respond(res, {
success: false,
Expand Down Expand Up @@ -1830,7 +1828,7 @@ module.exports = function (app) {
/* Request device transfer */
app.post("/api/transfer/request", function (req, res) {
if (!(validateSecurePOSTRequest(req) || validateSession(req, res))) return;
var owner = req.session.owner;
let owner = sanitka.owner(req.session.owner);
transfer.request(owner, req.body, function (success, response) {
transferResultRedirect(success, res, response);
});
Expand Down Expand Up @@ -2315,7 +2313,7 @@ module.exports = function (app) {

if (!(validateSecureGETRequest(req) || validateSession(req, res))) return;

var owner = req.session.owner;
let owner = sanitka.owner(req.session.owner);

stats.week(owner, (success, body) => {

Expand Down Expand Up @@ -2355,7 +2353,7 @@ module.exports = function (app) {
/* Websocket to Slack chat */
app.post("/api/user/chat", function (req, res) {
if (!validateSecurePOSTRequest(req)) return;
var owner = req.session.owner;
let owner = sanitka.owner(req.session.owner);
var message = req.body.message;
app.messenger.slack(owner, message, function (err, response) {
if (err) {
Expand All @@ -2373,7 +2371,7 @@ module.exports = function (app) {

app.post("/api/user/message", function (req, res) {
if (!(validateSecurePOSTRequest(req) || validateSession(req, res))) return;
var owner = req.session.owner;
let owner = sanitka.owner(req.session.owner);
var message = req.body.message;
app.messenger.slack(owner, message, function (err, response) {
console.log("Message: '" + message + "' with error " + err);
Expand All @@ -2391,7 +2389,7 @@ module.exports = function (app) {
/* Respond to actionable notification */
app.post("/api/device/push", function (req, res) {
if (!(validateSecurePOSTRequest(req) || validateSession(req, res))) return;
var owner = req.session.owner;
let owner = sanitka.owner(req.session.owner);
devices.push(owner, req.body, (push_success, push_response) => {
respond(res, {
success: push_success,
Expand All @@ -2407,7 +2405,7 @@ module.exports = function (app) {
/* Respond to actionable notification */
app.post("/api/device/notification", function (req, res) {
if (!(validateSecurePOSTRequest(req) || validateSession(req, res))) return;
var owner = req.session.owner;
let owner = sanitka.owner(req.session.owner);
var device_id = Validator.udid(req.body.udid);
var nid = "nid:" + device_id;
var reply = req.body.reply;
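Review bot: The fallback in the `/api/device/mesh/detach` hunk still assigns the raw request value, `owner = body.owner;`, while the neighbouring `/api/device/mesh/attach` hunk wraps the identical fallback in `sanitka.owner(body.owner)`; for a change titled "sanitize all owners" this line should read `owner = sanitka.owner(body.owner);`. In the two hybrid Cookie/APIKey hunks, `let xowner = sanitka.owner(req.session.owner);` and `let owner = sanitka.owner(req.session.owner);` replace reads of `req.body.owner`, so the owner/api_key branch that follows now only fires when a session owner already exists and an API-key-only client without a session cookie appears to fall through to the cookie path; if that is the intent, the "Hybrid Cookie/APIKey authentication" comment should say so, otherwise the body owner should be sanitized rather than replaced. The `typeof (owner) === "undefined"` guards that follow the new `sanitka.owner(req.session.owner)` calls in several handlers keep working only if `sanitka.owner` passes undefined through unchanged, which is not visible in this diff and is worth confirming. Every handler touched here continues outside its hunk.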