[misc] wordcount: restrict image to an allow list and add tests

2020-06-26 13:17:45 +01:00
parent 5ed09d1a98
commit 6edb458910
4 changed files with 86 additions and 2 deletions
--- a/app/js/CompileController.js
+++ b/app/js/CompileController.js
@@ -218,6 +218,13 @@ module.exports = CompileController = {
    const { project_id } = req.params
    const { user_id } = req.params
    const { image } = req.query
+    if (
+      image &&
+      Settings.allowedImageNamesFlat &&
+      Settings.allowedImageNamesFlat.indexOf(image) === -1
+    ) {
+      return res.status(400).send('invalid image')
+    }
    logger.log({ image, file, project_id }, 'word count request')

    return CompileManager.wordcount(project_id, user_id, file, image, function(