From abfb36bcdb25ba11bda9892ec473970fc29506bb Mon Sep 17 00:00:00 2001 From: syuilo Date: Wed, 22 Feb 2017 19:39:34 +0900 Subject: [PATCH] Fix bug --- src/api/models/user.ts | 9 +++++++-- src/api/private/signin.ts | 10 ++++++++++ src/api/private/signup.ts | 4 ++-- test/api.js | 13 +++++++++++++ 4 files changed, 32 insertions(+), 4 deletions(-) diff --git a/src/api/models/user.ts b/src/api/models/user.ts index 30805e4b63..c8c187c509 100644 --- a/src/api/models/user.ts +++ b/src/api/models/user.ts @@ -8,9 +8,14 @@ const collection = db.get('users'); export default collection as any; // fuck type definition export function validateUsername(username: string): boolean { - return /^[a-zA-Z0-9\-]{3,20}$/.test(username); + return typeof username == 'string' && /^[a-zA-Z0-9\-]{3,20}$/.test(username); +} + +export function validatePassword(password: string): boolean { + return typeof password == 'string' && password != ''; } export function isValidBirthday(birthday: string): boolean { - return /^([0-9]{4})\-([0-9]{2})-([0-9]{2})$/.test(birthday); + return typeof birthday == 'string' && /^([0-9]{4})\-([0-9]{2})-([0-9]{2})$/.test(birthday); +} } diff --git a/src/api/private/signin.ts b/src/api/private/signin.ts index 14dd1c7058..fe3b5f7084 100644 --- a/src/api/private/signin.ts +++ b/src/api/private/signin.ts @@ -12,6 +12,16 @@ export default async (req: express.Request, res: express.Response) => { const username = req.body['username']; const password = req.body['password']; + if (typeof username != 'string') { + res.sendStatus(400); + return; + } + + if (typeof password != 'string') { + res.sendStatus(400); + return; + } + // Fetch user const user = await User.findOne({ username_lower: username.toLowerCase() diff --git a/src/api/private/signup.ts b/src/api/private/signup.ts index 73e04f8b37..bd2a7ef02a 100644 --- a/src/api/private/signup.ts +++ b/src/api/private/signup.ts @@ -3,7 +3,7 @@ import * as bcrypt from 'bcryptjs'; import rndstr from 'rndstr'; import recaptcha = require('recaptcha-promise'); import User from '../models/user'; -import { validateUsername } from '../models/user'; +import { validateUsername, validatePassword } from '../models/user'; import serialize from '../serializers/user'; import config from '../../conf'; @@ -34,7 +34,7 @@ export default async (req: express.Request, res: express.Response) => { } // Validate password - if (password == '') { + if (!validatePassword(password)) { res.sendStatus(400); return; } diff --git a/test/api.js b/test/api.js index 40dbdf201b..6b1cbe1c4d 100644 --- a/test/api.js +++ b/test/api.js @@ -120,6 +120,19 @@ describe('API', () => { }); })); + it('クエリをインジェクションできない', () => new Promise(async (done) => { + const me = await insertSakurako(); + request('/signin', { + username: me.username, + password: { + $gt: '' + } + }).then(res => { + res.should.have.status(400); + done(); + }); + })); + it('正しい情報でサインインできる', () => new Promise(async (done) => { const me = await insertSakurako(); request('/signin', {