Display an error when an invalid hash in used

2019-02-06 15:35:27 +01:00 · 2019-02-06 15:35:27 +01:00 · 6c1da07c60
parent 2815c96ce8
commit 6c1da07c60
3 changed files with 40 additions and 9 deletions
--- a/www/common/common-hash.js
+++ b/www/common/common-hash.js
@ -500,5 +500,27 @@ Version 1
        return name;
    };

+    Hash.isValidHref = function (href) {
+        // Non-empty href?
+        if (!href) { return; }
+        var parsed = Hash.parsePadUrl(href);
+        // Can be parsed?
+        if (!parsed) { return; }
+        // Link to a CryptPad app?
+        if (!parsed.type) { return; }
+        // Valid hash?
+        if (parsed.hash) {
+            if (!parsed.hashData) { return; }
+            // Version should be a number
+            if (typeof(parsed.hashData.version) === "undefined") { return; }
+            // pads and files should have a base64 (or hex) key
+            if (parsed.hashData.type === 'pad' || parsed.hashData.type === 'file') {
+                if (!parsed.hashData.key) { return; }
+                if (!/^[a-zA-Z0-9+-/]+$/.test(parsed.hashData.key)) { return; }
+            }
+        }
+        return true;
+    };
+
    return Hash;
 });
--- a/www/common/sframe-common-outer.js
+++ b/www/common/sframe-common-outer.js
@ -134,6 +134,11 @@ define([
                });
            }));
        }).nThen(function (waitFor) {
+            if (!Utils.Hash.isValidHref(window.location.href)) {
+                waitFor.abort();
+                return void sframeChan.event('EV_LOADING_ERROR', 'INVALID_HASH');
+            }
+
            $('#sbox-iframe').focus();

            sframeChan.on('EV_CACHE_PUT', function (x) {
--- a/www/common/sframe-common.js
+++ b/www/common/sframe-common.js
@ -557,6 +557,19 @@ define([
                UIElements.displayStorePadPopup(funcs, data);
            });

+            ctx.sframeChan.on('EV_LOADING_ERROR', function (err) {
+                var msg = err;
+                if (err === 'DELETED') {
+                    msg = Messages.deletedError + '<br>' + Messages.errorRedirectToHome;
+                }
+                if (err === "INVALID_HASH") {
+                    msg = Messages.invalidHashError; // XXX
+                }
+                UI.errorLoadingScreen(msg, false, function () {
+                    funcs.gotoURL('/drive/');
+                });
+            });
+
            ctx.metadataMgr.onReady(waitFor());

            funcs.addShortcuts();
@ -591,15 +604,6 @@ define([
                window.CP_DEV_MODE = ctx.metadataMgr.getPrivateData().devMode;
            } catch (e) {}

-            ctx.sframeChan.on('EV_LOADING_ERROR', function (err) {
-                if (err === 'DELETED') {
-                    var msg = Messages.deletedError + '<br>' + Messages.errorRedirectToHome;
-                    UI.errorLoadingScreen(msg, false, function () {
-                        funcs.gotoURL('/drive/');
-                    });
-                }
-            });
-
            ctx.sframeChan.on('EV_LOGOUT', function () {
                $(window).on('keyup', function (e) {
                    if (e.keyCode === 27) {