From ee4dbebdedd12cfce650590e26a560239008a7c6 Mon Sep 17 00:00:00 2001
From: missinglink
Date: Fri, 15 Mar 2019 12:05:25 +0100
Subject: [PATCH] feat(reject_urls): do not allow urls in name and address fields
---
 Document.js | 4 ++++
 test/document/address.js | 12 ++++++++++++
 test/document/name.js | 12 ++++++++++++
 test/util/valid.js | 8 ++++++++
 util/valid.js | 10 ++++++++++
 5 files changed, 46 insertions(+)
diff --git a/Document.js b/Document.js
index 62c5a1b..f6afdcc 100644
--- a/Document.js
+++ b/Document.js
@@ -255,6 +255,7 @@ Document.prototype.setName = function( prop, value ){
 validate.type('string', value);
 validate.truthy(value);
+ validate.regex.nomatch(value, /https?:\/\//);
 // must copy name to 'phrase' index
 if( Array.isArray( this.name[ prop ] ) ){
@@ -272,6 +273,7 @@ Document.prototype.setNameAlias = function( prop, value ){
 validate.type('string', value);
 validate.truthy(value);
+ validate.regex.nomatch(value, /https?:\/\//);
 // is this the first time setting this prop? ensure it's an array
 if( !this.hasName( prop ) ){
@@ -413,6 +415,7 @@ Document.prototype.setAddress = function( prop, value ){
 validate.type('string', value);
 validate.truthy(value);
 validate.property(addressFields, prop);
+ validate.regex.nomatch(value, /https?:\/\//);
 if( Array.isArray( this.address_parts[ prop ] ) ){
 this.address_parts[ prop ][ 0 ] = value;
@@ -428,6 +431,7 @@ Document.prototype.setAddressAlias = function( prop, value ){
 validate.type('string', value);
 validate.truthy(value);
 validate.property(addressFields, prop);
+ validate.regex.nomatch(value, /https?:\/\//);
 // is this the first time setting this prop? ensure it's an array
 if( !this.hasAddress( prop ) ){
diff --git a/test/document/address.js b/test/document/address.js
index 197e893..2f10d91 100644
--- a/test/document/address.js
+++ b/test/document/address.js
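Review bot: The URL check added to `setName` in Document.js is case-sensitive and covers only the http/https schemes, so `/https?:\/\//` lets a value such as `HTTP://…` or `Https://…` through, and as far as the pattern shows it does not reject scheme-less forms like `www.example.com` either. If the rule in the subject line (no URLs in name and address fields) is meant to hold for untrusted import data, at least add the `i` flag: `validate.regex.nomatch(value, /https?:\/\//i);`. The same literal is repeated in the `setNameAlias`, `setAddress` and `setAddressAlias` hunks, so a single module-level constant would keep the four setters from drifting apart. All four function bodies continue outside their hunks.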
@@ -49,6 +49,12 @@ module.exports.tests.setAddress = function(test) {
 t.equal(doc.getAddress('test'), undefined, 'property not set');
 t.end();
 });
+ test('setAddress - http regex', function (t) {
+ var doc = new Document('mysource', 'mylayer', 'myid');
+ t.throws(doc.setAddress.bind(doc, 'number', 'http://www.pelias.io'), /invalid regex/, 'regex failure');
+ t.throws(doc.setAddress.bind(doc, 'number', 'AAhttp://www.pelias.ioBB'), /invalid regex/, 'regex failure');
+ t.end();
+ });
 };
 module.exports.tests.getAddressAliases = function(test) {
@@ -108,6 +114,12 @@ module.exports.tests.setAddressAlias = function(test) {
 t.deepEqual(doc.getAddressAliases('test'), [], 'property not set');
 t.end();
 });
+ test('setAddressAlias - http regex', function (t) {
+ var doc = new Document('mysource', 'mylayer', 'myid');
+ t.throws(doc.setAddressAlias.bind(doc, 'number', 'http://www.pelias.io'), /invalid regex/, 'regex failure');
+ t.throws(doc.setAddressAlias.bind(doc, 'number', 'AAhttp://www.pelias.ioBB'), /invalid regex/, 'regex failure');
+ t.end();
+ });
 };
 module.exports.tests.hasAddress = function(test) {
diff --git a/test/document/name.js b/test/document/name.js
index 1bea38a..71585a3 100644
--- a/test/document/name.js
+++ b/test/document/name.js
@@ -40,6 +40,12 @@ module.exports.tests.setName = function(test) {
 t.equal(doc.getName('test'), undefined, 'property not set');
 t.end();
 });
+ test('setName - http regex', function (t) {
+ var doc = new Document('mysource', 'mylayer', 'myid');
+ t.throws(doc.setName.bind(doc, 'default', 'http://www.pelias.io'), /invalid regex/, 'regex failure');
+ t.throws(doc.setName.bind(doc, 'default', 'AAhttp://www.pelias.ioBB'), /invalid regex/, 'regex failure');
+ t.end();
+ });
 };
 module.exports.tests.getNameAliases = function(test) {
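Review bot: The new `setAddress - http regex` test feeds only `http://` values, so the optional `s` in `/https?:\/\//` is never exercised and nothing pins how a differently-cased scheme is treated. Add an `https://` case, e.g. `t.throws(doc.setAddress.bind(doc, 'number', 'https://www.pelias.io'), /invalid regex/, 'regex failure');`, plus a `t.doesNotThrow` case showing that an ordinary value containing a colon or a slash is still accepted. The same gap is present in the `setAddressAlias`, `setName` and `setNameAlias` test hunks.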
@@ -105,6 +111,12 @@ module.exports.tests.setNameAlias = function(test) {
 t.deepEqual(doc.getNameAliases('test'), [], 'property not set');
 t.end();
 });
+ test('setNameAlias - http regex', function (t) {
+ var doc = new Document('mysource', 'mylayer', 'myid');
+ t.throws(doc.setNameAlias.bind(doc, 'default', 'http://www.pelias.io'), /invalid regex/, 'regex failure');
+ t.throws(doc.setNameAlias.bind(doc, 'default', 'AAhttp://www.pelias.ioBB'), /invalid regex/, 'regex failure');
+ t.end();
+ });
 };
 module.exports.tests.hasName = function(test) {
diff --git a/test/util/valid.js b/test/util/valid.js
index 4a52bd8..ec88ad4 100644
--- a/test/util/valid.js
+++ b/test/util/valid.js
@@ -20,6 +20,14 @@ module.exports.tests.nonnegative = (test) => {
 };
+module.exports.tests.regex = (test) => {
+ test('regex nomatch', (t) => {
+ t.throws(valid.regex.nomatch.bind(null, 'hello', /he/), /invalid regex/);
+ t.doesNotThrow(valid.regex.nomatch.bind(null, 'hello', /bye/), /invalid regex/);
+ t.end();
+ });
+};
+
 module.exports.all = (tape, common) => {
 function test(name, testFunction) {
diff --git a/util/valid.js b/util/valid.js
index e753a3f..3bc20bf 100644
--- a/util/valid.js
+++ b/util/valid.js
@@ -110,3 +110,13 @@ module.exports.boundingBox = function( val ) {
 return this;
 };
+
+module.exports.regex = {
+ nomatch: function(val, regex) {
+ if( regex.test(val) ){
+ throw new PeliasModelError(`invalid regex test, ${val} should not match ${regex}`);
+ }
+
+ return module.exports;
+ }
+};
\ No newline at end of file
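Review bot: The `regex nomatch` test in test/util/valid.js never checks what `nomatch` returns, although the helper ends with `return module.exports;`, presumably so validator calls can be chained. Pin that with `t.equal(valid.regex.nomatch('hello', /bye/), valid);`. The `/invalid regex/` passed to `t.doesNotThrow` reads like a copy of the line above; a plain message string would state the intent more clearly.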
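Review bot: `nomatch` in util/valid.js calls `regex.test(val)` on whatever RegExp the caller supplies, and `test()` is stateful for patterns carrying the `g` or `y` flag: `lastIndex` survives between calls, so a shared flagged pattern can miss a match on a later call and let a value through. The four call sites in Document.js pass a fresh unflagged literal, so this is latent today, but the helper is exported generically; adding `regex.lastIndex = 0;` before the `if` makes it safe. The error message also interpolates the rejected `val` unmodified, so anything that logs or displays `PeliasModelError` messages should treat that text as untrusted and possibly long. A one-line comment such as `// return the validator module, not this (the nested regex object), to keep chaining` would explain the difference from `boundingBox`, which returns `this`.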