X-Git-Url: https://git.auder.net/?a=blobdiff_plain;f=server%2Froutes%2Fusers.js;h=abe987cd2e3909d63b43d3553d5ad63ce27751e8;hb=99b7a14c6e01c53a49459c8d4681acf6abe635d8;hp=129cda23b492a99d47d6ade4cd7f962ad285e149;hpb=dac395887d96e2d642b209c6db6aaacc3ffacb34;p=vchess.git

diff --git a/server/routes/users.js b/server/routes/users.js
index 129cda23..abe987cd 100644
--- a/server/routes/users.js
+++ b/server/routes/users.js
@@ -1,11 +1,11 @@
 // AJAX methods to get, create, update or delete a user
 
-var router = require("express").Router();
-var UserModel = require('../models/User');
-var sendEmail = require('../utils/mailer');
-var genToken = require("../utils/tokenGenerator");
-var access = require("../utils/access");
-var params = require("../config/parameters");
+let router = require("express").Router();
+const UserModel = require('../models/User');
+const sendEmail = require('../utils/mailer');
+const genToken = require("../utils/tokenGenerator");
+const access = require("../utils/access");
+const params = require("../config/parameters");
 
 // NOTE: this method is safe because the sessionToken must be guessed
 router.get("/whoami", access.ajax, (req,res) => {
@@ -20,6 +20,8 @@ router.get("/whoami", access.ajax, (req,res) => {
   const anonymous = {name:"", email:"", id:0, notify:false};
   if (!req.cookies.token)
     return callback(anonymous);
+  if (!req.cookies.token.match(/^[a-z0-9]+$/))
+    return res.json({errmsg: "Bad token"});
   UserModel.getOne("sessionToken", req.cookies.token, function(err, user) {
     if (!!err || !user)
       callback(anonymous);
@@ -31,6 +33,8 @@ router.get("/whoami", access.ajax, (req,res) => {
 // NOTE: this method is safe because only IDs and names are returned
 router.get("/users", access.ajax, (req,res) => {
   const ids = req.query["ids"];
+  if (!ids.match(/^([0-9]+,?)+$/)) //NOTE: slightly too permissive
+    return res.json({errmsg: "Bad IDs array"});
   UserModel.getByIds(ids, (err,users) => {
     if (!!err)
       return res.json({errmsg: err.toString()});
@@ -90,6 +94,8 @@ router.get('/sendtoken', access.unlogged, access.ajax, (req,res) => {
 });
 
 router.get('/authenticate', access.unlogged, access.ajax, (req,res) => {
+  if (!req.query.token.match(/^[a-z0-9]+$/))
+    return res.json({errmsg: "Bad token"});
   UserModel.getOne("loginToken", req.query.token, (err,user) => {
     access.checkRequest(res, err, user, "Invalid token", () => {
       // If token older than params.tokenExpire, do nothing