From 451af15180ebbbc3fd72363da5290d3d075a47d2 Mon Sep 17 00:00:00 2001 From: Simon Lecoq <22963968+lowlighter@users.noreply.github.com> Date: Sat, 20 Feb 2021 21:07:00 +0100 Subject: [PATCH] Fix CodeQL issues (#150) --- source/app/web/instance.mjs | 26 +++++++++++++++++++------- 1 file changed, 19 insertions(+), 7 deletions(-) diff --git a/source/app/web/instance.mjs b/source/app/web/instance.mjs index 77a6b279..81d61964 100644 --- a/source/app/web/instance.mjs +++ b/source/app/web/instance.mjs @@ -142,13 +142,18 @@ //Metrics const pending = new Set() - app.get("/:login/:repository", ...middlewares, (req, res) => res.redirect(`/${req.params.login}?template=repository&repo=${req.params.repository}&${Object.entries(req.query).map(([key, value]) => `${key}=${encodeURIComponent(value)}`).join("&")}`)) - app.get("/:login", ...middlewares, async(req, res) => { + app.get("/:login/:repository?", ...middlewares, async(req, res) => { //Request params const login = req.params.login?.replace(/[\n\r]/g, "") + const repository = req.params.repository?.replace(/[\n\r]/g, "") + if (!/^[-\w]+$/i.test(login)) { + console.debug(`metrics/app/${login} > 400 (invalid username)`) + return res.status(400).send("Bad request: username seems invalid") + } + //Allowed list check if ((restricted.length)&&(!restricted.includes(login))) { console.debug(`metrics/app/${login} > 403 (not in allowed users)`) - return res.status(403).send(`Forbidden: "${login}" not in allowed users`) + return res.status(403).send("Forbidden: username not in allowed list") } //Read cached data if possible if ((!debug)&&(cached)&&(cache.get(login))) { @@ -159,14 +164,21 @@ //Maximum simultaneous users if ((maxusers)&&(cache.size()+1 > maxusers)) { console.debug(`metrics/app/${login} > 503 (maximum users reached)`) - return res.status(503).send("Service Unavailable: maximum users reached, only cached metrics are available") + return res.status(503).send("Service Unavailable: maximum number of users reached, only cached metrics are available") } //Prevent multiples requests if (pending.has(login)) { console.debug(`metrics/app/${login} > 409 (multiple requests)`) - return res.status(409).send(`Conflict: a request for "${login}" is being process, retry later`) + return res.status(409).send(`Conflict: a request for "${login}" is already being processed, retry later once previous one is finished`) } pending.add(login) + //Repository alias + if (repository) { + console.debug(`metrics/app/${login} > compute repository metrics`) + if (!req.query.template) + req.query.template = "repository" + req.query.repo = repository + } //Compute rendering try { @@ -191,12 +203,12 @@ //Not found user if ((error instanceof Error)&&(/^user not found$/.test(error.message))) { console.debug(`metrics/app/${login} > 404 (user/organization not found)`) - return res.status(404).send(`Not found: unknown user or organization "${login}"`) + return res.status(404).send("Not found: unknown user or organization") } //Invalid template if ((error instanceof Error)&&(/^unsupported template$/.test(error.message))) { console.debug(`metrics/app/${login} > 400 (bad request)`) - return res.status(400).send(`Bad request: unsupported template "${req.query.template}"`) + return res.status(400).send("Bad request: unsupported template") } //General error console.error(error)