Merge pull request #10 from pusher/validate_socket_id

Validate all the things

Author: WillSewell

lib/pusher.js

@@ -10,6 +10,21 @@ var Config = require('./config');
 var Token = require('./token');
 var WebHook = require('./webhook');
 
+var validateChannel = function(channel) {
+  if (typeof channel !== "string" || channel === "" || channel.match(/[^A-Za-z0-9_\-=@,.;]/)) {
+    throw new Error("Invalid channel name: '" + channel + "'");
+  }
+  if (channel.length > 200) {
+    throw new Error("Channel name too long: '" + channel + "'");
+  }
+}
+
+var validateSocketId = function(socketId) {
+  if (typeof socketId !== "string" || socketId === "" || !socketId.match(/^\d+\.\d+$/)) {
+    throw new Error("Invalid socket id: '" + socketId + "'");
+  }
+}
+
 /** Callback passed to all REST API methods.
  *
  * @callback requestCallback
@@ -79,12 +94,9 @@ Pusher.forCluster = function(cluster, options) {
  * @returns {String} authentication signature
  */
 Pusher.prototype.authenticate = function(socketId, channel, data) {
-  if (typeof socketId !== "string" || socketId === "") {
-    throw new Error("Invalid socket id: '" + socketId + "'");
-  }
-  if (typeof channel !== "string" || channel === "") {
-    throw new Error("Invalid channel name: '" + channel + "'");
-  }
+  validateSocketId(socketId);
+  validateChannel(channel);
+
   return auth.getSocketSignature(this.config.token, channel, socketId, data);
 };
 
@@ -107,6 +119,9 @@ Pusher.prototype.authenticate = function(socketId, channel, data) {
  * @see RequestError
  */
 Pusher.prototype.trigger = function(channels, event, data, socketId, callback) {
+  if (socketId) {
+    validateSocketId(socketId);
+  }
   if (!(channels instanceof Array)) {
     // add single channel to array for multi trigger compatibility
     channels = [channels];
@@ -118,12 +133,7 @@ Pusher.prototype.trigger = function(channels, event, data, socketId, callback) {
     throw new Error("Can't trigger a message to more than 10 channels");
   }
   for (var i = 0; i < channels.length; i++) {
-    if (channels[i].length > 200) {
-      throw new Error("Too long channel name: '" + channels[i] + "'");
-    }
-    if (!channels[i].match(/^[a-zA-Z0-9_\-=@,.;]+$/)) {
-      throw new Error("Invalid channel name: '" + channels[i] + "'");
-    }
+    validateChannel(channels[i])
   }
   events.trigger(this, channels, event, data, socketId, callback);
 };

tests/integration/pusher/authenticate.js

@@ -92,6 +92,21 @@ describe("Pusher", function() {
       }).to.throwException(/^Invalid socket id: ''$/);
     });
 
+    it("should raise an exception if socket id is invalid", function() {
+      expect(function() {
+        pusher.authenticate("1.1:", "test")
+      }).to.throwException(/^Invalid socket id/);
+      expect(function() {
+        pusher.authenticate(":1.1", "test")
+      }).to.throwException(/^Invalid socket id/);
+      expect(function() {
+        pusher.authenticate(":\n1.1", "test")
+      }).to.throwException(/^Invalid socket id/);
+      expect(function() {
+        pusher.authenticate("1.1\n:", "test")
+      }).to.throwException(/^Invalid socket id/);
+    });
+
     it("should raise an exception if channel name is not a string", function() {
       expect(function() {
         pusher.authenticate("111.222", undefined)

tests/integration/pusher/trigger.js

@@ -220,7 +220,7 @@ describe("Pusher", function() {
         pusher.trigger(channel, "test");
       }).to.throwError(function(e) {
         expect(e).to.be.an(Error);
-        expect(e.message).to.equal("Too long channel name: '" + channel + "'");
+        expect(e.message).to.equal("Channel name too long: '" + channel + "'");
       });
     });