Skip to content

Validate all the things #10

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
May 12, 2015
Merged

Validate all the things #10

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
731c0c8
Validate all the things
danielwaterworth May 11, 2015
39d0c47
Tests for invalid socket ids
danielwaterworth May 11, 2015
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
34 changes: 22 additions & 12 deletions lib/pusher.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,21 @@ var Config = require('./config');
var Token = require('./token');
var WebHook = require('./webhook');

var validateChannel = function(channel) {
if (typeof channel !== "string" || channel === "" || channel.match(/[^A-Za-z0-9_\-=@,.;]/)) {
throw new Error("Invalid channel name: '" + channel + "'");
}
if (channel.length > 200) {
throw new Error("Channel name too long: '" + channel + "'");
}
}

var validateSocketId = function(socketId) {
if (typeof socketId !== "string" || socketId === "" || !socketId.match(/^\d+\.\d+$/)) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is @zimbatm's comment about the required regexp here relevant?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

\A and \Z aren't valid in JS. ^ and $ work the same, except in multiline mode. I have checked this.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

throw new Error("Invalid socket id: '" + socketId + "'");
}
}

/** Callback passed to all REST API methods.
*
* @callback requestCallback
Expand Down Expand Up @@ -79,12 +94,9 @@ Pusher.forCluster = function(cluster, options) {
* @returns {String} authentication signature
*/
Pusher.prototype.authenticate = function(socketId, channel, data) {
if (typeof socketId !== "string" || socketId === "") {
throw new Error("Invalid socket id: '" + socketId + "'");
}
if (typeof channel !== "string" || channel === "") {
throw new Error("Invalid channel name: '" + channel + "'");
}
validateSocketId(socketId);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we please have some test cases for validating the socket_id?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

validateChannel(channel);

return auth.getSocketSignature(this.config.token, channel, socketId, data);
};

Expand All @@ -107,6 +119,9 @@ Pusher.prototype.authenticate = function(socketId, channel, data) {
* @see RequestError
*/
Pusher.prototype.trigger = function(channels, event, data, socketId, callback) {
if (socketId) {
validateSocketId(socketId);
}
if (!(channels instanceof Array)) {
// add single channel to array for multi trigger compatibility
channels = [channels];
Expand All @@ -118,12 +133,7 @@ Pusher.prototype.trigger = function(channels, event, data, socketId, callback) {
throw new Error("Can't trigger a message to more than 10 channels");
}
for (var i = 0; i < channels.length; i++) {
if (channels[i].length > 200) {
throw new Error("Too long channel name: '" + channels[i] + "'");
}
if (!channels[i].match(/^[a-zA-Z0-9_\-=@,.;]+$/)) {
throw new Error("Invalid channel name: '" + channels[i] + "'");
}
validateChannel(channels[i])
}
events.trigger(this, channels, event, data, socketId, callback);
};
Expand Down
15 changes: 15 additions & 0 deletions tests/integration/pusher/authenticate.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -92,6 +92,21 @@ describe("Pusher", function() {
}).to.throwException(/^Invalid socket id: ''$/);
});

it("should raise an exception if socket id is invalid", function() {
expect(function() {
pusher.authenticate("1.1:", "test")
}).to.throwException(/^Invalid socket id/);
expect(function() {
pusher.authenticate(":1.1", "test")
}).to.throwException(/^Invalid socket id/);
expect(function() {
pusher.authenticate(":\n1.1", "test")
}).to.throwException(/^Invalid socket id/);
expect(function() {
pusher.authenticate("1.1\n:", "test")
}).to.throwException(/^Invalid socket id/);
});

it("should raise an exception if channel name is not a string", function() {
expect(function() {
pusher.authenticate("111.222", undefined)
Expand Down
2 changes: 1 addition & 1 deletion tests/integration/pusher/trigger.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -220,7 +220,7 @@ describe("Pusher", function() {
pusher.trigger(channel, "test");
}).to.throwError(function(e) {
expect(e).to.be.an(Error);
expect(e.message).to.equal("Too long channel name: '" + channel + "'");
expect(e.message).to.equal("Channel name too long: '" + channel + "'");
});
});

Expand Down