From 99a35e40d0a4aff26278d31a8cdc496da8003fb2 Mon Sep 17 00:00:00 2001
From: Amy Yan
Date: Wed, 25 Oct 2023 21:33:23 +1100
Subject: [PATCH] fix: added `ErrorIdentitiesManagerInvalidIdentityId` that throws in `IdentityManager` when any provided `identityId` is `__proto__`
---
 src/identities/IdentitiesManager.ts | 20 ++++++
 src/identities/errors.ts | 6 ++
 tests/identities/IdentitiesManager.test.ts | 82 +++++++++++++---------
 3 files changed, 75 insertions(+), 33 deletions(-)
diff --git a/src/identities/IdentitiesManager.ts b/src/identities/IdentitiesManager.ts
index 201ee93eb5..5adc51b65d 100644
--- a/src/identities/IdentitiesManager.ts
+++ b/src/identities/IdentitiesManager.ts
@@ -177,6 +177,11 @@ class IdentitiesManager {
 identityId: IdentityId,
 tran?: DBTransaction,
 ): Promise {
+ if (identityId === '__proto__') {
+ throw new identitiesErrors.ErrorIdentitiesManagerInvalidIdentityId(
+ '"__proto__" is not a valid Identity ID',
+ );
+ }
 if (tran == null) {
 return this.db.withTransactionF((tran) =>
 this.getToken(providerId, identityId, tran),
@@ -200,6 +205,11 @@ class IdentitiesManager {
 providerToken: ProviderToken,
 tran?: DBTransaction,
 ): Promise {
+ if (identityId === '__proto__') {
+ throw new identitiesErrors.ErrorIdentitiesManagerInvalidIdentityId(
+ '"__proto__" is not a valid Identity ID',
+ );
+ }
 if (tran == null) {
 return this.db.withTransactionF((tran) =>
 this.putToken(providerId, identityId, providerToken, tran),
@@ -220,6 +230,11 @@ class IdentitiesManager {
 identityId: IdentityId,
 tran?: DBTransaction,
 ): Promise {
+ if (identityId === '__proto__') {
+ throw new identitiesErrors.ErrorIdentitiesManagerInvalidIdentityId(
+ '"__proto__" is not a valid Identity ID',
+ );
+ }
 if (tran == null) {
 return this.db.withTransactionF((tran) =>
 this.delToken(providerId, identityId, tran),
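Review bot: The guard `if (identityId === '__proto__')` is pasted verbatim into `getToken`, `putToken` and `delToken` here and into the method patched by the `@@ -245` hunk, so the rule lives in four places and the next method that accepts an `identityId` can miss it; one helper called on the first line of each method would keep them in step. The guard also covers only `identityId`, while `providerId` is forwarded by the same calls unvalidated; whether it ends up as an object key in the same way is not visible in these hunks and is worth confirming. If the underlying cause is tokens being kept in a plain object keyed by identity ID (inferred, not shown), a null-prototype object or a `Map` would remove the reserved key altogether instead of rejecting one literal. All three method bodies continue outside their hunks.

```typescript
// proposed helper, module scope in src/identities/IdentitiesManager.ts
function assertValidIdentityId(identityId: IdentityId): void {
  if (identityId === '__proto__') {
    throw new identitiesErrors.ErrorIdentitiesManagerInvalidIdentityId(
      '"__proto__" is not a valid Identity ID',
    );
  }
}

// in getToken, putToken, delToken and the method patched at -245,
// replacing the inline guard:
assertValidIdentityId(identityId);
// … unchanged: tran == null wrapper and the rest of each body …
```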
@@ -245,6 +260,11 @@ class IdentitiesManager {
 providerId: ProviderId,
 identityId: IdentityId,
 ) {
+ if (identityId === '__proto__') {
+ throw new identitiesErrors.ErrorIdentitiesManagerInvalidIdentityId(
+ '"__proto__" is not a valid Identity ID',
+ );
+ }
 // Check provider is authenticated
 const provider = this.getProvider(providerId);
 if (provider == null) {
diff --git a/src/identities/errors.ts b/src/identities/errors.ts
index 3a2d8ff647..211d5f2952 100644
--- a/src/identities/errors.ts
+++ b/src/identities/errors.ts
@@ -18,6 +18,11 @@ class ErrorIdentitiesManagerDestroyed extends ErrorIdentities {
 exitCode = sysexits.USAGE;
 }

+class ErrorIdentitiesManagerInvalidIdentityId extends ErrorIdentities {
+ static description = 'IdentitiesManager encountered an invalid Identity ID';
+ exitCode = sysexits.USAGE;
+}
+
 class ErrorProviderDuplicate extends ErrorIdentities {
 static description = 'Provider has already been registered';
 exitCode = sysexits.USAGE;
@@ -59,6 +64,7 @@ export {
 ErrorIdentitiesManagerRunning,
 ErrorIdentitiesManagerNotRunning,
 ErrorIdentitiesManagerDestroyed,
+ ErrorIdentitiesManagerInvalidIdentityId,
 ErrorProviderDuplicate,
 ErrorProviderCall,
 ErrorProviderAuthentication,
diff --git a/tests/identities/IdentitiesManager.test.ts b/tests/identities/IdentitiesManager.test.ts
index f9e6bf1319..1e10dd7d9e 100644
--- a/tests/identities/IdentitiesManager.test.ts
+++ b/tests/identities/IdentitiesManager.test.ts
@@ -114,19 +114,27 @@ describe('IdentitiesManager', () => {
 },
 );
 const providerId = 'test-provider' as ProviderId;
- await identitiesManager.putToken(providerId, identityId, providerToken);
- const providerToken_ = await identitiesManager.getToken(
- providerId,
- identityId,
- );
- expect(providerToken).toStrictEqual(providerToken_);
- await identitiesManager.delToken(providerId, identityId);
- await identitiesManager.delToken(providerId, identityId);
- const providerToken__ = await identitiesManager.getToken(
- providerId,
- identityId,
- );
- expect(providerToken__).toBeUndefined();
+ if (identityId === '__proto__') {
+ await expect(
+ identitiesManager.putToken(providerId, identityId, providerToken),
+ ).rejects.toBeInstanceOf(
+ identitiesErrors.ErrorIdentitiesManagerInvalidIdentityId,
+ );
+ } else {
+ await identitiesManager.putToken(providerId, identityId, providerToken);
+ const providerToken_ = await identitiesManager.getToken(
+ providerId,
+ identityId,
+ );
+ expect(providerToken).toStrictEqual(providerToken_);
+ await identitiesManager.delToken(providerId, identityId);
+ await identitiesManager.delToken(providerId, identityId);
+ const providerToken__ = await identitiesManager.getToken(
+ providerId,
+ identityId,
+ );
+ expect(providerToken__).toBeUndefined();
+ }
 await identitiesManager.stop();
 },
 );
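Review bot: The rejection assertion sits inside `if (identityId === '__proto__')`, so it runs only when the test's `identityId` input (produced outside the hunk) happens to be that string, and a run that never yields it passes without exercising the new guard; the `@@ -143` hunk has the same shape. Only `putToken` is asserted to reject, which leaves the guards added to `getToken`, `delToken` and the `@@ -245` method without coverage. A dedicated case with a fixed ID would pin them, for example `await expect(identitiesManager.getToken(providerId, '__proto__' as IdentityId)).rejects.toBeInstanceOf(identitiesErrors.ErrorIdentitiesManagerInvalidIdentityId);` and the equivalent line for `delToken`. The enclosing test callback starts outside the hunk.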
@@ -143,27 +151,35 @@ describe('IdentitiesManager', () => {
 fresh: true,
 });
 const providerId = 'test-provider' as ProviderId;
- await identitiesManager.putToken(providerId, identityId, providerToken);
- const testProvider = new TestProvider();
- identitiesManager.registerProvider(testProvider);
- await identitiesManager.stop();
+ if (identityId === '__proto__') {
+ await expect(
+ identitiesManager.putToken(providerId, identityId, providerToken),
+ ).rejects.toBeInstanceOf(
+ identitiesErrors.ErrorIdentitiesManagerInvalidIdentityId,
+ );
+ } else {
+ await identitiesManager.putToken(providerId, identityId, providerToken);
+ const testProvider = new TestProvider();
+ identitiesManager.registerProvider(testProvider);
+ await identitiesManager.stop();

- identitiesManager = await IdentitiesManager.createIdentitiesManager({
- db,
- keyRing: dummyKeyRing,
- gestaltGraph: dummyGestaltGraph,
- sigchain: dummySigchain,
- logger,
- });
- identitiesManager.registerProvider(testProvider);
- const providerToken_ = await identitiesManager.getToken(
- providerId,
- identityId,
- );
- expect(providerToken).toStrictEqual(providerToken_);
- expect(identitiesManager.getProviders()).toStrictEqual({
- [testProvider.id]: testProvider,
- });
+ identitiesManager = await IdentitiesManager.createIdentitiesManager({
+ db,
+ keyRing: dummyKeyRing,
+ gestaltGraph: dummyGestaltGraph,
+ sigchain: dummySigchain,
+ logger,
+ });
+ identitiesManager.registerProvider(testProvider);
+ const providerToken_ = await identitiesManager.getToken(
+ providerId,
+ identityId,
+ );
+ expect(providerToken).toStrictEqual(providerToken_);
+ expect(identitiesManager.getProviders()).toStrictEqual({
+ [testProvider.id]: testProvider,
+ });
+ }
 await identitiesManager.stop();
 },
 );