moon
/
sync
mirror of https://github.com/calzoneman/sync.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #314 from calzoneman/dev 

Dev
This commit is contained in:
Calvin Montgomery 2013-12-05 19:32:56 -08:00
parent d0544a8eb8 3ced278bd0
commit 1a44d7ca31
5 changed files with 176 additions and 73 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

125
lib/api.js
View File

@ -183,9 +183,9 @@ module.exports = function (Server) {
app.post("/api/login", function (req, res) { app.post("/api/login", function (req, res) {
res.type("application/jsonp"); res.type("application/jsonp");
res.setHeader("Access-Control-Allow-Origin", "*"); res.setHeader("Access-Control-Allow-Origin", "*");
var name = req.body.name; var name = req.body.name || "";
var pw = req.body.pw; var pw = req.body.pw || "";
var session = req.body.session; var session = req.body.session || "";
// for some reason CyTube previously allowed guest logins // for some reason CyTube previously allowed guest logins
// over the API...wat // over the API...wat
@ -226,6 +226,15 @@ module.exports = function (Server) {
res.setHeader("Access-Control-Allow-Origin", "*"); res.setHeader("Access-Control-Allow-Origin", "*");
var name = req.body.name; var name = req.body.name;
var pw = req.body.pw; var pw = req.body.pw;
if (typeof name !== "string" ||
typeof pw !== "string") {
res.status(400);
res.jsonp({
success: false,
error: "Invalid request"
});
return;
}
var ip = getIP(req); var ip = getIP(req);
// Limit registrations per IP within a certain time period // Limit registrations per IP within a certain time period
@ -300,6 +309,17 @@ module.exports = function (Server) {
var oldpw = req.body.oldpw; var oldpw = req.body.oldpw;
var newpw = req.body.newpw; var newpw = req.body.newpw;
if (typeof name !== "string" ||
typeof oldpw !== "string" ||
typeof newpw !== "string") {
res.status(400);
res.jsonp({
success: false,
error: "Invalid request"
});
return;
}
if(!oldpw || !newpw) { if(!oldpw || !newpw) {
res.jsonp({ res.jsonp({
success: false, success: false,
@ -340,6 +360,15 @@ module.exports = function (Server) {
res.setHeader("Access-Control-Allow-Origin", "*"); res.setHeader("Access-Control-Allow-Origin", "*");
var name = req.body.name; var name = req.body.name;
var email = req.body.email; var email = req.body.email;
if (typeof name !== "string" ||
typeof email !== "string") {
res.status(400);
res.jsonp({
success: false,
error: "Invalid request"
});
return;
}
var ip = getIP(req); var ip = getIP(req);
var hash = false; var hash = false;
@ -407,6 +436,14 @@ module.exports = function (Server) {
app.get("/api/account/passwordrecover", function (req, res) { app.get("/api/account/passwordrecover", function (req, res) {
res.type("application/jsonp"); res.type("application/jsonp");
var hash = req.query.hash; var hash = req.query.hash;
if (typeof hash !== "string") {
res.status(400);
res.jsonp({
success: false,
error: "Invalid request"
});
return;
}
var ip = getIP(req); var ip = getIP(req);
db.recoverUserPassword(hash, function (err, auth) { db.recoverUserPassword(hash, function (err, auth) {
@ -457,6 +494,25 @@ module.exports = function (Server) {
var session = req.body.session; var session = req.body.session;
var img = req.body.profile_image; var img = req.body.profile_image;
var text = req.body.profile_text; var text = req.body.profile_text;
if (typeof name !== "string" ||
typeof session !== "string" ||
typeof img !== "string" ||
typeof text !== "string") {
res.status(400);
res.jsonp({
success: false,
error: "Invalid request"
});
return;
}
if (img.length > 255) {
img = img.substring(0, 255);
}
if (text.length > 255) {
text = text.substring(0, 255);
}
db.userLoginSession(name, session, function (err, row) { db.userLoginSession(name, session, function (err, row) {
if(err) { if(err) {
@ -507,6 +563,18 @@ module.exports = function (Server) {
var pw = req.body.pw; var pw = req.body.pw;
var email = req.body.email; var email = req.body.email;
if (typeof name !== "string" ||
typeof pw !== "string" ||
typeof email !== "string") {
res.status(400);
res.jsonp({
success: false,
error: "Invalid request"
});
return;
}
if(!email.match(/^[\w_\.]+@[\w_\.]+[a-z]+$/i)) { if(!email.match(/^[\w_\.]+@[\w_\.]+[a-z]+$/i)) {
res.jsonp({ res.jsonp({
success: false, success: false,
@ -555,6 +623,16 @@ module.exports = function (Server) {
var name = req.query.name; var name = req.query.name;
var session = req.query.session; var session = req.query.session;
if (typeof name !== "string" ||
typeof session !== "string") {
res.status(400);
res.jsonp({
success: false,
error: "Invalid request"
});
return;
}
db.userLoginSession(name, session, function (err, row) { db.userLoginSession(name, session, function (err, row) {
if(err) { if(err) {
res.jsonp({ res.jsonp({
@ -593,6 +671,17 @@ module.exports = function (Server) {
var session = req.query.session; var session = req.query.session;
var types = req.query.actions; var types = req.query.actions;
if (typeof name !== "string" ||
typeof session !== "string" ||
typeof types !== "string") {
res.status(400);
res.jsonp({
success: false,
error: "Invalid request"
});
return;
}
db.userLoginSession(name, session, function (err, row) { db.userLoginSession(name, session, function (err, row) {
if(err) { if(err) {
if(err !== "Invalid session" && if(err !== "Invalid session" &&
@ -644,6 +733,16 @@ module.exports = function (Server) {
var name = req.query.name; var name = req.query.name;
var session = req.query.session; var session = req.query.session;
if (typeof name !== "string" ||
typeof session !== "string") {
res.status(400);
res.jsonp({
success: false,
error: "Invalid request"
});
return;
}
db.userLoginSession(name, session, function (err, row) { db.userLoginSession(name, session, function (err, row) {
if(err) { if(err) {
if(err !== "Invalid session" && if(err !== "Invalid session" &&
@ -671,6 +770,16 @@ module.exports = function (Server) {
var name = req.query.name; var name = req.query.name;
var session = req.query.session; var session = req.query.session;
if (typeof name !== "string" ||
typeof session !== "string") {
res.status(400);
res.jsonp({
success: false,
error: "Invalid request"
});
return;
}
db.userLoginSession(name, session, function (err, row) { db.userLoginSession(name, session, function (err, row) {
if(err) { if(err) {
if(err !== "Invalid session" && if(err !== "Invalid session" &&
@ -698,6 +807,16 @@ module.exports = function (Server) {
var name = req.query.name; var name = req.query.name;
var session = req.query.session; var session = req.query.session;
if (typeof name !== "string" ||
typeof session !== "string") {
res.status(400);
res.jsonp({
success: false,
error: "Invalid request"
});
return;
}
db.userLoginSession(name, session, function (err, row) { db.userLoginSession(name, session, function (err, row) {
if(err) { if(err) {
if(err !== "Invalid session" && if(err !== "Invalid session" &&

60
lib/channel.js
View File

@ -826,6 +826,9 @@ Channel.prototype.handlePendingJoins = function () {
}; };
Channel.prototype.userJoin = function(user, password) { Channel.prototype.userJoin = function(user, password) {
if (typeof password === "string" && password.length > 100) {
password = password.substring(0, 100);
}
var self = this; var self = this;
if (!self.ready) { if (!self.ready) {
self.addPendingJoin(user, password); self.addPendingJoin(user, password);
@ -1869,12 +1872,13 @@ Channel.prototype.tryUpdate = function(user, data) {
return; return;
} }
if(this.playlist.current.media.id != data.id) { if (this.playlist.current.media.id !== data.id ||
isNaN(+data.currentTime)) {
return; return;
} }
this.playlist.current.media.currentTime = data.currentTime; this.playlist.current.media.currentTime = +data.currentTime;
this.playlist.current.media.paused = data.paused; this.playlist.current.media.paused = Boolean(data.paused);
this.sendAll("mediaUpdate", this.playlist.current.media.timeupdate()); this.sendAll("mediaUpdate", this.playlist.current.media.timeupdate());
} }
@ -1928,6 +1932,10 @@ Channel.prototype.tryOpenPoll = function(user, data) {
return; return;
} }
for (var i = 0; i < data.opts.length; i++) {
data.opts[i] = ""+data.opts[i];
}
var obscured = (data.obscured === true); var obscured = (data.obscured === true);
var poll = new Poll(user.name, data.title, data.opts, obscured); var poll = new Poll(user.name, data.title, data.opts, obscured);
this.poll = poll; this.poll = poll;
@ -2013,10 +2021,7 @@ Channel.prototype.trySetLock = function(user, data) {
return; return;
} }
if(data.locked == undefined) { data.locked = Boolean(data.locked);
return;
}
this.logger.log("*** " + user.name + " set playlist lock to " + data.locked); this.logger.log("*** " + user.name + " set playlist lock to " + data.locked);
this.setLock(data.locked); this.setLock(data.locked);
} }
@ -2036,6 +2041,11 @@ Channel.prototype.tryRemoveFilter = function(user, f) {
return; return;
} }
// Don't care about the other parameters since we're just removing
if (typeof f.name !== "string") {
return;
}
this.logger.log("%%% " + user.name + " removed filter: " + f.name); this.logger.log("%%% " + user.name + " removed filter: " + f.name);
this.removeFilter(f); this.removeFilter(f);
} }
@ -2079,6 +2089,14 @@ Channel.prototype.tryUpdateFilter = function(user, f) {
return; return;
} }
if (f.replace.length > 1000) {
f.replace = f.replace.substring(0, 1000);
}
if (f.flags.length > 4) {
f.flags = f.flags.substring(0, 4);
}
var re = f.source; var re = f.source;
var flags = f.flags; var flags = f.flags;
// Temporary fix // Temporary fix
@ -2304,7 +2322,10 @@ Channel.prototype.tryUpdateMotd = function(user, data) {
return; return;
} }
data.motd = data.motd || ""; if (data.motd.length > 20000) {
data.motd = data.motd.substring(0, 20000);
}
this.updateMotd(data.motd); this.updateMotd(data.motd);
this.logger.log("%%% " + user.name + " set the MOTD"); this.logger.log("%%% " + user.name + " set the MOTD");
} }
@ -2432,29 +2453,6 @@ Channel.prototype.sendMessage = function (user, msg, meta, filter) {
} }
}; };
Channel.prototype.sendMessageOld = function(username, msg, msgclass, data) {
// I don't want HTML from strangers
msg = sanitize(msg).escape();
msg = this.filterMessage(msg);
var msgobj = {
username: username,
msg: msg,
msgclass: msgclass,
time: Date.now()
};
if(data) {
for(var key in data) {
msgobj[key] = data[key];
}
}
this.sendAll("chatMsg", msgobj);
this.chatbuffer.push(msgobj);
if(this.chatbuffer.length > 15)
this.chatbuffer.shift();
var unescaped = sanitize(msg).entityDecode();
this.logger.log("<" + username + "." + msgclass + "> " + unescaped);
};
/* REGION Rank stuff */ /* REGION Rank stuff */
Channel.prototype.trySetRank = function(user, data) { Channel.prototype.trySetRank = function(user, data) {

10
lib/poll.js
View File

@ -8,11 +8,19 @@ The above copyright notice and this permission notice shall be included in all c
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
*/ */
const link = /(\w+:\/\/(?:[^:\/\[\]\s]+|\[[0-9a-f:]+\])(?::\d+)?(?:\/[^\/\s]*)*)/ig;
var XSS = require("./xss");
var Poll = function(initiator, title, options, obscured) { var Poll = function(initiator, title, options, obscured) {
this.initiator = initiator; this.initiator = initiator;
this.title = title; title = XSS.sanitizeText(title);
this.title = title.replace(link, "<a href=\"$1\" target=\"_blank\">$1</a>");
this.options = options; this.options = options;
for (var i = 0; i < this.options.length; i++) {
this.options[i] = XSS.sanitizeText(this.options[i]);
this.options[i] = this.options[i].replace(link, "<a href=\"$1\" target=\"_blank\">$1</a>");
}
this.obscured = obscured || false; this.obscured = obscured || false;
this.counts = new Array(options.length); this.counts = new Array(options.length);
for(var i = 0; i < this.counts.length; i++) { for(var i = 0; i < this.counts.length; i++) {

48
lib/user.js
View File

@ -34,8 +34,6 @@ var User = function (socket) {
afk: false, afk: false,
icon: false icon: false
}; };
this.throttle = {};
this.flooded = {};
this.queueLimiter = $util.newRateLimiter(); this.queueLimiter = $util.newRateLimiter();
this.chatLimiter = $util.newRateLimiter(); this.chatLimiter = $util.newRateLimiter();
this.profile = { this.profile = {
@ -59,38 +57,6 @@ User.prototype.inPendingChannel = function () {
return this.pendingChannel != null && !this.pendingChannel.dead; return this.pendingChannel != null && !this.pendingChannel.dead;
}; };
// Throttling/cooldown
User.prototype.noflood = function (name, hz) {
var time = new Date().getTime();
if (!(name in this.throttle)) {
this.throttle[name] = [time];
return false;
} else if (name in this.flooded && time < this.flooded[name]) {
this.socket.emit("noflood", {
action: name,
msg: "You're still on cooldown!"
});
return true;
} else {
this.throttle[name].push(time);
var diff = (time - this.throttle[name][0]) / 1000.0;
// Twice might be an accident, more than that is probably spam
if (this.throttle[name].length > 2) {
var rate = this.throttle[name].length / diff;
this.throttle[name] = [time];
if (rate > hz) {
this.flooded[name] = time + 5000;
this.socket.emit("noflood", {
action: name,
msg: "Stop doing that so fast! Cooldown: 5s"
});
return true;
}
return false;
}
}
};
User.prototype.setAFK = function (afk) { User.prototype.setAFK = function (afk) {
if (!this.inChannel()) if (!this.inChannel())
return; return;
@ -149,8 +115,9 @@ User.prototype.initCallbacks = function () {
self.socket.on("joinChannel", function (data) { self.socket.on("joinChannel", function (data) {
data = (typeof data !== "object") ? {} : data; data = (typeof data !== "object") ? {} : data;
if (self.inChannel() || self.inPendingChannel()) if (self.inChannel() || self.inPendingChannel()) {
return; return;
}
if (typeof data.name != "string") { if (typeof data.name != "string") {
return; return;
} }
@ -166,6 +133,7 @@ User.prototype.initCallbacks = function () {
self.pendingChannel = self.server.getChannel(data.name); self.pendingChannel = self.server.getChannel(data.name);
if (self.loggedIn) { if (self.loggedIn) {
// TODO fix // TODO fix
// I'm not sure what I meant by "fix", but I suppose I'll find out soon
self.pendingChannel.getRank(self.name, function (err, rank) { self.pendingChannel.getRank(self.name, function (err, rank) {
if (!err && rank > self.rank) if (!err && rank > self.rank)
self.rank = rank; self.rank = rank;
@ -187,6 +155,8 @@ User.prototype.initCallbacks = function () {
var session = (typeof data.session === "string") ? data.session : ""; var session = (typeof data.session === "string") ? data.session : "";
if (pw.length > 100) if (pw.length > 100)
pw = pw.substring(0, 100); pw = pw.substring(0, 100);
if (session.length > 64)
session = session.substring(0, 64);
if (self.loggedIn) if (self.loggedIn)
return; return;
@ -342,6 +312,10 @@ User.prototype.initCallbacks = function () {
if (typeof data.query !== "string") { if (typeof data.query !== "string") {
return; return;
} }
// Soft limit to prevent someone from making a massive query
if (data.query.length > 255) {
data.query = data.query.substring(0, 255);
}
if (data.source === "yt") { if (data.source === "yt") {
var searchfn = InfoGetter.Getters.ytSearch; var searchfn = InfoGetter.Getters.ytSearch;
searchfn(data.query.split(" "), function (e, vids) { searchfn(data.query.split(" "), function (e, vids) {
@ -526,6 +500,10 @@ User.prototype.initCallbacks = function () {
if (typeof data.name !== "string") { if (typeof data.name !== "string") {
return; return;
} }
// Soft limit to prevent someone from saving a list with a massive name
if (data.name.length > 200) {
data.name = data.name.substring(0, 200);
}
if (self.rank < 1) { if (self.rank < 1) {
self.socket.emit("savePlaylist", { self.socket.emit("savePlaylist", {
success: false, success: false,

6
www/assets/js/callbacks.js
View File

@ -1100,7 +1100,7 @@ Callbacks = {
newPoll: function(data) { newPoll: function(data) {
Callbacks.closePoll(); Callbacks.closePoll();
var pollMsg = $("<div/>").addClass("poll-notify") var pollMsg = $("<div/>").addClass("poll-notify")
.text(data.initiator + " opened a poll: \"" + data.title + "\"") .html(data.initiator + " opened a poll: \"" + data.title + "\"")
.appendTo($("#messagebuffer")); .appendTo($("#messagebuffer"));
scrollChat(); scrollChat();
@ -1116,7 +1116,7 @@ Callbacks = {
}); });
} }
$("<h3/>").text(data.title).appendTo(poll); $("<h3/>").html(data.title).appendTo(poll);
for(var i = 0; i < data.options.length; i++) { for(var i = 0; i < data.options.length; i++) {
(function(i) { (function(i) {
var callback = function () { var callback = function () {
@ -1129,7 +1129,7 @@ Callbacks = {
$(this).parent().addClass("option-selected"); $(this).parent().addClass("option-selected");
} }
$("<button/>").addClass("btn").text(data.counts[i]) $("<button/>").addClass("btn").text(data.counts[i])
.prependTo($("<div/>").addClass("option").text(data.options[i]) .prependTo($("<div/>").addClass("option").html(data.options[i])
.appendTo(poll)) .appendTo(poll))
.click(callback); .click(callback);
})(i); })(i);