StyAndCo/zappyzep
3
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Disallow anchors/aliases to objects when loading config YAML

Browse source
This commit is contained in:
Dragory 2021-08-14 18:22:29 +03:00
parent e8e764c3b7
commit cb8d914fef
No known key found for this signature in database
GPG key ID: 5F387BA66DF8AAC1
5 changed files with 96 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

10
backend/src/api/guilds.ts
View file

@ -1,6 +1,6 @@
import { ApiPermissions } from "@shared/apiPermissions";
import express, { Request, Response } from "express";
import yaml, { YAMLException } from "js-yaml";
import { YAMLException } from "js-yaml";
import { validateGuildConfig } from "../configValidator";
import { AllowedGuilds } from "../data/AllowedGuilds";
import { ApiPermissionAssignments } from "../data/ApiPermissionAssignments";
@ -8,6 +8,8 @@ import { Configs } from "../data/Configs";
import { apiTokenAuthHandlers } from "./auth";
import { hasGuildPermission, requireGuildPermission } from "./permissions";
import { clientError, ok, serverError, unauthorized } from "./responses";
import { loadYamlSafely } from "../utils/loadYamlSafely";
import { ObjectAliasError } from "../utils/validateNoObjectAliases";
const apiPermissionAssignments = new ApiPermissionAssignments();
@ -61,12 +63,16 @@ export function initGuildsAPI(app: express.Express) {
// Validate config
let parsedConfig;
try {
parsedConfig = yaml.safeLoad(config);
parsedConfig = loadYamlSafely(config);
} catch (e) {
if (e instanceof YAMLException) {
return res.status(400).json({ errors: [e.message] });
}
if (e instanceof ObjectAliasError) {
return res.status(400).json({ errors: [e.message] });
}
// tslint:disable-next-line:no-console
console.error("Error when loading YAML: " + e.message);
return serverError(res, "Server error");