fix attack on /-/all/since?stale=update_after&startkey=2 close #336

Also add modified_time key to tag
cnpm · May 27, 2014 · 922f26b · 922f26b
1 parent 9371685
commit 922f26b
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 28 deletions.
diff --git a/docs/db.sql b/docs/db.sql
@@ -87,10 +87,12 @@ CREATE TABLE `tag` (
  `version` varchar(30) NOT NULL COMMENT 'module version',
  `module_id` bigint(20) unsigned NOT NULL COMMENT 'module id',
  PRIMARY KEY (`id`),
- UNIQUE KEY `name` (`name`, `tag`)
+ UNIQUE KEY `name` (`name`, `tag`),
+ KEY `gmt_modified` (`gmt_modified`)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8 COMMENT='module tag';
 -- ALTER TABLE  `tag` ADD  `module_id` BIGINT( 20 ) UNSIGNED NOT NULL;
 -- ALTER TABLE  `tag` CHANGE  `name`  `name` VARCHAR( 100 ) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL COMMENT  'module name';
+-- ALTER TABLE `tag` ADD KEY `gmt_modified` (`gmt_modified`);
 
 CREATE TABLE `total` (
  `name` varchar(100) NOT NULL COMMENT 'total name',

diff --git a/lib/common.js b/lib/common.js
@@ -21,6 +21,7 @@ var util = require('util');
 
 exports.getTarballFilepath = function (filename) {
   // ensure download file path unique
+  // TODO: not only .tgz, and also other extname
   var name = filename.replace(/\.tgz$/, '.' + crypto.randomBytes(16).toString('hex') + '.tgz');
   return path.join(config.uploadDir, name);
 };

diff --git a/proxy/module.js b/proxy/module.js
@@ -433,38 +433,16 @@ exports.listByName = function (name, callback) {
   });
 };
 
-var LIST_SINCE_SQLS = [];
-LIST_SINCE_SQLS.push(multiline(function () {;/*
-  SELECT
-    module_id
-  FROM
-    tag
-  WHERE
-    tag="latest" AND gmt_modified>?;
-*/}));
-LIST_SINCE_SQLS.push(multiline(function () {;/*
+var LIST_SINCE_SQL = multiline(function () {;/*
   SELECT
     distinct(name)
   FROM
-    module
+    tag
   WHERE
-    id IN (?);
-*/}));
+    gmt_modified > ?;
+*/});
 exports.listSince = function (start, callback) {
-  var ep = eventproxy.create();
-  ep.fail(callback);
-  mysql.query(LIST_SINCE_SQLS[0], [new Date(start)], ep.done(function (rows) {
-    if (!rows || rows.length === 0) {
-      return callback(null, []);
-    }
-    ep.emit('ids', rows.map(function (r) {
-      return r.module_id;
-    }));
-  }));
-
-  ep.once('ids', function (ids) {
-    mysql.query(LIST_SINCE_SQLS[1], [ids], callback);
-  });
+  mysql.query(LIST_SINCE_SQL, [new Date(start)], callback);
 };
 
 var LIST_ALL_NAME_SQL = multiline(function () {;/*

diff --git a/test/controllers/registry/module.test.js b/test/controllers/registry/module.test.js
@@ -557,6 +557,8 @@ describe('controllers/registry/module.test.js', function () {
       request(app)
       .get('/-/all/since?stale=update_after&startkey=0')
       .expect(200, function (err, res) {
+        should.not.exist(err);
+        should.exist(res.body);
         res.body.should.be.an.Object;
         res.body._updated.should.be.a.Number;
         var keys = Object.keys(res.body);
@@ -569,6 +571,8 @@ describe('controllers/registry/module.test.js', function () {
       request(app)
       .get('/-/all/since?stale=update_after&startkey=' + (Date.now() * 2))
       .expect(200, function (err, res) {
+        should.not.exist(err);
+        should.exist(res.body);
         res.body.should.be.an.Object;
         res.body._updated.should.be.a.Number;
         res.body.should.eql({