jschaufuss/DiceCloud
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Hardened archive upload slightly

Browse Source
This commit is contained in:
Stefan Zermatten
2022-07-24 14:17:39 +02:00
parent 8b62bac83f
commit f88ffcf0c3
4 changed files with 33 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
app/imports/api/creature/archive/methods/restoreCreatureFromFile.js
View File

@@ -10,6 +10,7 @@ import { removeCreatureWork } from '/imports/api/creature/creatures/methods/remo
import ArchiveCreatureFiles from '/imports/api/creature/archive/ArchiveCreatureFiles.js';
import assertHasCharactersSlots from '/imports/api/creature/creatures/methods/assertHasCharacterSlots.js';
import { incrementFileStorageUsed } from '/imports/api/users/methods/updateFileStorageUsed.js';
import verifyArchiveSafety from '/imports/api/creature/archive/methods/verifyArchiveSafety.js';
let migrateArchive;
if (Meteor.isServer){
@@ -25,6 +26,9 @@ function restoreCreature(archive, userId){
// Migrate and verify the archive meets the current schema
migrateArchive(archive);
// Asset that the archive is safe
verifyArchiveSafety(archive);
// Don't upload creatures twice
const existingCreature = Creatures.findOne(archive.creature._id, {
fields: { _id: 1 }

28
app/imports/api/creature/archive/methods/verifyArchiveSafety.js Normal file
View File

@@ -0,0 +1,28 @@
import { slice } from 'lodash';
import PER_CREATURE_LOG_LIMIT from '/imports/api/creature/log/CreatureLogs.js';
export default function verifyArchiveSafety({ meta, creature, properties, experiences, logs }){
const creatureId = creature._id;
// Check lengths of arrays
if (logs.length > PER_CREATURE_LOG_LIMIT) {
logs = slice(logs, 0, PER_CREATURE_LOG_LIMIT);
}
// Check that everything belongs to the right creature
logs.forEach(log => {
if (log.creatureId !== creatureId) {
throw new Meteor.Error('Malicious log', 'Log contains an entry for the wrong creature');
}
});
experiences.forEach(experience => {
if (experience.creatureId !== creatureId) {
throw new Meteor.Error('Malicious experience', 'Experiences contains an entry for the wrong creature');
}
});
properties.forEach(prop => {
if (prop.ancestors[0].id !== creatureId) {
throw new Meteor.Error('Malicious prop', 'Properties contains an entry for the wrong creature');
}
});
}

2
app/imports/api/creature/log/CreatureLogs.js
View File

@@ -211,4 +211,4 @@ const logRoll = new ValidatedMethod({
});
export default CreatureLogs;
export { CreatureLogSchema, insertCreatureLog, logRoll};
export { CreatureLogSchema, insertCreatureLog, logRoll, PER_CREATURE_LOG_LIMIT};

12
app/imports/migrations/v1Migration/migrateCharacter.js
View File

@@ -1,12 +0,0 @@
import { fetch } from 'meteor/fetch'
export default function importCharacter(url){
// Using v1's JSON API to fetch the character data in a usable format
// url -> https://dicecloud.com/character/<id>/json?key=<key>
fetch(url)
.then(response => response.json())
.then(data => {
let character = data.characters[0];
console.log(character.name + ' fetched successfuly')
});
}