Fix XSS.

6 years ago · 870d8c3af5
15 changed files with 34 additions and 31 deletions
--- a/app.js
+++ b/app.js
@ -1,5 +1,6 @@
 let fs = require('fs'),
    path = require('path');
+const serializejs = require('serialize-javascript');

 const commandLineArgs = require('command-line-args');
 const optionDefinitions = [
@ -52,6 +53,7 @@ global.syzoj = {

    // Use cookie parser
    app.use(require('cookie-parser')());
+    app.locals.serializejs = serializejs;

    let multer = require('multer');
    app.multer = multer({ dest: syzoj.utils.resolvePath(syzoj.config.upload_dir, 'tmp') });
--- a/package.json
+++ b/package.json
@ -43,12 +43,12 @@
    "jsondiffpatch": "0.2.5",
    "jsonwebtoken": "^8.4.0",
    "katex": "^0.10.0",
+    "mariadb": "^2.0.2-rc",
    "mathjax-node": "^2.1.1",
    "moemark": "^0.3.10",
-    "moment": "^2.23.0",
+    "moment": "^2.24.0",
    "msgpack-lite": "^0.1.26",
    "multer": "^1.2.0",
-    "mariadb": "^2.0.2-rc",
    "node-7z": "^0.4.0",
    "nodemailer": "^4.7.0",
    "object-assign-deep": "^0.4.0",
@ -58,6 +58,7 @@
    "request-promise": "^4.1.1",
    "sendmail": "^1.1.1",
    "sequelize": "^5.0.0-beta.15",
+    "serialize-javascript": "^1.6.1",
    "session-file-store": "^1.0.0",
    "socket.io": "^2.2.0",
    "stream-to-string": "^1.1.0",
--- a/views/admin_links.ejs
+++ b/views/admin_links.ejs
@ -62,7 +62,7 @@ this.adminPage = 'links';
 </form>

 <script>
-var links = <%- JSON.stringify(links) %>;
+var links = <%- serializejs(links) %>;
 $('.remove_link').click(function () {
  links.splice($(this).data('id'), 1);
  $('#submit_data').val(JSON.stringify(links));
--- a/views/admin_raw.ejs
+++ b/views/admin_raw.ejs
@ -3,7 +3,7 @@
 <form method="post" class="ui form">

 <div id="editor" style="border: 1px solid #D4D4D5; height: 500px; margin-bottom: 20px; "></div>
-<script>$('#editor').text(<%- JSON.stringify(data) %>)</script>
+<script>$('#editor').text(<%- serializejs(data) %>)</script>
 <input type="hidden" name="data">

 <script src="<%- lib('ace/1.4.2/ace.js') %>"></script>
--- a/views/forget_confirm.ejs
+++ b/views/forget_confirm.ejs
@ -50,7 +50,7 @@ function submitForm() {
        url: "/api/reset_password",
        type: 'POST',
        data: {
-            "token": <%- JSON.stringify(token) %>,
+            "token": <%- serializejs(token) %>,
            "password": password
        },
        async: true,
--- a/views/index.ejs
+++ b/views/index.ejs
@ -56,7 +56,7 @@
                    <td style="font-content">
                      <script id="user-infomation-script-<%= i %>">
                      (function () {
-                        var html = <%- JSON.stringify(user.information) %>;
+                        var html = <%- serializejs(user.information) %>;
                        var elem = document.createElement('div');
                        elem.style = 'overflow: hidden; width: 100%; position: relative; ';
                        elem.style.maxHeight = lineHeight + 'px';
--- a/views/login.ejs
+++ b/views/login.ejs
@ -50,7 +50,7 @@ function show_error(error) {
    $("#error").show();
 }
 function success(session_id) {
-    window.location.href = location.protocol + '//' + location.host + <%- JSON.stringify(req.query.url || '/') %>;
+    window.location.href = location.protocol + '//' + location.host + <%- serializejs(req.query.url || '/') %>;
 }
 function login() {
    password = md5($("#password").val() + "syzoj2_xxx");
--- a/views/problem.ejs
+++ b/views/problem.ejs
@ -237,7 +237,7 @@ div[class*=ace_br] {
              }
              %>
              <script>
-              var cases = <%- JSON.stringify(cases) %>, currCase = 0;
+              var cases = <%- serializejs(cases) %>, currCase = 0;
              </script>
              <div class="ui grid">
                <% if (testcases) { %>
@ -325,7 +325,7 @@ div[class*=ace_br] {
                </div>
                <div class="twelve wide stretched column" style="padding-left: 0; margin-left: calc(-1rem - 1px); width: calc(75% + 1rem + 1px + 25px) !important; ">
                  <div id="editor" style="border: 1px solid #D4D4D5; "></div>
-                  <% if (state) { %><script>$('#editor').text(<%- JSON.stringify(state.code) %>)</script><% } %>
+                  <% if (state) { %><script>$('#editor').text(<%- serializejs(state.code) %>)</script><% } %>
                </div>
                <div class="inline fields" style="width: 100%; ">
                <div class="field" style="margin: 0 auto; ">
--- a/views/problem_data.ejs
+++ b/views/problem_data.ejs
@ -145,7 +145,7 @@ function getIcon(filename) {
        </div>
        <script>
        function check_replace() {
-          var old_files = <%- JSON.stringify((testdata && testdata.files ? testdata.files : []).map(function(x) { return x.filename; })) %>;
+          var old_files = <%- serializejs((testdata && testdata.files ? testdata.files : []).map(function(x) { return x.filename; })) %>;
          var replaced_files = Array.prototype.slice.call($('#upload_file')[0].files).map(function (x) { return x.name; }).filter(function (x) { return old_files.includes(x); });
          var s = '';
          for (let file of replaced_files) s += '<samp>' + file + '</samp><br>';
--- a/views/ranklist.ejs
+++ b/views/ranklist.ejs
@ -42,7 +42,7 @@
 		        	<td class="font-content">
              <script id="user-infomation-script-<%= i %>">
              (function () {
-                var html = <%- JSON.stringify(user.information) %>;
+                var html = <%- serializejs(user.information) %>;
                var elem = document.createElement('div');
                elem.style = 'overflow: hidden; width: 100%; position: relative; ';
                elem.style.maxHeight = lineHeight + 'px';
--- a/views/sign_up.ejs
+++ b/views/sign_up.ejs
@ -37,7 +37,7 @@ function show_error(error) {

 function success() {
    alert("注册成功！");
-    window.location.href = location.protocol + '//' + location.host + <%- JSON.stringify(req.query.url || '/') %>;
+    window.location.href = location.protocol + '//' + location.host + <%- serializejs(req.query.url || '/') %>;
 }

 function mail_required() {
@ -63,7 +63,7 @@ function submit() {
          username: $("#username").val(),
          password: password,
          email: $("#email").val(),
-          prevUrl: <%- JSON.stringify(req.query.url || '/') %>
+          prevUrl: <%- serializejs(req.query.url || '/') %>
        },
        success: function(data) {
            error_code = data.error_code;
--- a/views/statistics.ejs
+++ b/views/statistics.ejs
@ -103,7 +103,7 @@ function getColorOfScore(score) {
  <script type="text/javascript">
  new Morris.Bar({
  	element: 'score-distribution-chart',
-  	data: <%- JSON.stringify(statistics.scoreDistribution) %>,
+  	data: <%- serializejs(statistics.scoreDistribution) %>,
  	barColors: function(r, s, type) {
  		return getColorOfScore(r.label);
  	},
@ -129,7 +129,7 @@ function getColorOfScore(score) {
  %>
  new Morris.Line({
  	element: 'score-distribution-chart-pre',
-    data: <%- JSON.stringify(statistics.prefixSum) %>,
+    data: <%- serializejs(statistics.prefixSum) %>,
  	xkey: 'score',
  	ykeys: ['count'],
  	labels: ['number'],
@ -161,7 +161,7 @@ function getColorOfScore(score) {
  %>
  new Morris.Line({
  	element: 'score-distribution-chart-suf',
-    data: <%- JSON.stringify(statistics.suffixSum) %>,
+    data: <%- serializejs(statistics.suffixSum) %>,
  	xkey: 'score',
  	ykeys: ['count'],
  	labels: ['number'],
--- a/views/submission.ejs
+++ b/views/submission.ejs
@ -149,8 +149,8 @@ Vue.component("code-box", {
    props: ['title', 'content', 'escape']
 });
 const socketUrl = "/detail";
-const displayConfig = <%- JSON.stringify(displayConfig) %>;
-const token = <%- JSON.stringify(socketToken) %>;
+const displayConfig = <%- serializejs(displayConfig) %>;
+const token = <%- serializejs(socketToken) %>;

 const TestcaseResultType = {};
 (function (TestcaseResultType) {
@ -187,8 +187,8 @@ const TaskStatus = {};
    TaskStatus[TaskStatus["Skipped"] = 4] = "Skipped";
 })(TaskStatus);

-const unformattedCode = <%- JSON.stringify(code) %>;
-const formattedCode = <%- JSON.stringify(formattedCode) %>;
+const unformattedCode = <%- serializejs(code) %>;
+const formattedCode = <%- serializejs(formattedCode) %>;

 function toggleFormattedCode() {
  if (vueApp.currentFormatted) {
@ -204,14 +204,14 @@ const vueApp = new Vue({
  el: '#vueAppFuckSafari',
  data: {
    roughData: {
-      info: <%- JSON.stringify(info) %>,
-      result: <%- JSON.stringify(roughResult) %>,
+      info: <%- serializejs(info) %>,
+      result: <%- serializejs(roughResult) %>,
      running: false,
      displayConfig: displayConfig
    },
-    code: <%- JSON.stringify(preferFormattedCode && formattedCode !== null) -%> ? formattedCode : unformattedCode,
-    currentFormatted: <%- JSON.stringify(preferFormattedCode && formattedCode !== null) -%>,
-    detailResult: <%- JSON.stringify(detailResult) %>,
+    code: <%- serializejs(preferFormattedCode && formattedCode !== null) -%> ? formattedCode : unformattedCode,
+    currentFormatted: <%- serializejs(preferFormattedCode && formattedCode !== null) -%>,
+    detailResult: <%- serializejs(detailResult) %>,
    displayConfig: displayConfig,
  },
  computed: {
--- a/views/submissions.ejs
+++ b/views/submissions.ejs
@ -74,7 +74,7 @@
      <script>
      $(function () {
        $('#my_submit').click(function () {
-          $('[name=submitter]').val(<%- JSON.stringify(user.username) %>);
+          $('[name=submitter]').val(<%- serializejs(user.username) %>);
          $('#form').submit();
        });
      });
@ -129,9 +129,9 @@ $(function () {
  $('#select_language').dropdown();
  $('#select_status').dropdown();
 });
-const itemList = <%- JSON.stringify(items) %>;
+const itemList = <%- serializejs(items) %>;
 const socketUrl = "/rough";
-const displayConfig = <%- JSON.stringify(displayConfig) %>;
+const displayConfig = <%- serializejs(displayConfig) %>;

 const vueApp = new Vue({
  el: '#vueAppFuckSafari',
--- a/views/submissions_item.ejs
+++ b/views/submissions_item.ejs
@ -10,13 +10,13 @@ function formatSize(x, precision) {
  return fixed + ' ' + unit;
 }

-const submissionUrl = <%- JSON.stringify(displayConfig.inContest ?
+const submissionUrl = <%- serializejs(displayConfig.inContest ?
  syzoj.utils.makeUrl(['contest', 'submission', '20000528']) :
  syzoj.utils.makeUrl(['submission', '20000528'])) %>;
-const problemUrl = <%- JSON.stringify(displayConfig.inContest ?
+const problemUrl = <%- serializejs(displayConfig.inContest ?
  syzoj.utils.makeUrl(['contest', contest.id, 'problem', '20000528']) :
  syzoj.utils.makeUrl(['problem', '20000528'])) %>;
-const userUrl = <%- JSON.stringify(syzoj.utils.makeUrl(['user', '20000528'])) %>;
+const userUrl = <%- serializejs(syzoj.utils.makeUrl(['user', '20000528'])) %>;

 Vue.component('submission-item', {
  template: '#submissionItemTemplate',