Merge pull request #3849 from weseek/fix/70354-adjust-access-token-parser

Fix/70354

package.json

@@ -109,6 +109,7 @@
     "express": "^4.16.1",
     "express-bunyan-logger": "^1.3.3",
     "express-form": "~0.12.0",
+    "express-mongo-sanitize": "^2.1.0",
     "express-session": "^1.16.1",
     "express-validator": "^6.1.1",
     "express-webpack-assets": "^0.1.0",

src/server/crowi/express-init.js

@@ -11,6 +11,7 @@ module.exports = function(crowi, app) {
   const passport = require('passport');
   const expressSession = require('express-session');
   const flash = require('connect-flash');
+  const mongoSanitize = require('express-mongo-sanitize');
   const swig = require('swig-templates');
   const webpackAssets = require('express-webpack-assets');
   const i18next = require('i18next');
@@ -116,6 +117,7 @@ module.exports = function(crowi, app) {
   app.use(passport.session());
 
   app.use(flash());
+  app.use(mongoSanitize());
 
   app.use(promster);
   app.use(registerSafeRedirect);

src/server/middlewares/access-token-parser.js

@@ -8,7 +8,7 @@ module.exports = (crowi) => {
   return async(req, res, next) => {
     // TODO: comply HTTP header of RFC6750 / Authorization: Bearer
     const accessToken = req.query.access_token || req.body.access_token || null;
-    if (!accessToken) {
+    if (accessToken == null || typeof accessToken !== 'string') {
       return next();
     }
 

yarn.lock

@@ -6036,6 +6036,11 @@ express-form@~0.12.0:
     object-additions "^0.5.1"
     validator "^2.1.0"
 
+express-mongo-sanitize@^2.1.0:
+  version "2.1.0"
+  resolved "https://registry.yarnpkg.com/express-mongo-sanitize/-/express-mongo-sanitize-2.1.0.tgz#a8c647787c25ded6e97b5e864d113e7687c5d471"
+  integrity sha512-ELGeH/Tx+kJGn3klCzSmOewfN1ezJQrkqzq83dl/K3xhd5PUbvLtiD5CiuYRmQfoZPL4rUEVjANf/YjE2BpTWQ==
+
 express-session@^1.16.1:
   version "1.16.1"
   resolved "https://registry.yarnpkg.com/express-session/-/express-session-1.16.1.tgz#251ff9776c59382301de6c8c33411af357ed439c"