Merge pull request #25 from /issues/24

Protect against stanza ID spoofing
xmpp-ftw · Apr 10, 2014 · cac4acc · cac4acc
2 parents 11b4846 + 305cf0c
commit cac4acc
Show file tree

Hide file tree

Showing 8 changed files with 31 additions and 17 deletions.
diff --git a/lib/pubsub.js b/lib/pubsub.js
@@ -80,7 +80,7 @@ PubSub.prototype.createNode = function(data, callback) {
             )
         }
     }
-    this.manager.trackId(stanza.root().attr('id'), function(stanza) {
+    this.manager.trackId(stanza, function(stanza) {
         if (stanza.attrs.type === 'error')
             return callback(self._parseError(stanza))
         callback(null, true)
@@ -100,7 +100,7 @@ PubSub.prototype.deleteNode = function(data, callback) {
     if (data.redirect)
         stanza.c('redirect', { uri: data.redirect })
 
-    this.manager.trackId(stanza.root().attr('id'), function(stanza) {
+    this.manager.trackId(stanza, function(stanza) {
         if ('error' === stanza.attrs.type)
             return callback(self._parseError(stanza), null)
         callback(null, true)
@@ -120,7 +120,7 @@ PubSub.prototype.subscribe = function(data, callback) {
     var self   = this
     var stanza = this._getStanza(data, 'set', 'subscribe')
 
-    this.manager.trackId(stanza.root().attr('id'), function(stanza) {
+    this.manager.trackId(stanza, function(stanza) {
         if (stanza.attrs.type === 'error')
             return callback(self._parseError(stanza), null)
         var subscription = stanza.getChild('pubsub').getChild('subscription')
@@ -146,7 +146,7 @@ PubSub.prototype.unsubscribe = function(data, callback) {
 
     var self   = this
     var stanza = this._getStanza(data, 'set', 'unsubscribe')
-    this.manager.trackId(stanza.root().attr('id'), function(stanza) {
+    this.manager.trackId(stanza, function(stanza) {
         if (stanza.attrs.type === 'error')
             return callback(self._parseError(stanza), null)
         callback(null, true)
@@ -174,7 +174,7 @@ PubSub.prototype.setSubscription = function(data, callback) {
         { jid: data.jid, subscription: data.subscription }
     )
 
-    this.manager.trackId(stanza.root().attr('id'), function(stanza) {
+    this.manager.trackId(stanza, function(stanza) {
         if ('error' === stanza.attrs.type)
             return callback(self._parseError(stanza), null)
         callback(null, true)
@@ -193,7 +193,7 @@ PubSub.prototype.subscriptionConfigurationGet = function(data, callback) {
     var self   = this
     var stanza = this._getStanza(data, 'get', 'options')
 
-    this.manager.trackId(stanza.root().attr('id'), function(stanza) {
+    this.manager.trackId(stanza, function(stanza) {
         if (stanza.attrs.type === 'error')
             return callback(self._parseError(stanza), null)
         var data = dataForm.parseFields(
@@ -213,7 +213,7 @@ PubSub.prototype.subscriptionDefaultConfigurationGet = function(data, callback)
     var self   = this
     var stanza = this._getStanza(data, 'get', 'default')
 
-    this.manager.trackId(stanza.root().attr('id'), function(stanza) {
+    this.manager.trackId(stanza, function(stanza) {
         if (stanza.attrs.type === 'error')
             return callback(self._parseError(stanza), null)
         var data = dataForm.parseFields(
@@ -241,7 +241,7 @@ PubSub.prototype.subscriptionConfigurationSet = function(data, callback) {
     } catch(e) {
         return this._clientError('Badly formatted data form', data, callback)
     }
-    this.manager.trackId(stanza.root().attr('id'), function(stanza) {
+    this.manager.trackId(stanza, function(stanza) {
         if (stanza.attrs.type === 'error')
             return callback(self._parseError(stanza), null)
         callback(null, true)
@@ -280,7 +280,7 @@ PubSub.prototype.publish = function(data, callback) {
             )
         }
     }
-    this.manager.trackId(stanza.root().attr('id'), function(stanza) {
+    this.manager.trackId(stanza, function(stanza) {
         if (stanza.attrs.type === 'error')
             return callback(self._parseError(stanza), null)
         callback(null, {
@@ -301,7 +301,7 @@ PubSub.prototype.deleteItem = function(data, callback) {
     var self    = this
     var stanza  = this._getStanza(data, 'set', 'retract')
     stanza.c('item', { id: data.id })
-    this.manager.trackId(stanza.root().attr('id'), function(stanza) {
+    this.manager.trackId(stanza, function(stanza) {
         if (stanza.attrs.type === 'error')
             return callback(self._parseError(stanza), null)
         callback(null, true)
@@ -318,7 +318,7 @@ PubSub.prototype.purgeNode = function(data, callback) {
 
     var self    = this
     var stanza  = this._getStanza(data, 'set', 'purge')
-    this.manager.trackId(stanza.root().attr('id'), function(stanza) {
+    this.manager.trackId(stanza, function(stanza) {
         if (stanza.attrs.type === 'error')
             return callback(self._parseError(stanza), null)
         callback(null, true)
@@ -335,7 +335,7 @@ PubSub.prototype.getNodeConfiguration = function(data, callback) {
 
     var self = this
     var stanza = this._getStanza(data, 'get', 'configure', this.NS_OWNER)
-    this.manager.trackId(stanza.root().attr('id'), function(stanza) {
+    this.manager.trackId(stanza, function(stanza) {
         if ('error' === stanza.attrs.type)
             return callback(self._parseError(stanza), null)
         var data = dataForm.parseFields(
@@ -363,7 +363,7 @@ PubSub.prototype.setNodeConfiguration = function(data, callback) {
     } catch(e) {
         return this._clientError('Badly formatted data form', data, callback)
     }
-    this.manager.trackId(stanza.root().attr('id'), function(stanza) {
+    this.manager.trackId(stanza, function(stanza) {
         if ('error' === stanza.attrs.type)
             return callback(self._parseError(stanza), null)
         callback(null, true)
@@ -402,7 +402,7 @@ PubSub.prototype.getItems = function(data, callback) {
     }
     if (data.rsm) rsm.build(stanza.root().getChild('pubsub'), data.rsm)
 
-    this.manager.trackId(stanza.root().attr('id'), function(stanza) {
+    this.manager.trackId(stanza, function(stanza) {
         if (stanza.attrs.type === 'error')
             return callback(self._parseError(stanza), null)
         var items = []
@@ -433,7 +433,7 @@ PubSub.prototype.getAffiliations = function(data, callback) {
     var self = this
     var stanza = this._getStanza(data, 'get', 'affiliations', owner)
     if (data.rsm) rsm.build(stanza.root().getChild('pubsub'), data.rsm)
-    this.manager.trackId(stanza.root().attr('id'), function(stanza) {
+    this.manager.trackId(stanza, function(stanza) {
         if (stanza.attrs.type === 'error')
             return callback(self._parseError(stanza), null)
         var affiliations = []
@@ -470,7 +470,7 @@ PubSub.prototype.setAffiliation = function(data, callback) {
     var detail = { jid: data.jid }
     if (data.affiliation) detail.affiliation = data.affiliation
     stanza.c('affiliation', detail)
-    this.manager.trackId(stanza.root().attr('id'), function(stanza) {
+    this.manager.trackId(stanza, function(stanza) {
         if ('error' === stanza.attrs.type)
             return callback(self._parseError(stanza), null)
         callback(null, true)
@@ -491,7 +491,7 @@ PubSub.prototype.getSubscriptions = function(data, callback) {
     var self = this
     var stanza = this._getStanza(data, 'get', 'subscriptions', owner)
     if (data.rsm) rsm.build(stanza.root().getChild('pubsub'), data.rsm)
-    this.manager.trackId(stanza.root().attr('id'), function(stanza) {
+    this.manager.trackId(stanza, function(stanza) {
         if (stanza.attrs.type === 'error')
             return callback(self._parseError(stanza), null)
         var subscriptions = []

diff --git a/test/lib/pubsub.affiliations.js b/test/lib/pubsub.affiliations.js
@@ -19,6 +19,8 @@ describe('Publish-Subscribe', function() {
             socket: socket,
             client: xmpp,
             trackId: function(id, callback) {
+                if (typeof id !== 'object')
+                    throw new Error('Stanza protection ID not added')
                 this.callback = callback
             },
             makeCallback: function(error, data) {

diff --git a/test/lib/pubsub.configuration.js b/test/lib/pubsub.configuration.js
@@ -17,6 +17,8 @@ describe('Publish-Subscribe', function() {
             socket: socket,
             client: xmpp,
             trackId: function(id, callback) {
+                if (typeof id !== 'object')
+                    throw new Error('Stanza protection ID not added')
                 this.callback = callback
             },
             makeCallback: function(error, data) {

diff --git a/test/lib/pubsub.create.js b/test/lib/pubsub.create.js
@@ -17,6 +17,8 @@ describe('Publish-Subscribe', function() {
             socket: socket,
             client: xmpp,
             trackId: function(id, callback) {
+                if (typeof id !== 'object')
+                    throw new Error('Stanza protection ID not added')
                 this.callback = callback
             },
             makeCallback: function(error, data) {

diff --git a/test/lib/pubsub.events.js b/test/lib/pubsub.events.js
@@ -17,6 +17,8 @@ describe('Publish-Subscribe', function() {
             socket: socket,
             client: xmpp,
             trackId: function(id, callback) {
+                if (typeof id !== 'object')
+                    throw new Error('Stanza protection ID not added')
                 this.callback = callback
             },
             makeCallback: function(error, data) {

diff --git a/test/lib/pubsub.items.js b/test/lib/pubsub.items.js
@@ -19,6 +19,8 @@ describe('Publish-Subscribe', function() {
             socket: socket,
             client: xmpp,
             trackId: function(id, callback) {
+                if (typeof id !== 'object')
+                    throw new Error('Stanza protection ID not added')
                 this.callback = callback
             },
             makeCallback: function(error, data) {

diff --git a/test/lib/pubsub.subscribe.js b/test/lib/pubsub.subscribe.js
@@ -19,6 +19,8 @@ describe('Publish-Subscribe', function() {
             socket: socket,
             client: xmpp,
             trackId: function(id, callback) {
+                if (typeof id !== 'object')
+                    throw new Error('Stanza protection ID not added')
                 this.callback = callback
             },
             makeCallback: function(error, data) {

diff --git a/test/lib/pubsub.subscription.js b/test/lib/pubsub.subscription.js
@@ -17,6 +17,8 @@ describe('Publish-Subscribe', function() {
             socket: socket,
             client: xmpp,
             trackId: function(id, callback) {
+                if (typeof id !== 'object')
+                    throw new Error('Stanza protection ID not added')
                 this.callback = callback
             },
             makeCallback: function(error, data) {