Escape LevalDB namespaces

Author: ohtake

package.json

@@ -77,6 +77,7 @@
     "postcss-loader": "^2.0.10",
     "react-test-renderer": "^16.2.0",
     "rimraf": "^2.6.2",
+    "sanitize-filename": "^1.6.1",
     "sinon": "^4.1.4",
     "source-map-explorer": "^1.5.0",
     "webpack": "^3.10.0",

server-websocket.js

@@ -16,6 +16,8 @@ import crypto from 'crypto';
 import { join, sep } from 'path';
 import { lstatSync, readdirSync } from 'fs';
 
+import LevelDBLib from './src/server/LevelDBLib';
+
 Y.extend(yWebsocketsServer, yleveldb);
 
 const isDirectory = (source) => {
@@ -46,7 +48,7 @@ const server = http.createServer((req, res) => {
 const io = socketIo.listen(server);
 
 const yInstances = {};
-const dirs = getDirectories('y-leveldb-databases').map(p => p.split(sep)[1]);
+const dirs = getDirectories('y-leveldb-databases').map(p => LevelDBLib.unescapeNamespace(p.split(sep)[1]));
 const metadata = dirs.reduce((accumulator, d) => Object.assign(accumulator, { [d]: {} }), {});
 
 function getInstanceOfY(room) {
@@ -55,11 +57,12 @@ function getInstanceOfY(room) {
       db: {
         name: options.db,
         dir: 'y-leveldb-databases',
-        namespace: room,
+        namespace: LevelDBLib.escapeNamespace(room),
       },
       connector: {
         name: 'websockets-server',
-        room,
+        // TODO: Will be solved in future https://github.com/y-js/y-websockets-server/commit/2c8588904a334631cb6f15d8434bb97064b59583#diff-e6a5b42b2f7a26c840607370aed5301a
+        room: encodeURIComponent(room),
         io,
         debug: !!options.debug,
       },
@@ -96,10 +99,12 @@ router.get('/pages', (req, res) => {
 
 io.on('connection', (socket) => {
   const rooms = [];
-  socket.on('joinRoom', (room) => {
+  socket.on('joinRoom', (escapedRoom) => {
+    // TODO: Will be solved in future https://github.com/y-js/y-websockets-server/commit/2c8588904a334631cb6f15d8434bb97064b59583#diff-e6a5b42b2f7a26c840607370aed5301a
+    const room = decodeURIComponent(escapedRoom);
     console.log('User', socket.id, 'joins room:', room);
     socket.join(room);
-    getInstanceOfY(room).then((y) => {
+    getInstanceOfY(decodeURIComponent(room)).then((y) => {
       if (rooms.indexOf(room) === -1) {
         y.connector.userJoined(socket.id, 'slave');
         rooms.push(room);
@@ -110,10 +115,12 @@ io.on('connection', (socket) => {
   });
   socket.on('yjsEvent', (msg) => {
     if (msg.room != null) {
-      getInstanceOfY(msg.room).then((y) => {
+      // TODO: Will be solved in future https://github.com/y-js/y-websockets-server/commit/2c8588904a334631cb6f15d8434bb97064b59583#diff-e6a5b42b2f7a26c840607370aed5301a
+      const room = decodeURIComponent(msg.room);
+      getInstanceOfY(room).then((y) => {
         y.connector.receiveMessage(socket.id, msg);
         if (msg.type === 'update') {
-          metadata[msg.room].modified = new Date();
+          metadata[room].modified = new Date();
         }
       });
     }
@@ -127,13 +134,17 @@ io.on('connection', (socket) => {
           y.connector.userLeft(socket.id);
           rooms.splice(j, 1);
           metadata[room].active -= 1;
-          io.in(room).emit('activeUser', metadata[room].active);
-          io.in(room).emit('clientCursor', { type: 'delete', id: getSha1Hash(socket.id) });
+          // TODO: Will be solved in future https://github.com/y-js/y-websockets-server/commit/2c8588904a334631cb6f15d8434bb97064b59583#diff-e6a5b42b2f7a26c840607370aed5301a
+          const escapedRoom = encodeURIComponent(room);
+          io.in(escapedRoom).emit('activeUser', metadata[room].active);
+          io.in(escapedRoom).emit('clientCursor', { type: 'delete', id: getSha1Hash(socket.id) });
         }
       });
     }
   });
-  socket.on('leaveRoom', (room) => {
+  socket.on('leaveRoom', (escapedRoom) => {
+    // TODO: Will be solved in future https://github.com/y-js/y-websockets-server/commit/2c8588904a334631cb6f15d8434bb97064b59583#diff-e6a5b42b2f7a26c840607370aed5301a
+    const room = decodeURIComponent(escapedRoom);
     getInstanceOfY(room).then((y) => {
       const i = rooms.indexOf(room);
       if (i >= 0) {
@@ -146,7 +157,9 @@ io.on('connection', (socket) => {
     });
   });
   socket.on('clientCursor', (msg) => {
-    if (msg.room != null) {
+    // TODO: Will be solved in future https://github.com/y-js/y-websockets-server/commit/2c8588904a334631cb6f15d8434bb97064b59583#diff-e6a5b42b2f7a26c840607370aed5301a
+    const room = decodeURIComponent(msg.room);
+    if (room != null) {
       const msgCloned = clone(msg);
       msgCloned.id = getSha1Hash(socket.id);
       socket.to(msg.room).emit('clientCursor', msgCloned);

src/server/LevelDBLib.js

@@ -0,0 +1,30 @@
+const unsafeChars = /[^-_a-zA-Z0-9]/g;
+const windowsReserved = /^(con|prn|aux|nul|com[0-9]|lpt[0-9])(\..*)?$/i;
+const escapeSeq = /%([_0-9a-fA-F]+)%/g;
+
+export default class LevelDBLib {
+  /**
+   * It escapes a namespace to a safe file name.
+   * This function is injective.
+   * @param {string} namespace namespace of Level DB
+   * @returns {string}
+   */
+  static escapeNamespace(namespace) {
+    if (!namespace) return '%_%';
+    if (namespace.match(windowsReserved)) {
+      return `%_%${namespace}`;
+    }
+    return namespace.replace(unsafeChars, substr => `%${substr.charCodeAt(0).toString(16)}%`);
+  }
+  /**
+   * Reversed function of escapeNamespace.
+   * @param {string} escapedNamedpace file name generated by escapeNamespace
+   * @returns {string}
+   */
+  static unescapeNamespace(escapedNamedpace) {
+    return escapedNamedpace.replace(escapeSeq, (substr, group) => {
+      if (group === '_') return '';
+      return String.fromCharCode(parseInt(group, 16));
+    });
+  }
+}

test/server/LevelDBLib.ava.js

@@ -0,0 +1,93 @@
+import test from 'ava';
+import sanitize from 'sanitize-filename';
+
+import LevelDBLib from '../../src/server/LevelDBLib';
+
+const unsafePaths = [
+  // path traversal
+  '/',
+  '/etc/passwd',
+  '.',
+  './..',
+  './dir/../..',
+  '..',
+  '../',
+  // invalid filename
+  '',
+  ' ',
+  'last space ',
+  'last-dot.',
+  'con',
+  'con.txt',
+  'nul',
+  // illegal chars
+  'question?mark?char',
+  'angle<>char',
+  'asterisk*char',
+  'null\0char',
+  'newline\nchar',
+  'tab\tchar',
+  // path separator
+  'dir/file',
+  'dir\\file',
+];
+
+/** @test {LevelDBLib.escapeNamespace} */
+test('escapeNamespace should escape unsafe path', t => {
+  unsafePaths.forEach(p => {
+    const escaped = LevelDBLib.escapeNamespace(p);
+    t.not(p, escaped, 'should escape unsafe filename');
+    const sanitizedEscaped = sanitize(escaped);
+    t.is(escaped, sanitizedEscaped, 'escaped namespace must be a safe filename');
+  });
+});
+
+/** @test {LevelDBLib.unescapeNamespace} */
+test('unescapeNamespace should unescape path', t => {
+  unsafePaths.forEach(p => {
+    const escaped = LevelDBLib.escapeNamespace(p);
+    const unescaped = LevelDBLib.unescapeNamespace(escaped);
+    t.is(p, unescaped);
+  });
+});
+
+/** @test {LevelDBLib.escapeNamespace} */
+test('escapeNamespace should be injective', t => {
+  const inputs = new Set([
+    '',
+    '%',
+    '%%',
+    '%%%',
+    '%_%',
+    '%%_%',
+    '%%__%',
+    '%1%',
+    '%01%',
+  ]);
+  const outputs = new Set();
+  inputs.forEach(p => {
+    const escaped = LevelDBLib.escapeNamespace(p);
+    t.false(outputs.has(escaped), `not injective: ${p} -> ${escaped}`);
+    outputs.add(escaped);
+  });
+});
+
+/** @test {LevelDBLib.escapeNamespace} */
+test('escapeNamespace should handle non-ascii chars', t => {
+  const inputs = new Set([
+    'ひらがな',
+    'カタカナ',
+    '漢字',
+    '汉语',
+    '한글',
+    'عربی زبان',
+  ]);
+  inputs.forEach(p => {
+    const escaped = LevelDBLib.escapeNamespace(p);
+    t.not(p, escaped, 'should escape');
+    const sanitizedEscaped = sanitize(escaped);
+    t.is(escaped, sanitizedEscaped, 'escaped namespace must be a safe filename');
+    const unescaped = LevelDBLib.unescapeNamespace(escaped);
+    t.is(p, unescaped, 'should restore to non-ascii');
+  });
+});

yarn.lock

@@ -8790,6 +8790,12 @@ [email protected]:
   version "1.3.0"
   resolved "https://registry.yarnpkg.com/samsam/-/samsam-1.3.0.tgz#8d1d9350e25622da30de3e44ba692b5221ab7c50"
 
+sanitize-filename@^1.6.1:
+  version "1.6.1"
+  resolved "https://registry.yarnpkg.com/sanitize-filename/-/sanitize-filename-1.6.1.tgz#612da1c96473fa02dccda92dcd5b4ab164a6772a"
+  dependencies:
+    truncate-utf8-bytes "^1.0.0"
+
 sax@^1.1.4, sax@~1.2.1:
   version "1.2.4"
   resolved "https://registry.yarnpkg.com/sax/-/sax-1.2.4.tgz#2816234e2378bddc4e5354fab5caa895df7100d9"
@@ -9714,6 +9720,12 @@ trough@^1.0.0:
   version "1.0.1"
   resolved "https://registry.yarnpkg.com/trough/-/trough-1.0.1.tgz#a9fd8b0394b0ae8fff82e0633a0a36ccad5b5f86"
 
+truncate-utf8-bytes@^1.0.0:
+  version "1.0.2"
+  resolved "https://registry.yarnpkg.com/truncate-utf8-bytes/-/truncate-utf8-bytes-1.0.2.tgz#405923909592d56f78a5818434b0b78489ca5f2b"
+  dependencies:
+    utf8-byte-length "^1.0.1"
+
 [email protected]:
   version "0.0.0"
   resolved "https://registry.yarnpkg.com/tty-browserify/-/tty-browserify-0.0.0.tgz#a157ba402da24e9bf957f9aa69d524eed42901a6"
@@ -10060,6 +10072,10 @@ [email protected]:
     bindings "~1.2.1"
     nan "~2.4.0"
 
+utf8-byte-length@^1.0.1:
+  version "1.0.4"
+  resolved "https://registry.yarnpkg.com/utf8-byte-length/-/utf8-byte-length-1.0.4.tgz#f45f150c4c66eee968186505ab93fcbb8ad6bf61"
+
 [email protected]:
   version "2.1.0"
   resolved "https://registry.yarnpkg.com/utf8/-/utf8-2.1.0.tgz#0cfec5c8052d44a23e3aaa908104e8075f95dfd5"