From bb73ff43e4f63f50d2165034118d435cf752126b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Wolfgang=20Hu=C3=9F?=
Date: Fri, 4 Oct 2019 16:43:42 +0200
Subject: [PATCH] Sanitize reason description and test, fix report in 'seed-db.js'

---
 backend/src/middleware/xssMiddleware.js | 2 +-
 backend/src/schema/resolvers/reports.js | 7 +++++-
 backend/src/schema/resolvers/reports.spec.js | 25 ++++++++++++++++----
 backend/src/seed/seed-db.js | 18 ++++++++++----
 4 files changed, 40 insertions(+), 12 deletions(-)

diff --git a/backend/src/middleware/xssMiddleware.js b/backend/src/middleware/xssMiddleware.js
index f98ab9d61..9b4e3e759 100644
--- a/backend/src/middleware/xssMiddleware.js
+++ b/backend/src/middleware/xssMiddleware.js
@@ -85,7 +85,7 @@ function clean(dirty) {
 return dirty
 }
-const fields = ['content', 'contentExcerpt']
+const fields = ['content', 'contentExcerpt', 'reasonDescription']
 export default {
 Mutation: async (resolve, root, args, context, info) => {
diff --git a/backend/src/schema/resolvers/reports.js b/backend/src/schema/resolvers/reports.js
index 42f9a416f..4b86e57f4 100644
--- a/backend/src/schema/resolvers/reports.js
+++ b/backend/src/schema/resolvers/reports.js
@@ -2,7 +2,12 @@ import uuid from 'uuid/v4'
 export default {
 Mutation: {
- report: async (_parent, { resourceId, reasonCategory, reasonDescription }, { driver, req, user }, _resolveInfo) => {
+ report: async (
+ _parent,
+ { resourceId, reasonCategory, reasonDescription },
+ { driver, _req, user },
+ _resolveInfo,
+ ) => {
 const reportId = uuid()
 const session = driver.session()
 const reportProperties = {
diff --git a/backend/src/schema/resolvers/reports.spec.js b/backend/src/schema/resolvers/reports.spec.js
index d96b894c5..ed459df17 100644
--- a/backend/src/schema/resolvers/reports.spec.js
+++ b/backend/src/schema/resolvers/reports.spec.js
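Review bot: Adding `'reasonDescription'` to `fields` sanitizes only that argument, while the seed hunk in this same patch declares `$reasonCategory: String!`, which suggests the category is also a free-form string that the `report` resolver stores; if the schema does type it as a plain string it reaches the database unsanitized and unvalidated. Either model the category as a GraphQL enum (or check it against an allow-list in the resolver) or list it here as well. Because this middleware scans by argument name, any free-text argument added later is unsanitized by default, so a comment above the list would make the contract visible: `// Argument names run through clean() on every Mutation; a new free-text argument must be listed here or it is stored as-is.` `clean` and the `Mutation` wrapper continue outside the hunk, so what `clean` actually strips is not visible here.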
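Review bot: `{ driver, _req, user }` on the new side destructures a context property literally named `_req`, which is not the same as marking the parameter unused — the context presumably carries `req`, so `_req` is simply `undefined`. The underscore convention silences the linter for positional parameters, not for destructured keys; if `req` is no longer needed, drop it from the pattern, `{ driver, user },`, and if it is still read later in the body (which continues past the hunk) this rename breaks that read. Either way the intent should be stated rather than hidden behind a renamed key.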
@@ -123,11 +123,13 @@ describe('report', () => {
 it('returns a date', async () => {
 returnedObject = '{ createdAt }'
- await expect(action()).resolves.toEqual(expect.objectContaining({
- report: {
- createdAt: expect.any(String),
- },
- }))
+ await expect(action()).resolves.toEqual(
+ expect.objectContaining({
+ report: {
+ createdAt: expect.any(String),
+ },
+ }),
+ )
 })
 it('returns the reason category', async () => {
@@ -155,6 +157,19 @@ describe('report', () => {
 },
 })
 })
+
+ it('sanitize the reason description', async () => {
+ variables = {
+ ...variables,
+ reasonDescription: 'My reason !',
+ }
+ returnedObject = '{ reasonDescription }'
+ await expect(action()).resolves.toEqual({
+ report: {
+ reasonDescription: 'My reason !',
+ },
+ })
+ })
 })
 describe('reported resource is a post', () => {
diff --git a/backend/src/seed/seed-db.js b/backend/src/seed/seed-db.js
index bc85e2a7d..89180ac2e 100644
--- a/backend/src/seed/seed-db.js
+++ b/backend/src/seed/seed-db.js
@@ -649,9 +649,14 @@ import { gql } from '../jest/helpers'
 ])
 authenticatedUser = null
+ // There is no error logged or the 'try' fails if this mutation is wrong. Why?
 const reportMutation = gql`
- mutation($resourceId: ID!, $reasonDescription: String!) {
- report(reasonDescription: $reasonDescription, resourceId: $resourceId) {
+ mutation($resourceId: ID!, $reasonCategory: String!, $reasonDescription: String!) {
+ report(
+ resourceId: $resourceId
+ reasonCategory: $reasonCategory
+ reasonDescription: $reasonDescription
+ ) {
 id
 }
 }
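Review bot: The new 'sanitize the reason description' test, as it appears here, sends `'My reason !'` and expects `'My reason !'` back, so it passes whether or not the xss middleware touches this field — it does not prove the sanitization this commit adds. If markup in the fixture was stripped when this page was rendered, disregard; otherwise the input needs a payload the sanitizer must alter, e.g. `reasonDescription: 'My reason <script>alert("xss")</script>!'`, with the expected value being whatever the middleware's `clean` yields for it (`'My reason !'` if it removes the element entirely, which the test's space before `!` hints at). A second case with permitted markup would confirm that legitimate text survives. The enclosing `describe('report')` begins before the hunk.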
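Review bot: The added `// There is no error logged or the 'try' fails if this mutation is wrong. Why?` commits an open question instead of a finding; the likely answer, hedged because the `mutate` helper is not in this diff, is that GraphQL test clients of this kind resolve with an `errors` array rather than rejecting, so a `try` around `await mutate(...)` never fires and a broken mutation seeds nothing silently. Check the resolved result explicitly — e.g. inspect `errors` on each result of the `Promise.all` and throw — and replace the question with the established behaviour: `// mutate() resolves with { errors } instead of rejecting, so failures must be checked on the result.` Separately, `$reasonCategory: String!` types the category as free text; if the schema intends a fixed set of categories, a GraphQL enum would reject unknown values at parse time instead of storing them.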
@@ -661,22 +666,25 @@ import { gql } from '../jest/helpers'
 mutate({
 mutation: reportMutation,
 variables: {
- reasonDescription: 'This comment is bigoted',
 resourceId: 'c1',
+ reasonCategory: 'other',
+ reasonDescription: 'This comment is bigoted',
 },
 }),
 mutate({
 mutation: reportMutation,
 variables: {
- reasonDescription: 'This post is bigoted',
 resourceId: 'p1',
+ reasonCategory: 'discrimination-etc',
+ reasonDescription: 'This post is bigoted',
 },
 }),
 mutate({
 mutation: reportMutation,
 variables: {
- reasonDescription: 'This user is harassing me with bigoted remarks',
 resourceId: 'u1',
+ reasonCategory: 'doxing',
+ reasonDescription: 'This user is harassing me with bigoted remarks',
 },
 }),
 ])