Trim up the local brute DB a little

* Normalize on username standards and do a precheck so we don't track some obvious bad requests. This should lower the MongoLab traffic a little. * Remove a stray comma * Fixed a bug in lib detection... technically this was refactored out. * Removed last commit unused var **NOTES** Consider `keyScript` as a preop to make sure we're "trying the right kind of key in the lock first" which just happens to be our `installName` :) Applies to OpenUserJS#944 and a little to OpenUserJS#37 *(silence is golden)*
Martii · Apr 15, 2016 · 14b33ef · 14b33ef
1 parent a7de9ae
commit 14b33ef
Show file tree

Hide file tree

Showing 2 changed files with 56 additions and 38 deletions.
diff --git a/controllers/scriptStorage.js b/controllers/scriptStorage.js
@@ -203,58 +203,81 @@ exports.getSource = function (aReq, aCallback) {
     });
 };
 
-exports.sendScript = function (aReq, aRes, aNext) {
-  if (aReq.params.type === 'libs') {
-    aReq.params.isLib = true;
-  }
+exports.keyScript = function (aReq, aRes, aNext) {
+  let pathname = aReq._parsedUrl.pathname;
+  let isLib = /^\/src\/libs\//.test(pathname);
+
+  let installName = pathname.replace(/^\/(?:install|src\/(?:scripts|libs))\//, '');
 
-  let accept = aReq.headers.accept;
+  let rUserJS = /\.user\.js$/;
+  let rMetaJS = /\.meta\.js$/;
+  let rJS = /\.js$/;
+
+  let accept = aReq.headers.accept || '*/*';
   let accepts = null;
+
   let hasAcceptUserScriptMeta = false;
   let hasAcceptNotAcceptable = false;
-  let url = URL.parse(aReq.url);
 
-  let isLib = aReq.params.isLib || /^\/libs\//.test(url.pathname);
-  let rUserJS = /\.user\.js$/;
-  let rMetaJS = /\.meta\.js$/;
+  let parts = installName.split('/');
+  let userName = parts[0].toLowerCase();
+  let scriptName = parts[1];
 
   if (!isLib) {
-    if (accept) {
-      accepts = accept.split(',');
+    accepts = accept.split(',');
+
+    if (rUserJS.test(scriptName)) {
       accepts.forEach(function (aElement, aIndex, aArray) {
         let acceptItem = aElement.trim();
 
-        if (/^text\/x\-userscript\-meta/.test(acceptItem)) { // TODO: toggle `\-meta` in re
-          hasAcceptUserScriptMeta = true;
-        }
-
-        // Find 406 (not acceptables)
+        // Find not acceptables
         if (/^image\//.test(acceptItem)) {
           hasAcceptNotAcceptable = true;
         }
 
+        // Find acceptables
+        if (/^text\/x\-userscript\-meta/.test(acceptItem)) {
+          hasAcceptUserScriptMeta = true;
+        }
       });
-    }
 
-    // Test for 406 (not acceptables)
-    if (hasAcceptNotAcceptable && rUserJS.test(url.pathname)) {
-      aRes.status(406).send();
-      return;
-    }
+      // Test acceptables
+      if (hasAcceptNotAcceptable) {
+        aRes.status(406).send();
+        return;
+      }
 
-    if (hasAcceptUserScriptMeta && rUserJS.test(url.pathname) ||
-      rMetaJS.test(url.pathname)) {
-      //
-      exports.sendMeta(aReq, aRes, aNext);
+      if (hasAcceptUserScriptMeta) {
+        exports.sendMeta(aReq, aRes, aNext);
+        return;
+      }
+
+      aNext(userName + '/' + scriptName.replace(/(\.min)?\.user\.js/, '.user.js'));
       return;
+
+    } else if (rMetaJS.test(scriptName)) {
+      if (!/\.min\.meta\.js$/.test(scriptName)) {
+        exports.sendMeta(aReq, aRes, aNext);
+        return;
+      }
     }
-  } else {
-    if (rMetaJS.test(url.pathname)) {
-      aNext();
+  } else if (rJS.test(scriptName)) {
+      aNext(userName + '/' + scriptName.replace(/(\.min)?\.js/, '.js'));
       return;
-    }
   }
 
+  // No matches so return a bad request
+  aRes.status(400).send();
+}
+
+exports.sendScript = function (aReq, aRes, aNext) {
+  if (aReq.params.type === 'libs') {
+    aReq.params.isLib = true;
+  }
+
+  let pathname = aReq._parsedUrl.pathname;
+  let isLib = aReq.params.isLib || /^\/src\/libs\//.test(pathname);
+
   exports.getSource(aReq, function (aScript, aStream) {
     let chunks = [];
     let updateURL = null;
@@ -581,7 +604,6 @@ exports.storeScript = function (aUser, aMeta, aBuf, aCallback, aUpdate) {
   var name = null;
   var thisName = null;
   var scriptName = null;
-  var updateURL = null;
   var author = null;
   var collaborators = null;
   var installName = aUser.name + '/';

diff --git a/routes.js b/routes.js
@@ -58,10 +58,6 @@ var sourcesBruteforce = new ExpressBrute(store, {
   failCallback: tooManyRequests
 });
 
-var fnKeySources = function (aReq, aRes, aNext) {
-  // Prevent too many attempts from the same source `pathname`
-  aNext(aReq._parsedUrl.pathname);
-};
 
 module.exports = function (aApp) {
   //--- Middleware
@@ -105,7 +101,7 @@ module.exports = function (aApp) {
     aRes.redirect('/users/' + aReq.params.username + '/scripts'); // NOTE: Watchpoint
   });
 
-  aApp.route('/install/:username/:scriptname').get(sourcesBruteforce.getMiddleware({key : fnKeySources}), scriptStorage.sendScript);
+  aApp.route('/install/:username/:scriptname').get(sourcesBruteforce.getMiddleware({key : scriptStorage.keyScript}), scriptStorage.sendScript);
   aApp.route('/meta/:username/:scriptname').get(scriptStorage.sendMeta);
 
   // Github hook routes
@@ -119,7 +115,7 @@ module.exports = function (aApp) {
   aApp.route('/libs/:username/:scriptname/source').get(script.lib(user.editScript));
 
   // Raw source
-  aApp.route('/src/:type(scripts|libs)/:username/:scriptname').get(sourcesBruteforce.getMiddleware({key : fnKeySources}), scriptStorage.sendScript);
+  aApp.route('/src/:type(scripts|libs)/:username/:scriptname').get(sourcesBruteforce.getMiddleware({key : scriptStorage.keyScript}), scriptStorage.sendScript);
 
   // Issues routes
   aApp.route('/:type(scripts|libs)/:username/:scriptname/issues/:open(open|closed|all)?').get(issue.list);
@@ -185,7 +181,7 @@ module.exports = function (aApp) {
   aApp.use(function (aReq, aRes, aNext) {
     statusCodePage(aReq, aRes, aNext, {
       statusCode: 404,
-      statusMessage: 'This is not the page you\'re are looking for.',
+      statusMessage: 'This is not the page you\'re are looking for.'
     });
   });
 };