
Commit 81a8b25

author
noel-enquanta
committed
URL-encode userId, groupId, contentLanguage, subAccountAPIKey path params
Defense in depth: caller-supplied IDs containing '/' or '?' can no longer change the endpoint or inject query parameters. Same fix as this morning's pass over the python/ruby/php/scala/perl/cpp wrappers; the node wrapper was deferred and is now done via encodeURIComponent.
1 parent fc3c091 commit 81a8b25

2 files changed

Lines changed: 18 additions & 18 deletions


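--- a/index.js
+++ b/index.js
@@ -60,7 +60,7 @@ function VoiceIt3(apk, tok, baseUrl) {
 };
 
 this.getPhrases = (options, callback) => {
-this.axiosInstance.get(`${BASE_URL}/phrases/${options.contentLanguage}${this.notificationUrl}`)
+this.axiosInstance.get(`${BASE_URL}/phrases/${encodeURIComponent(options.contentLanguage)}${this.notificationUrl}`)
 .then((httpResponse) => {
 callback(httpResponse.data);
 }).catch((error) => {
@@ -125,7 +125,7 @@ function VoiceIt3(apk, tok, baseUrl) {
 
 
 this.regenerateSubAccountAPIToken = (options, callback) => {
-this.axiosInstance.post(`${BASE_URL}/subaccount/${options.subAccountAPIKey}${this.notificationUrl}`)
+this.axiosInstance.post(`${BASE_URL}/subaccount/${encodeURIComponent(options.subAccountAPIKey)}${this.notificationUrl}`)
 .then((httpResponse) => {
 callback(httpResponse.data);
 }).catch((error) => {
@@ -139,7 +139,7 @@ function VoiceIt3(apk, tok, baseUrl) {
 //TODO: is it ok to name the property subAccountAPIKey to be consistent with the other wrappers
 // or should it be userId?
 this.deleteSubAccount = (options, callback) => {
-this.axiosInstance.delete(`${BASE_URL}/subaccount/${options.subAccountAPIKey}${this.notificationUrl}`)
+this.axiosInstance.delete(`${BASE_URL}/subaccount/${encodeURIComponent(options.subAccountAPIKey)}${this.notificationUrl}`)
 .then((httpResponse) => {
 callback(httpResponse.data);
 }).catch((error) => {
@@ -152,7 +152,7 @@ function VoiceIt3(apk, tok, baseUrl) {
 
 
 this.checkUserExists = (options, callback) => {
-this.axiosInstance.get(`${BASE_URL}/users/${options.userId}${this.notificationUrl}`)
+this.axiosInstance.get(`${BASE_URL}/users/${encodeURIComponent(options.userId)}${this.notificationUrl}`)
 .then((httpResponse) => {
 callback(httpResponse.data);
 }).catch((error) => {
@@ -164,7 +164,7 @@ function VoiceIt3(apk, tok, baseUrl) {
 };
 
 this.deleteUser = (options, callback) => {
-this.axiosInstance.delete(`${BASE_URL}/users/${options.userId}${this.notificationUrl}`)
+this.axiosInstance.delete(`${BASE_URL}/users/${encodeURIComponent(options.userId)}${this.notificationUrl}`)
 .then((httpResponse) => {
 callback(httpResponse.data);
 }).catch((error) => {
@@ -176,7 +176,7 @@ function VoiceIt3(apk, tok, baseUrl) {
 };
 
 this.getGroupsForUser = (options, callback) => {
-this.axiosInstance.get(`${BASE_URL}/users/${options.userId}/groups${this.notificationUrl}`)
+this.axiosInstance.get(`${BASE_URL}/users/${encodeURIComponent(options.userId)}/groups${this.notificationUrl}`)
 .then((httpResponse) => {
 callback(httpResponse.data);
 }).catch((error) => {
@@ -202,7 +202,7 @@ function VoiceIt3(apk, tok, baseUrl) {
 };
 
 this.getGroup = (options, callback) => {
-this.axiosInstance.get(`${BASE_URL}/groups/${options.groupId}${this.notificationUrl}`)
+this.axiosInstance.get(`${BASE_URL}/groups/${encodeURIComponent(options.groupId)}${this.notificationUrl}`)
 .then((httpResponse) => {
 callback(httpResponse.data);
 }).catch((error) => {
@@ -214,7 +214,7 @@ function VoiceIt3(apk, tok, baseUrl) {
 };
 
 this.checkGroupExists = (options, callback) => {
-this.axiosInstance.get(`${BASE_URL}/groups/${options.groupId}/exists${this.notificationUrl}`)
+this.axiosInstance.get(`${BASE_URL}/groups/${encodeURIComponent(options.groupId)}/exists${this.notificationUrl}`)
 .then((httpResponse) => {
 callback(httpResponse.data);
 }).catch((error) => {
@@ -275,7 +275,7 @@ function VoiceIt3(apk, tok, baseUrl) {
 };
 
 this.deleteGroup = (options, callback) => {
-this.axiosInstance.delete(`${BASE_URL}/groups/${options.groupId}${this.notificationUrl}`)
+this.axiosInstance.delete(`${BASE_URL}/groups/${encodeURIComponent(options.groupId)}${this.notificationUrl}`)
 .then((httpResponse) => {
 callback(httpResponse.data);
 }).catch((error) => {
@@ -289,7 +289,7 @@ function VoiceIt3(apk, tok, baseUrl) {
 /* Enrollment API Calls */
 
 this.getAllEnrollmentsForUser = (options, callback) => {
-this.axiosInstance.get(`${BASE_URL}/enrollments/${options.userId}${this.notificationUrl}`)
+this.axiosInstance.get(`${BASE_URL}/enrollments/${encodeURIComponent(options.userId)}${this.notificationUrl}`)
 .then((httpResponse) => {
 callback(httpResponse.data);
 }).catch((error) => {
@@ -301,7 +301,7 @@ function VoiceIt3(apk, tok, baseUrl) {
 };
 
 this.getAllVoiceEnrollments = (options, callback) => {
-this.axiosInstance.get(`${BASE_URL}/enrollments/voice/${options.userId}${this.notificationUrl}`)
+this.axiosInstance.get(`${BASE_URL}/enrollments/voice/${encodeURIComponent(options.userId)}${this.notificationUrl}`)
 .then((httpResponse) => {
 callback(httpResponse.data);
 }).catch((error) => {
@@ -313,7 +313,7 @@ function VoiceIt3(apk, tok, baseUrl) {
 };
 
 this.getAllFaceEnrollments = (options, callback) => {
-this.axiosInstance.get(`${BASE_URL}/enrollments/face/${options.userId}${this.notificationUrl}`)
+this.axiosInstance.get(`${BASE_URL}/enrollments/face/${encodeURIComponent(options.userId)}${this.notificationUrl}`)
 .then((httpResponse) => {
 callback(httpResponse.data);
 }).catch((error) => {
@@ -325,7 +325,7 @@ function VoiceIt3(apk, tok, baseUrl) {
 };
 
 this.getAllVideoEnrollments = (options, callback) => {
-this.axiosInstance.get(`${BASE_URL}/enrollments/video/${options.userId}${this.notificationUrl}`)
+this.axiosInstance.get(`${BASE_URL}/enrollments/video/${encodeURIComponent(options.userId)}${this.notificationUrl}`)
 .then((httpResponse) => {
 callback(httpResponse.data);
 }).catch((error) => {
@@ -491,7 +491,7 @@ function VoiceIt3(apk, tok, baseUrl) {
 };
 
 this.deleteAllEnrollments = (options, callback) => {
-this.axiosInstance.delete(`${BASE_URL}/enrollments/${options.userId}/all${this.notificationUrl}`)
+this.axiosInstance.delete(`${BASE_URL}/enrollments/${encodeURIComponent(options.userId)}/all${this.notificationUrl}`)
 .then((httpResponse) => {
 callback(httpResponse.data);
 }).catch((error) => {
@@ -819,7 +819,7 @@ function VoiceIt3(apk, tok, baseUrl) {
 callback({ status: 400, responseCode: 'FAIL', message: 'secondsToTimeout must be a numeric value' });
 }
 } else if (options.secondsToTimeout === undefined) {
-this.axiosInstance.post(`${BASE_URL}/users/${options.userId}/token`)
+this.axiosInstance.post(`${BASE_URL}/users/${encodeURIComponent(options.userId)}/token`)
 .then((httpResponse) => {
 callback(httpResponse.data);
 }).catch((error) => {
@@ -829,7 +829,7 @@ function VoiceIt3(apk, tok, baseUrl) {
 throw error;
 });
 } else {
-this.axiosInstance.post(`${BASE_URL}/users/${options.userId}/token?timeOut=${options.secondsToTimeout}`)
+this.axiosInstance.post(`${BASE_URL}/users/${encodeURIComponent(options.userId)}/token?timeOut=${options.secondsToTimeout}`)
 .then((httpResponse) => {
 callback(httpResponse.data);
 }).catch((error) => {
@@ -845,7 +845,7 @@ function VoiceIt3(apk, tok, baseUrl) {
 if (options.userId === undefined) {
 callback({ status: 400, responseCode: 'FAIL', message: 'Missing userId argument' });
 }
-this.axiosInstance.post(`${BASE_URL}/users/${options.userId}/expireTokens`)
+this.axiosInstance.post(`${BASE_URL}/users/${encodeURIComponent(options.userId)}/expireTokens`)
 .then((httpResponse) => {
 callback(httpResponse.data);
 }).catch((error) => {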
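Review bot: In the @@ -845 hunk the missing-userId guard does not return, so when `options.userId` is undefined the callback is invoked with the 400 error and the request is still sent to `/users/undefined/expireTokens` (encodeURIComponent(undefined) yields the string "undefined"), after which the callback fires a second time with whatever the server answers. Change the guard body to `return callback({ status: 400, responseCode: 'FAIL', message: 'Missing userId argument' });`. The @@ -819 token hunk appears to share the same fall-through shape, but its validation starts outside the hunk, so check it there too. Note also that encodeURIComponent leaves `.` unencoded, so an ID of `..` or an empty string still yields `/users/../expireTokens` or `/users//expireTokens`; a check that the ID is non-empty and not a dot-segment would close that residual, and the raw `secondsToTimeout` interpolated into `?timeOut=` in the @@ -829 hunk relies on the numeric check preceding it. The enclosing VoiceIt3 constructor starts and ends outside these hunks.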

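--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@voiceittech/voiceit3-nodejs",
-"version": "3.0.6",
+"version": "3.0.7",
 "description": "VoiceIt's API 3.0 Face + Voice Verification/Identification Node Wrapper",
 "main": "index.js",
 "scripts": {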
