fix(server): Ensure all JSON responses are protected

Author: petebacondarwin

server/lib/mongo-proxy.js

@@ -36,12 +36,6 @@ module.exports = function(basePath, apiKey) {
     return newReq;
   };
 
-  // JSON vulnerability protection
-  // we prepend the data with ")]},\n", which will be stripped by $http in AngularJS
-  var protectJSON = function(data) {
-    return ")]}',\n" + data;
-  };
-
   var proxy = function(req, res, next) {
     try {
       var options = mapRequest(req);
@@ -55,10 +49,11 @@ module.exports = function(basePath, apiKey) {
           data = data + chunk;
         });
         dbRes.on('end', function() {
+          res.header('Content-Type', 'application/json');
           res.statusCode = dbRes.statusCode;
           res.httpVersion = dbRes.httpVersion;
           res.trailers = dbRes.trailers;
-          res.send(protectJSON(data));
+          res.send(data);
           res.end();
         });
       });

server/lib/security.js

@@ -28,15 +28,15 @@ var security = {
     if (req.isAuthenticated()) {
       next();
     } else {
-      res.send(401, filterUser(req.user));
+      res.json(401, filterUser(req.user));
     }
   },
   adminRequired: function(req, res, next) {
     console.log('adminRequired');
     if (req.user && req.user.admin ) {
       next();
     } else {
-      res.send(401, filterUser(req.user));
+      res.json(401, filterUser(req.user));
     }
   },
   sendCurrentUser: function(req, res, next) {

server/server.js

@@ -27,6 +27,30 @@ app.use(config.server.staticUrl, function(req, res, next) {
   res.send(404); // If we get here then the request for a static file is invalid
 });
 
+// JSON vulnerability protection
+// we prepend the data with ")]},\n", which will be stripped by $http in AngularJS
+app.use(function(req, res, next) {
+  var _send = res.send;
+  res.send = function(body) {
+    var contentType = res.getHeader('Content-Type');
+    if ( contentType && contentType.indexOf('application/json') !== -1 ) {
+      if (2 == arguments.length) {
+        // res.send(body, status) backwards compat
+        if ('number' != typeof body && 'number' == typeof arguments[1]) {
+          this.statusCode = arguments[1];
+        } else {
+          this.statusCode = body;
+          body = arguments[1];
+        }
+      }
+      body = ")]}',\n" + body;
+      return _send.call(res, body);
+    }
+    _send.apply(res, arguments);
+  };
+  next();
+});
+
 app.use(express.logger());                                  // Log requests to the console
 app.use(express.bodyParser());                              // Extract the data from the body of the request - this is needed by the LocalStrategy authenticate method
 app.use(express.cookieParser(config.server.cookieSecret));  // Hash cookies with this secret