techx/quill

Crashing quill via false verification token

neilmckibben opened this issue · 5 comments

You can crash quill by submitting an invalid verification request. Try this: https://my.hackmit.org/verify/crash. It will break quill and the error message will be along these lines:

/home/ubuntu/quill/app/server/controllers/UserController.js:397
      email: email.toLowerCase()
                   ^
TypeError: Cannot read property 'toLowerCase' of undefined
    at /home/ubuntu/quill/app/server/controllers/UserController.js:397:20
    at /home/ubuntu/quill/app/server/models/User.js:309:12
    at /home/ubuntu/quill/node_modules/jsonwebtoken/index.js:101:18
    at process._tickCallback (internal/process/next_tick.js:61:11)
[14:38:49] [nodemon] app crashed - waiting for file changes before starting...

When clicking the link above it will only go down for a couple of seconds since the app auto-restarts, but in other instances without this feature, quill will go down indefinitely. It is probably due to receiving a false token for verification.

I was able to reproduce this. Scary!

I was gonna post about this lol, so I guess it's been a problem for a while

It's a simple fix, just adding a null pointer check before accessing the token

Yup, I just fixed it, surprised that they never changed the code

Thanks for bringing it to my attention! We've fallen behind on maintaining quill and pushing many of our internal features to the main repository, which is why it hadn't been fixed yet :( Just pushed a commit for this fix.