diff --git a/api-server/server/middlewares/add-return-to.js b/api-server/server/middlewares/add-return-to.js
index 087b08153b..47d7bbfc03 100644
--- a/api-server/server/middlewares/add-return-to.js
+++ b/api-server/server/middlewares/add-return-to.js
@@ -11,10 +11,10 @@ const pathsOfNoReturn = [
 'css'
 ];
-const pathsWhiteList = ['challenges', 'map', 'commit'];
+const pathsAllowedList = ['challenges', 'map', 'commit'];
 const pathsOfNoReturnRegex = new RegExp(pathsOfNoReturn.join('|'), 'i');
-const whiteListRegex = new RegExp(pathsWhiteList.join('|'), 'i');
+const pathsAllowedRegex = new RegExp(pathsAllowedList.join('|'), 'i');
 export default function addReturnToUrl() {
 return function(req, res, next) {
@@ -24,7 +24,7 @@ export default function addReturnToUrl() {
 if (
 req.method !== 'GET' ||
 pathsOfNoReturnRegex.test(path) ||
- !whiteListRegex.test(path) ||
+ !pathsAllowedRegex.test(path) ||
 /hot/i.test(req.path)
 ) {
 return next();
diff --git a/api-server/server/middlewares/constant-headers.js b/api-server/server/middlewares/constant-headers.js
index 7742c49ff3..4f77b0d9cf 100644
--- a/api-server/server/middlewares/constant-headers.js
+++ b/api-server/server/middlewares/constant-headers.js
@@ -1,12 +1,12 @@
 import { homeLocation } from '../../../config/env';
-import { whitelistOrigins } from '../../../config/cors-settings';
+import { allowedOrigins } from '../../../config/cors-settings';
 export default function constantHeaders() {
 return function(req, res, next) {
 if (
 req.headers &&
 req.headers.origin &&
- whitelistOrigins.includes(req.headers.origin)
+ allowedOrigins.includes(req.headers.origin)
 ) {
 res.header('Access-Control-Allow-Origin', req.headers.origin);
 } else {
diff --git a/api-server/server/middlewares/request-authorization.js b/api-server/server/middlewares/request-authorization.js
index 3aa8ad486c..55d98a1223 100644
--- a/api-server/server/middlewares/request-authorization.js
+++ b/api-server/server/middlewares/request-authorization.js
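Review bot: The allow-list gate `!pathsAllowedRegex.test(path)` in the second hunk matches by unanchored, case-insensitive substring, because `pathsAllowedRegex` is built from `pathsAllowedList.join('|')` with no anchors; any path that merely contains `map` or `commit` (for example `/sitemap.xml`) passes it, and the rename leaves that as it was. If only those route prefixes are meant to be accepted, anchor the pattern, e.g. `const pathsAllowedRegex = new RegExp('^/(' + pathsAllowedList.join('|') + ')(/|$)', 'i');`, and add a test with a path that contains an allowed word only as a substring. The same construction is used for `pathsOfNoReturnRegex`, but as a deny-list a broader match there errs on the safe side. addReturnToUrl's body continues outside the hunk, so what is stored or redirected with the accepted path is not visible here.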
@@ -28,7 +28,7 @@ const updateHooksRE = /^\/hooks\/update-paypal$|^\/hooks\/update-stripe$/;
 // note: this would be replaced by webhooks later
 const donateRE = /^\/donate\/charge-stripe$/;
-const _whiteListREs = [
+const _pathsAllowedREs = [
 authRE,
 confirmEmailRE,
 newsShortLinksRE,
@@ -44,14 +44,14 @@ const _whiteListREs = [
 donateRE
 ];
-export function isWhiteListedPath(path, whiteListREs = _whiteListREs) {
- return whiteListREs.some(re => re.test(path));
+export function isAllowedPath(path, pathsAllowedREs = _pathsAllowedREs) {
+ return pathsAllowedREs.some(re => re.test(path));
 }
 export default ({ jwtSecret = _jwtSecret, getUserById = _getUserById } = {}) => function requestAuthorisation(req, res, next) {
 const { path } = req;
- if (!isWhiteListedPath(path)) {
+ if (!isAllowedPath(path)) {
 const { accessToken, error, jwt } = getAccessTokenFromRequest(
 req,
 jwtSecret
diff --git a/api-server/server/middlewares/request-authorization.test.js b/api-server/server/middlewares/request-authorization.test.js
index 86a4a7cb9a..ba56cded40 100644
--- a/api-server/server/middlewares/request-authorization.test.js
+++ b/api-server/server/middlewares/request-authorization.test.js
@@ -4,7 +4,7 @@ import { mockReq, mockRes } from 'sinon-express-mock';
 import jwt from 'jsonwebtoken';
 import createRequestAuthorization, {
- isWhiteListedPath
+ isAllowedPath
 } from './request-authorization';
 const validJWTSecret = 'this is a super secret string';
@@ -27,7 +27,7 @@ const mockGetUserById = id =>
 id in users ? Promise.resolve(users[id]) : Promise.reject('No user found');
 describe('request-authorization', () => {
- describe('isWhiteListedPath', () => {
+ describe('isAllowedPath', () => {
 const authRE = /^\/auth\//;
 const confirmEmailRE = /^\/confirm-email$/;
 const newsShortLinksRE = /^\/n\/|^\/p\//;
@@ -42,7 +42,7 @@ describe('request-authorization', () => {
 const unsubscribeRE = /^\/u\/|^\/unsubscribe\/|^\/ue\//;
 const updateHooksRE = /^\/hooks\/update-paypal$|^\/hooks\/update-stripe$/;
- const whiteList = [
+ const allowedPathsList = [
 authRE,
 confirmEmailRE,
 newsShortLinksRE,
@@ -58,18 +58,21 @@ describe('request-authorization', () => {
 ];
 it('returns a boolean', () => {
- const result = isWhiteListedPath();
+ const result = isAllowedPath();
 expect(typeof result).toBe('boolean');
 });
 it('returns true for a white listed path', () => {
- const resultA = isWhiteListedPath(
+ const resultA = isAllowedPath(
 '/auth/auth0/callback?code=yF_mGjswLsef-_RLo',
- whiteList
+ allowedPathsList
 );
- const resultB = isWhiteListedPath('/ue/WmjInLerysPrcon6fMb/', whiteList);
- const resultC = isWhiteListedPath('/hooks/update-paypal', whiteList);
- const resultD = isWhiteListedPath('/hooks/update-stripe', whiteList);
+ const resultB = isAllowedPath(
+ '/ue/WmjInLerysPrcon6fMb/',
+ allowedPathsList
+ );
+ const resultC = isAllowedPath('/hooks/update-paypal', allowedPathsList);
+ const resultD = isAllowedPath('/hooks/update-stripe', allowedPathsList);
 expect(resultA).toBe(true);
 expect(resultB).toBe(true);
 expect(resultC).toBe(true);
@@ -77,8 +80,11 @@ describe('request-authorization', () => {
 });
 it('returns false for a non-white-listed path', () => {
- const resultA = isWhiteListedPath('/hax0r-42/no-go', whiteList);
- const resultB = isWhiteListedPath('/update-current-challenge', whiteList);
+ const resultA = isAllowedPath('/hax0r-42/no-go', allowedPathsList);
+ const resultB = isAllowedPath(
+ '/update-current-challenge',
+ allowedPathsList
+ );
 expect(resultA).toBe(false);
 expect(resultB).toBe(false);
 });
diff --git a/config/cors-settings.js b/config/cors-settings.js
index ba83f1849f..aeb15aba45 100644
--- a/config/cors-settings.js
+++ b/config/cors-settings.js
@@ -1,4 +1,4 @@
-exports.whitelistOrigins = [
+exports.allowedOrigins = [
 'https://www.freecodecamp.dev',
 'https://www.freecodecamp.org',
 'https://beta.freecodecamp.dev',
diff --git a/curriculum/challenges/arabic/02-javascript-algorithms-and-data-structures/es6/create-strings-using-template-literals.arabic.md b/curriculum/challenges/arabic/02-javascript-algorithms-and-data-structures/es6/create-strings-using-template-literals.arabic.md
index 868f751b40..3de9eabcc5 100644
--- a/curriculum/challenges/arabic/02-javascript-algorithms-and-data-structures/es6/create-strings-using-template-literals.arabic.md
+++ b/curriculum/challenges/arabic/02-javascript-algorithms-and-data-structures/es6/create-strings-using-template-literals.arabic.md
@@ -37,7 +37,7 @@ tests:
 const result = {
 success: ["max-length", "no-amd", "prefer-arrow-functions"],
 failure: ["no-var", "var-on-top", "linebreak"],
- skipped: ["id-blacklist", "no-dup-keys"]
+ skipped: ["no-extra-semi", "no-dup-keys"]
 };
 function makeList(arr) {
 "use strict";
diff --git a/curriculum/challenges/chinese/02-javascript-algorithms-and-data-structures/es6/create-strings-using-template-literals.chinese.md b/curriculum/challenges/chinese/02-javascript-algorithms-and-data-structures/es6/create-strings-using-template-literals.chinese.md
index ec4a7434f0..41fed35547 100644
--- a/curriculum/challenges/chinese/02-javascript-algorithms-and-data-structures/es6/create-strings-using-template-literals.chinese.md
+++ b/curriculum/challenges/chinese/02-javascript-algorithms-and-data-structures/es6/create-strings-using-template-literals.chinese.md
@@ -67,7 +67,7 @@ tests:
 const result = {
 success: ["max-length", "no-amd", "prefer-arrow-functions"],
 failure: ["no-var", "var-on-top", "linebreak"],
- skipped: ["id-blacklist", "no-dup-keys"]
+ skipped: ["no-extra-semi", "no-dup-keys"]
 };
 function makeList(arr) {
 "use strict";
diff --git a/curriculum/challenges/english/02-javascript-algorithms-and-data-structures/es6/create-strings-using-template-literals.english.md b/curriculum/challenges/english/02-javascript-algorithms-and-data-structures/es6/create-strings-using-template-literals.english.md
index 0fa47d51b7..80b1a21434 100644
--- a/curriculum/challenges/english/02-javascript-algorithms-and-data-structures/es6/create-strings-using-template-literals.english.md
+++ b/curriculum/challenges/english/02-javascript-algorithms-and-data-structures/es6/create-strings-using-template-literals.english.md
@@ -75,7 +75,7 @@ tests:
 const result = {
 success: ["max-length", "no-amd", "prefer-arrow-functions"],
 failure: ["no-var", "var-on-top", "linebreak"],
- skipped: ["id-blacklist", "no-dup-keys"]
+ skipped: ["no-extra-semi", "no-dup-keys"]
 };
 function makeList(arr) {
 "use strict";
@@ -103,7 +103,7 @@ const resultDisplayArray = makeList(result.failure);
 const result = {
 success: ["max-length", "no-amd", "prefer-arrow-functions"],
 failure: ["no-var", "var-on-top", "linebreak"],
- skipped: ["id-blacklist", "no-dup-keys"]
+ skipped: ["no-extra-semi", "no-dup-keys"]
 };
 function makeList(arr) {
 "use strict";
diff --git a/curriculum/challenges/english/09-information-security/information-security-with-helmetjs/set-a-content-security-policy-with-helmet.contentsecuritypolicy.english.md b/curriculum/challenges/english/09-information-security/information-security-with-helmetjs/set-a-content-security-policy-with-helmet.contentsecuritypolicy.english.md
index 2ed0c926f6..143a5c8e7f 100644
--- a/curriculum/challenges/english/09-information-security/information-security-with-helmetjs/set-a-content-security-policy-with-helmet.contentsecuritypolicy.english.md
+++ b/curriculum/challenges/english/09-information-security/information-security-with-helmetjs/set-a-content-security-policy-with-helmet.contentsecuritypolicy.english.md
@@ -8,7 +8,7 @@ forumTopicId: 301585
 ## Description
As a reminder, this project is being built upon the following starter project on Repl.it, or cloned from GitHub.
-This challenge highlights one promising new defense that can significantly reduce the risk and impact of many type of attacks in modern browsers. By setting and configuring a Content Security Policy you can prevent the injection of anything unintended into your page. This will protect your app from XSS vulnerabilities, undesired tracking, malicious frames, and much more. CSP works by defining a whitelist of content sources which are trusted. You can configure them for each kind of resource a web page may need (scripts, stylesheets, fonts, frames, media, and so on…). There are multiple directives available, so a website owner can have a granular control. See HTML 5 Rocks, KeyCDN for more details. Unfortunately CSP is unsupported by older browser.
+This challenge highlights one promising new defense that can significantly reduce the risk and impact of many type of attacks in modern browsers. By setting and configuring a Content Security Policy you can prevent the injection of anything unintended into your page. This will protect your app from XSS vulnerabilities, undesired tracking, malicious frames, and much more. CSP works by defining an allowed list of content sources which are trusted. You can configure them for each kind of resource a web page may need (scripts, stylesheets, fonts, frames, media, and so on…). There are multiple directives available, so a website owner can have a granular control. See HTML 5 Rocks, KeyCDN for more details. Unfortunately CSP is unsupported by older browser.
 By default, directives are wide open, so it’s important to set the defaultSrc directive as a fallback. Helmet supports both defaultSrc and default-src naming styles. The fallback applies for most of the unspecified directives.
@@ -42,8 +42,8 @@ tests:
 ```js
 /**
- Backend challenges don't need solutions,
- because they would need to be tested against a full working project.
+ Backend challenges don't need solutions,
+ because they would need to be tested against a full working project.
 Please check our contributing guidelines to learn more.
 */
 ```
diff --git a/curriculum/challenges/portuguese/02-javascript-algorithms-and-data-structures/es6/create-strings-using-template-literals.portuguese.md b/curriculum/challenges/portuguese/02-javascript-algorithms-and-data-structures/es6/create-strings-using-template-literals.portuguese.md
index 0d95d8dfc8..61da73a023 100644
--- a/curriculum/challenges/portuguese/02-javascript-algorithms-and-data-structures/es6/create-strings-using-template-literals.portuguese.md
+++ b/curriculum/challenges/portuguese/02-javascript-algorithms-and-data-structures/es6/create-strings-using-template-literals.portuguese.md
@@ -37,7 +37,7 @@ tests:
 const result = {
 success: ["max-length", "no-amd", "prefer-arrow-functions"],
 failure: ["no-var", "var-on-top", "linebreak"],
- skipped: ["id-blacklist", "no-dup-keys"]
+ skipped: ["no-extra-semi", "no-dup-keys"]
 };
 function makeList(arr) {
 "use strict";
diff --git a/curriculum/challenges/russian/02-javascript-algorithms-and-data-structures/es6/create-strings-using-template-literals.russian.md b/curriculum/challenges/russian/02-javascript-algorithms-and-data-structures/es6/create-strings-using-template-literals.russian.md
index 6bb412818c..2dbda79b70 100644
--- a/curriculum/challenges/russian/02-javascript-algorithms-and-data-structures/es6/create-strings-using-template-literals.russian.md
+++ b/curriculum/challenges/russian/02-javascript-algorithms-and-data-structures/es6/create-strings-using-template-literals.russian.md
@@ -43,7 +43,7 @@ tests:
 const result = {
 success: ["max-length", "no-amd", "prefer-arrow-functions"],
 failure: ["no-var", "var-on-top", "linebreak"],
- skipped: ["id-blacklist", "no-dup-keys"]
+ skipped: ["no-extra-semi", "no-dup-keys"]
 };
 function makeList(arr) {
 "use strict";
@@ -75,7 +75,7 @@ const resultDisplayArray = makeList(result.failure);
 const result = {
 success: ["max-length", "no-amd", "prefer-arrow-functions"],
 failure: ["no-var", "var-on-top", "linebreak"],
- skipped: ["id-blacklist", "no-dup-keys"]
+ skipped: ["no-extra-semi", "no-dup-keys"]
 };
 function makeList(arr) {
 "use strict";
diff --git a/curriculum/challenges/spanish/02-javascript-algorithms-and-data-structures/es6/create-strings-using-template-literals.spanish.md b/curriculum/challenges/spanish/02-javascript-algorithms-and-data-structures/es6/create-strings-using-template-literals.spanish.md
index 02c5de8e37..c1a0914568 100644
--- a/curriculum/challenges/spanish/02-javascript-algorithms-and-data-structures/es6/create-strings-using-template-literals.spanish.md
+++ b/curriculum/challenges/spanish/02-javascript-algorithms-and-data-structures/es6/create-strings-using-template-literals.spanish.md
@@ -37,7 +37,7 @@ tests:
 const result = {
 success: ["max-length", "no-amd", "prefer-arrow-functions"],
 failure: ["no-var", "var-on-top", "linebreak"],
- skipped: ["id-blacklist", "no-dup-keys"]
+ skipped: ["no-extra-semi", "no-dup-keys"]
 };
 function makeList(arr) {
 "use strict";
diff --git a/utils/validate.test.js b/utils/validate.test.js
index 7c516482dc..a96d8f8db5 100644
--- a/utils/validate.test.js
+++ b/utils/validate.test.js
@@ -40,7 +40,7 @@ describe('isValidUsername', () => {
 });
 it('rejects all other ASCII characters', () => {
- const whiteList = ['-', '_', '+'];
+ const allowedCharactersList = ['-', '_', '+'];
 const numbers = [48, 57];
 const upperCase = [65, 90];
 const lowerCase = [97, 122];
@@ -50,7 +50,7 @@ describe('isValidUsername', () => {
 for (let code = 0; code <= finalCode; code++) {
 let char = String.fromCharCode(code);
 let expected = invalidCharError;
- if (whiteList.includes(char)) expected = validationSuccess;
+ if (allowedCharactersList.includes(char)) expected = validationSuccess;
 if (inRange(code, numbers)) expected = validationSuccess;
 if (inRange(code, upperCase)) expected = validationSuccess;
 if (inRange(code, lowerCase)) expected = validationSuccess;