rdrew
/
druid
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
d11 theme
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
0 Tags
42 MiB
 
 
 
Tree: f035d16951
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'f035d16951'
${ noResults }
druid/node_modules/fast-uri/test/security.test.js

133 lines
4.2 KiB
Raw Blame History

'use strict'
const test = require('tape')
const fastURI = require('..')
test('parse marks malformed authority and port inputs as errors', (t) => {
const malformedCases = [
{
input: 'http://[::1]foo',
expectedError: 'URI path must start with "/" when authority is present.'
},
{
input: 'http://[::1]:80abc/path',
expectedError: 'URI path must start with "/" when authority is present.'
},
{
input: 'http://example.com:80abc/path',
expectedError: 'URI path must start with "/" when authority is present.'
},
{
input: 'http://[::1]:65536',
expectedError: 'URI port is malformed.'
}
]
t.plan(malformedCases.length)
malformedCases.forEach(({ input, expectedError }) => {
t.equal(fastURI.parse(input).error, expectedError, input)
})
})
test('normalize does not canonicalize malformed URLs into different valid URLs', (t) => {
const malformedCases = [
'http://[::1]foo',
'http://[::1]:80abc/path',
'http://example.com:80abc/path',
'http://[::1]:65536'
]
t.plan(malformedCases.length)
malformedCases.forEach((input) => {
t.equal(fastURI.normalize(input), input, input)
})
})
test('equal returns false when either side is malformed', (t) => {
const malformedPairs = [
['http://[::1]foo', 'http://[::1]/foo'],
['http://[::1]:80abc/path', 'http://[::1]/abc/path'],
['http://example.com:80abc/path', 'http://example.com/abc/path'],
['http://[::1]:65536', 'http://[::1]:65536/']
]
t.plan(malformedPairs.length)
malformedPairs.forEach(([left, right]) => {
t.equal(fastURI.equal(left, right), false, `${left} != ${right}`)
})
})
test('normalize preserves encoded authority delimiters in host', (t) => {
const cases = [
['http://trusted.com%40evil.com/', 'http://trusted.com%40evil.com/'],
['http://example.com%3A8080/', 'http://example.com%3A8080/'],
['http://example.com%2Fevil.com/path', 'http://example.com%2Fevil.com/path'],
['http://example.com%23fragment/path', 'http://example.com%23fragment/path'],
['http://example.com%3Fq=evil/path', 'http://example.com%3Fq=evil/path'],
['http://user%3Apass%40evil.com/', 'http://user%3Apass%40evil.com/'],
['http://user@trusted.com%40evil.com/', 'http://user@trusted.com%40evil.com/'],
['https://trusted.com%40evil.com/', 'https://trusted.com%40evil.com/'],
['ws://trusted.com%40evil.com/chat', 'ws://trusted.com%40evil.com/chat'],
['wss://trusted.com%40evil.com/chat', 'wss://trusted.com%40evil.com/chat']
]
t.plan(cases.length)
cases.forEach(([input, expected]) => {
t.equal(fastURI.normalize(input), expected, input)
})
})
test('parse preserves encoded authority delimiters in host', (t) => {
const cases = [
['http://trusted.com%40evil.com/', 'trusted.com%40evil.com'],
['http://example.com%3A8080/', 'example.com%3A8080'],
['http://user%3Apass%40evil.com/', 'user%3Apass%40evil.com']
]
t.plan(cases.length)
cases.forEach(([input, expectedHost]) => {
t.equal(fastURI.parse(input).host, expectedHost, input)
})
})
test('equal returns false when encoded delimiters differ from live delimiters', (t) => {
const pairs = [
['http://trusted.com%40evil.com/', 'http://trusted.com@evil.com/'],
['http://example.com%3A8080/', 'http://example.com:8080/']
]
t.plan(pairs.length)
pairs.forEach(([left, right]) => {
t.equal(fastURI.equal(left, right, {}), false, `${left} != ${right}`)
})
})
test('resolve preserves encoded authority delimiters', (t) => {
const result = fastURI.resolve('http://base.com/', '//trusted.com%40evil.com/path')
const parsed = fastURI.parse(result)
t.plan(1)
t.notEqual(parsed.host, 'evil.com', '//trusted.com%40evil.com/path')
})
test('serialize escapes authority delimiters in host field', (t) => {
const result = fastURI.serialize({ scheme: 'http', host: 'trusted.com@evil.com', path: '/' })
const parsed = fastURI.parse(result)
t.plan(1)
t.notEqual(parsed.host, 'evil.com', 'host: trusted.com@evil.com')
})
test('normalize does not double-decode %2540 into a live @', (t) => {
const result = fastURI.normalize('http://trusted.com%2540evil.com/')
const parsed = fastURI.parse(result)
t.plan(1)
t.notEqual(parsed.host, 'trusted.com@evil.com', 'http://trusted.com%2540evil.com/')
})