Начало Каталог Помощ
Вход
lovecoding
/
W0407
10
0
Разклонения 0
Файлове Задачи 0 Заявки за сливане 0 Уики
Клон: main
Клонове Маркери
W0407
/
Webpack
/
node_modules
/
fast-uri
/
test
/
security.test.js

security.test.js 4.2 KB
Постоянна връзка История Директен файл

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133 
  1. 'use strict'
    2. 

  2. 

  3. const test = require('tape')
    4. 

  4. const fastURI = require('..')
    5. 

  5. 

  6. test('parse marks malformed authority and port inputs as errors', (t) => {
    7. 

  7.   const malformedCases = [
    8. 

  8.     {
    9. 

  9.       input: 'http://[::1]foo',
    10. 

  10.       expectedError: 'URI path must start with "/" when authority is present.'
    11. 

  11.     },
    12. 

  12.     {
    13. 

  13.       input: 'http://[::1]:80abc/path',
    14. 

  14.       expectedError: 'URI path must start with "/" when authority is present.'
    15. 

  15.     },
    16. 

  16.     {
    17. 

  17.       input: 'http://example.com:80abc/path',
    18. 

  18.       expectedError: 'URI path must start with "/" when authority is present.'
    19. 

  19.     },
    20. 

  20.     {
    21. 

  21.       input: 'http://[::1]:65536',
    22. 

  22.       expectedError: 'URI port is malformed.'
    23. 

  23.     }
    24. 

  24.   ]
    25. 

  25. 

  26.   t.plan(malformedCases.length)
    27. 

  27. 

  28.   malformedCases.forEach(({ input, expectedError }) => {
    29. 

  29.     t.equal(fastURI.parse(input).error, expectedError, input)
    30. 

  30.   })
    31. 

  31. })
    32. 

  32. 

  33. test('normalize does not canonicalize malformed URLs into different valid URLs', (t) => {
    34. 

  34.   const malformedCases = [
    35. 

  35.     'http://[::1]foo',
    36. 

  36.     'http://[::1]:80abc/path',
    37. 

  37.     'http://example.com:80abc/path',
    38. 

  38.     'http://[::1]:65536'
    39. 

  39.   ]
    40. 

  40. 

  41.   t.plan(malformedCases.length)
    42. 

  42. 

  43.   malformedCases.forEach((input) => {
    44. 

  44.     t.equal(fastURI.normalize(input), input, input)
    45. 

  45.   })
    46. 

  46. })
    47. 

  47. 

  48. test('equal returns false when either side is malformed', (t) => {
    49. 

  49.   const malformedPairs = [
    50. 

  50.     ['http://[::1]foo', 'http://[::1]/foo'],
    51. 

  51.     ['http://[::1]:80abc/path', 'http://[::1]/abc/path'],
    52. 

  52.     ['http://example.com:80abc/path', 'http://example.com/abc/path'],
    53. 

  53.     ['http://[::1]:65536', 'http://[::1]:65536/']
    54. 

  54.   ]
    55. 

  55. 

  56.   t.plan(malformedPairs.length)
    57. 

  57. 

  58.   malformedPairs.forEach(([left, right]) => {
    59. 

  59.     t.equal(fastURI.equal(left, right), false, `${left} != ${right}`)
    60. 

  60.   })
    61. 

  61. })
    62. 

  62. 

  63. test('normalize preserves encoded authority delimiters in host', (t) => {
    64. 

  64.   const cases = [
    65. 

  65.     ['http://trusted.com%40evil.com/', 'http://trusted.com%40evil.com/'],
    66. 

  66.     ['http://example.com%3A8080/', 'http://example.com%3A8080/'],
    67. 

  67.     ['http://example.com%2Fevil.com/path', 'http://example.com%2Fevil.com/path'],
    68. 

  68.     ['http://example.com%23fragment/path', 'http://example.com%23fragment/path'],
    69. 

  69.     ['http://example.com%3Fq=evil/path', 'http://example.com%3Fq=evil/path'],
    70. 

  70.     ['http://user%3Apass%40evil.com/', 'http://user%3Apass%40evil.com/'],
    71. 

  71.     ['http://user@trusted.com%40evil.com/', 'http://user@trusted.com%40evil.com/'],
    72. 

  72.     ['https://trusted.com%40evil.com/', 'https://trusted.com%40evil.com/'],
    73. 

  73.     ['ws://trusted.com%40evil.com/chat', 'ws://trusted.com%40evil.com/chat'],
    74. 

  74.     ['wss://trusted.com%40evil.com/chat', 'wss://trusted.com%40evil.com/chat']
    75. 

  75.   ]
    76. 

  76. 

  77.   t.plan(cases.length)
    78. 

  78. 

  79.   cases.forEach(([input, expected]) => {
    80. 

  80.     t.equal(fastURI.normalize(input), expected, input)
    81. 

  81.   })
    82. 

  82. })
    83. 

  83. 

  84. test('parse preserves encoded authority delimiters in host', (t) => {
    85. 

  85.   const cases = [
    86. 

  86.     ['http://trusted.com%40evil.com/', 'trusted.com%40evil.com'],
    87. 

  87.     ['http://example.com%3A8080/', 'example.com%3A8080'],
    88. 

  88.     ['http://user%3Apass%40evil.com/', 'user%3Apass%40evil.com']
    89. 

  89.   ]
    90. 

  90. 

  91.   t.plan(cases.length)
    92. 

  92. 

  93.   cases.forEach(([input, expectedHost]) => {
    94. 

  94.     t.equal(fastURI.parse(input).host, expectedHost, input)
    95. 

  95.   })
    96. 

  96. })
    97. 

  97. 

  98. test('equal returns false when encoded delimiters differ from live delimiters', (t) => {
    99. 

  99.   const pairs = [
    100. 

  100.     ['http://trusted.com%40evil.com/', 'http://trusted.com@evil.com/'],
    101. 

  101.     ['http://example.com%3A8080/', 'http://example.com:8080/']
    102. 

  102.   ]
    103. 

  103. 

  104.   t.plan(pairs.length)
    105. 

  105. 

  106.   pairs.forEach(([left, right]) => {
    107. 

  107.     t.equal(fastURI.equal(left, right, {}), false, `${left} != ${right}`)
    108. 

  108.   })
    109. 

  109. })
    110. 

  110. 

  111. test('resolve preserves encoded authority delimiters', (t) => {
    112. 

  112.   const result = fastURI.resolve('http://base.com/', '//trusted.com%40evil.com/path')
    113. 

  113.   const parsed = fastURI.parse(result)
    114. 

  114. 

  115.   t.plan(1)
    116. 

  116.   t.notEqual(parsed.host, 'evil.com', '//trusted.com%40evil.com/path')
    117. 

  117. })
    118. 

  118. 

  119. test('serialize escapes authority delimiters in host field', (t) => {
    120. 

  120.   const result = fastURI.serialize({ scheme: 'http', host: 'trusted.com@evil.com', path: '/' })
    121. 

  121.   const parsed = fastURI.parse(result)
    122. 

  122. 

  123.   t.plan(1)
    124. 

  124.   t.notEqual(parsed.host, 'evil.com', 'host: trusted.com@evil.com')
    125. 

  125. })
    126. 

  126. 

  127. test('normalize does not double-decode %2540 into a live @', (t) => {
    128. 

  128.   const result = fastURI.normalize('http://trusted.com%2540evil.com/')
    129. 

  129.   const parsed = fastURI.parse(result)
    130. 

  130. 

  131.   t.plan(1)
    132. 

  132.   t.notEqual(parsed.host, 'trusted.com@evil.com', 'http://trusted.com%2540evil.com/')
    133. 

  133. })
    134.