
safeNextPathFrom(): add tests for bad content (#1003)
* safeNextPathFrom(): add tests for bad content

* add lint exception

* Update test cases for:

* fragment injection
* query string injection
* domain redirect

---------

Co-authored-by: alxndrsn <alxndrsn>
alxndrsn authored Sep 25, 2023
1 parent 11d9b81 commit 0d2efaa
Showing 1 changed file with 39 additions and 3 deletions.
42 changes: 39 additions & 3 deletions test/unit/util/html.js
Expand Up @@ -27,9 +27,45 @@ describe('util/html', () => {

describe('safeNextPathFrom()', () => {
[
[ '/-/xyz', 'http://localhost:8989/-/xyz' ], // eslint-disable-line no-multi-spaces
[ '/account/edit', '/#/account/edit' ], // eslint-disable-line no-multi-spaces
[ '/users', '/#/users' ], // eslint-disable-line no-multi-spaces
// odk-central-frontend
[ '/account/edit', '/#/account/edit' ], // eslint-disable-line no-multi-spaces
[ '/users', '/#/users' ], // eslint-disable-line no-multi-spaces
[ '/users"><badTag ', '/#/users%22%3E%3CbadTag' ], // eslint-disable-line no-multi-spaces

// query params
[ '/users?"><badTag ', '/#/users?%22%3E%3CbadTag' ], // eslint-disable-line no-multi-spaces
[ '/users?="><badTag ', '/#/users?=%22%3E%3CbadTag' ], // eslint-disable-line no-multi-spaces
[ '/users?a="><badTag ', '/#/users?a=%22%3E%3CbadTag' ], // eslint-disable-line no-multi-spaces
[ '/users?"=><badTag ', '/#/users?%22=%3E%3CbadTag' ], // eslint-disable-line no-multi-spaces

// fragments
[ '/users#"><badTag ', '/#/users#%22%3E%3CbadTag' ], // eslint-disable-line no-multi-spaces
[ '/users#="><badTag ', '/#/users#=%22%3E%3CbadTag' ], // eslint-disable-line no-multi-spaces
[ '/users#a="><badTag ', '/#/users#a=%22%3E%3CbadTag' ], // eslint-disable-line no-multi-spaces
[ '/users#"=><badTag ', '/#/users#%22=%3E%3CbadTag' ], // eslint-disable-line no-multi-spaces

// query string & fragment
[ '/users?"=1#"=><badTag ', '/#/users?%22=1#%22=%3E%3CbadTag' ], // eslint-disable-line no-multi-spaces

// enketo-express
[ '/-/xyz', 'http://localhost:8989/-/xyz' ], // eslint-disable-line no-multi-spaces
[ '/-/xyz?"><b', 'http://localhost:8989/-/xyz?%22%3E%3Cb' ], // eslint-disable-line no-multi-spaces
[ '/-/xyz#"><b', 'http://localhost:8989/-/xyz#%22%3E%3Cb' ], // eslint-disable-line no-multi-spaces
[ '/-/xyz?"><b#"><b', 'http://localhost:8989/-/xyz?%22%3E%3Cb#%22%3E%3Cb' ], // eslint-disable-line no-multi-spaces

// bad domain
[ 'http://example.com', '/#/' ], // eslint-disable-line no-multi-spaces
// with @ char - not a problem if positioned in fragment or after first `/`:
[ '@baddomain.com', '/#/@baddomain.com' ], // eslint-disable-line no-multi-spaces
[ '/-/@baddomain.com', 'http://localhost:8989/-/@baddomain.com' ], // eslint-disable-line no-multi-spaces
[ '&64;baddomain.com', '/#/&64;baddomain.com' ], // eslint-disable-line no-multi-spaces
[ '/-/&64;baddomain.com', 'http://localhost:8989/-/&64;baddomain.com' ], // eslint-disable-line no-multi-spaces
[ 'http://localhost:[email protected]', '/#/' ], // eslint-disable-line no-multi-spaces
[ 'http://localhost:[email protected]', '/#/' ], // eslint-disable-line no-multi-spaces

// bad protocols
[ 'https://localhost:8989', '/#/' ], // eslint-disable-line no-multi-spaces
[ 'javascript:badFn()', '/#/' ], // eslint-disable-line no-multi-spaces,no-script-url
].forEach(([next, expected]) => {
it(`should convert next=${next} to ${expected}`, () => {
safeNextPathFrom(next).should.equal(expected);
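Review bot: The new `// bad domain` and `// bad protocols` groups do not pin the behaviour for protocol-relative and backslash-prefixed inputs, which browsers resolve to a different origin even though they start with `/`; rows such as `[ '//example.com', '/#/' ]` and `[ '/\\example.com', '/#/' ]` would make the redirect check's handling of them explicit (if the implementation already rejects them the rows simply lock that in). The `javascript:` row is exercised only in lower case with no leading whitespace, so a row like `[ ' JavaScript:badFn()', '/#/' ]` would confirm the scheme check is not case- or whitespace-sensitive. The last two entries of the bad-domain group read identically in this rendered view, which is presumably the page obfuscating the userinfo part of the URL rather than a real duplicate, but it is worth confirming they differ in the file. As a point of style, the `// eslint-disable-line no-multi-spaces` trailer repeated on every row could be replaced by one `/* eslint-disable no-multi-spaces */` … `/* eslint-enable no-multi-spaces */` pair around the table. The `describe('safeNextPathFrom()', …)` callback continues past the end of the hunk.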
