pkg/http_server/test/virtual_directory_test.dart - Issue 225813002: Fix XSS issues in http_server's dir-listing and error-page.

Side by Side Diff: pkg/http_server/test/virtual_directory_test.dart

Issue 225813002: Fix XSS issues in http_server's dir-listing and error-page. (Closed) Base URL: https://dart.googlecode.com/svn/branches/bleeding_edge/dart

Patch Set: Remove debug code. Created 6 years, 8 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch | Annotate | Revision Log

OLD	NEW
1 // Copyright (c) 2013, the Dart project authors. Please see the AUTHORS file	1 // Copyright (c) 2013, the Dart project authors. Please see the AUTHORS file

2 // for details. All rights reserved. Use of this source code is governed by a	2 // for details. All rights reserved. Use of this source code is governed by a

3 // BSD-style license that can be found in the LICENSE file.	3 // BSD-style license that can be found in the LICENSE file.

4	4

5 import 'dart:async';	5 import 'dart:async';

6 import 'dart:io';	6 import 'dart:io';

7	7

8 import "package:http_server/http_server.dart";	8 import "package:http_server/http_server.dart";

9 import 'package:path/path.dart' as pathos;	9 import 'package:path/path.dart' as pathos;

10 import "package:unittest/unittest.dart";	10 import "package:unittest/unittest.dart";

(...skipping 81 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
92 });	92 });

93	93

94 group('serve-dir', () {	94 group('serve-dir', () {

95 group('top-level', () {	95 group('top-level', () {

96 testVirtualDir('simple', (dir) {	96 testVirtualDir('simple', (dir) {

97 var virDir = new VirtualDirectory(dir.path);	97 var virDir = new VirtualDirectory(dir.path);

98 virDir.allowDirectoryListing = true;	98 virDir.allowDirectoryListing = true;

99	99

100 return getAsString(virDir, '/')	100 return getAsString(virDir, '/')

101 .then((result) {	101 .then((result) {

102 expect(result, contains('Index of /'));	102 expect(result, contains('Index of &#x2F'));

103 });	103 });

104 });	104 });

105	105

106 testVirtualDir('files', (dir) {	106 testVirtualDir('files', (dir) {

107 var virDir = new VirtualDirectory(dir.path);	107 var virDir = new VirtualDirectory(dir.path);

108 for (int i = 0; i < 10; i++) {	108 for (int i = 0; i < 10; i++) {

109 new File('${dir.path}/$i').createSync();	109 new File('${dir.path}/$i').createSync();

110 }	110 }

111 virDir.allowDirectoryListing = true;	111 virDir.allowDirectoryListing = true;

112	112

113 return getAsString(virDir, '/')	113 return getAsString(virDir, '/')

114 .then((result) {	114 .then((result) {

115 expect(result, contains('Index of /'));	115 expect(result, contains('Index of &#x2F'));

116 });	116 });

117 });	117 });

118	118

119 testVirtualDir('dirs', (dir) {	119 testVirtualDir('dirs', (dir) {

120 var virDir = new VirtualDirectory(dir.path);	120 var virDir = new VirtualDirectory(dir.path);

121 for (int i = 0; i < 10; i++) {	121 for (int i = 0; i < 10; i++) {

122 new Directory('${dir.path}/$i').createSync();	122 new Directory('${dir.path}/$i').createSync();

123 }	123 }

124 virDir.allowDirectoryListing = true;	124 virDir.allowDirectoryListing = true;

125	125

126 return getAsString(virDir, '/')	126 return getAsString(virDir, '/')

127 .then((result) {	127 .then((result) {

128 expect(result, contains('Index of /'));	128 expect(result, contains('Index of &#x2F'));

129 });	129 });

130 });	130 });

131	131

	132 testVirtualDir('encoded', (dir) {

	133 var virDir = new VirtualDirectory(dir.path);

	134 new Directory('${dir.path}/alert(\'hacked!\');').createSync();
	nweiz 2014/04/04 18:06:37 "/" isn't a great test case for HTML-escaping beca "/" isn't a great test case for HTML-escaping because it's not an HTML-active character. Make sure you test "<", ">", and "&". Anders Johnsen 2014/04/07 07:03:08 Done. Show quoted text On 2014/04/04 18:06:37, nweiz wrote: > "/" isn't a great test case for HTML-escaping because it's not an HTML-active > character. Make sure you test "<", ">", and "&". Done.
	135 virDir.allowDirectoryListing = true;

	136

	137 return getAsString(virDir, '/alert(\'hacked!\');')

	138 .then((result) {

	139 expect(result, contains('/alert('hacked!');/'));

	140 });

	141 });

	142

	143 testVirtualDir('encoded', (dir) {

	144 var virDir = new VirtualDirectory(dir.path);

	145 new Directory('${dir.path}/javascript:alert(document);"').createSync();

	146 virDir.allowDirectoryListing = true;

	147

	148 return getAsString(virDir, '/')

	149 .then((result) {

	150 expect(result, contains('%2Fjavascript%3Aalert(document)%3B%22'));

	151 });

	152 });

	153

132 if (!Platform.isWindows) {	154 if (!Platform.isWindows) {

133 testVirtualDir('recursive-link', (dir) {	155 testVirtualDir('recursive-link', (dir) {

134 var link = new Link('${dir.path}/recursive')..createSync('.');	156 var link = new Link('${dir.path}/recursive')..createSync('.');

135 var virDir = new VirtualDirectory(dir.path);	157 var virDir = new VirtualDirectory(dir.path);

136 virDir.allowDirectoryListing = true;	158 virDir.allowDirectoryListing = true;

137	159

138 return Future.wait([	160 return Future.wait([

139 getAsString(virDir, '/').then(	161 getAsString(virDir, '/').then(

140 (s) => s.contains('recursive/')),	162 (s) => s.contains('recursive/')),

141 getAsString(virDir, '/').then(	163 getAsString(virDir, '/').then(

142 (s) => !s.contains('../')),	164 (s) => !s.contains('../')),

143 getAsString(virDir, '/').then(	165 getAsString(virDir, '/').then(

144 (s) => s.contains('Index of /')),	166 (s) => s.contains('Index of /')),

145 getAsString(virDir, '/recursive').then(	167 getAsString(virDir, '/recursive').then(

146 (s) => s.contains('recursive/')),	168 (s) => s.contains('recursive/')),

147 getAsString(virDir, '/recursive').then(	169 getAsString(virDir, '/recursive').then(

148 (s) => s.contains('../')),	170 (s) => s.contains('../')),

149 getAsString(virDir, '/recursive').then(	171 getAsString(virDir, '/recursive').then(

150 (s) => s.contains('Index of /recursive'))])	172 (s) => s.contains('Index of /recursive'))])

151 .then((result) {	173 .then((result) {

152 expect(result, equals([true, true, true, true, true, true]));	174 expect(result, equals([true, true, true, true, true, true]));

153 });	175 });

154 });	176 });

155 }	177 }

156 });	178 });

157	179

158 group('custom', () {	180 group('custom', () {

159 testVirtualDir('simple', (dir) {	181 testVirtualDir('simple', (dir) {

160 var virDir = new VirtualDirectory(dir.path);	182 var virDir = new VirtualDirectory(dir.path);

(...skipping 369 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
530 return virDir.serveFile(new File('${d.path}/file'), request);	552 return virDir.serveFile(new File('${d.path}/file'), request);

531 };	553 };

532	554

533 return getAsString(virDir, '/')	555 return getAsString(virDir, '/')

534 .then((result) {	556 .then((result) {

535 expect(result, 'file contents');	557 expect(result, 'file contents');

536 });	558 });

537 });	559 });

538 });	560 });

539 }	561 }

OLD	NEW

« pkg/http_server/lib/src/virtual_directory.dart ('K') | « pkg/http_server/lib/src/virtual_directory.dart ('k') | no next file » | no next file with comments »