Unified Diff: pkg/http_server/test/virtual_directory_test.dart

Issue 225813002: Fix XSS issues in http_server's dir-listing and error-page. (Closed) Base URL: https://dart.googlecode.com/svn/branches/bleeding_edge/dart
Patch Set: Also encode size and modified. Created 6 years, 8 months ago
Index: pkg/http_server/test/virtual_directory_test.dart
diff --git a/pkg/http_server/test/virtual_directory_test.dart b/pkg/http_server/test/virtual_directory_test.dart
index c04ec3414522e10bbc534d865dc28ea4015a3124..b58ee31c0a24acb5a3f7ce75fcf1d72cff09d1ff 100644
--- a/pkg/http_server/test/virtual_directory_test.dart
+++ b/pkg/http_server/test/virtual_directory_test.dart
@@ -99,7 +99,7 @@ void main() {
return getAsString(virDir, '/')
.then((result) {
- expect(result, contains('Index of /'));
+ expect(result, contains('Index of &#x2F'));
});
});
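Review bot: The expected substring `'Index of &#x2F'` on the added line drops the entity's terminating `;`, whereas the same check in the later `Future.wait` hunk of this file expects `'Index of &#x2F;'`. `contains` passes either way, but the truncated form would also accept an unterminated entity in the rendered listing. Suggest `expect(result, contains('Index of &#x2F;'));` here and on the two identical added lines in the next two hunks.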
@@ -112,7 +112,7 @@ void main() {
return getAsString(virDir, '/')
.then((result) {
- expect(result, contains('Index of /'));
+ expect(result, contains('Index of &#x2F'));
});
});
@@ -125,7 +125,41 @@ void main() {
return getAsString(virDir, '/')
.then((result) {
- expect(result, contains('Index of /'));
+ expect(result, contains('Index of &#x2F'));
+ });
+ });
+
+ testVirtualDir('encoded-dir', (dir) {
+ var virDir = new VirtualDirectory(dir.path);
+ new Directory('${dir.path}/alert(\'hacked!\');').createSync();
+ virDir.allowDirectoryListing = true;
+
+ return getAsString(virDir, '/alert(\'hacked!\');')
+ .then((result) {
+ expect(result, contains('/alert('hacked!');/'));
+ });
+ });
+
+ testVirtualDir('encoded-path', (dir) {
+ var virDir = new VirtualDirectory(dir.path);
+ new Directory('${dir.path}/javascript:alert(document);"').createSync();
+ virDir.allowDirectoryListing = true;
+
+ return getAsString(virDir, '/')
+ .then((result) {
+ expect(result, contains('%2Fjavascript%3Aalert(document)%3B%22'));
+ });
+ });
+
+ testVirtualDir('encoded-special', (dir) {
+ var virDir = new VirtualDirectory(dir.path);
+ new Directory('${dir.path}/<>&"').createSync();
+ virDir.allowDirectoryListing = true;
+
+ return getAsString(virDir, '/')
+ .then((result) {
+ expect(result, contains('&lt;&gt;&amp;&quot;&#x2F;'));
+ expect(result, contains('href="%2F%3C%3E%26%22"'));
});
});
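Review bot: The expectation in the new `encoded-dir` test, `contains('/alert('hacked!');/')`, has unescaped single quotes inside a single-quoted Dart literal, so the line does not parse as written; the directory name created a few lines above escapes them as `\'`. Since the purpose of the change is to HTML-encode listing entries (the sibling tests expect `&#x2F;`, `&lt;`, `&quot;`), the apostrophe presumably should be expected in its encoded form as well, e.g. `expect(result, contains('/alert(&#x27;hacked!&#x27;);/'));` — confirm against the escaping done in virtual_directory.dart. Separately, the directory names created in `encoded-path` and `encoded-special` contain `:`, `<`, `>` and `"`, which are not valid file-name characters on Windows, so these tests may need to be skipped on that platform.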
@@ -137,17 +171,17 @@ void main() {
return Future.wait([
getAsString(virDir, '/').then(
- (s) => s.contains('recursive/')),
+ (s) => s.contains('recursive&#x2F;')),
getAsString(virDir, '/').then(
(s) => !s.contains('../')),
getAsString(virDir, '/').then(
- (s) => s.contains('Index of /')),
+ (s) => s.contains('Index of &#x2F;')),
getAsString(virDir, '/recursive').then(
- (s) => s.contains('recursive/')),
+ (s) => s.contains('recursive&#x2F;')),
getAsString(virDir, '/recursive').then(
- (s) => s.contains('../')),
+ (s) => s.contains('..&#x2F;')),
getAsString(virDir, '/recursive').then(
- (s) => s.contains('Index of /recursive'))])
+ (s) => s.contains('Index of &#x2F;recursive'))])
.then((result) {
expect(result, equals([true, true, true, true, true, true]));
});
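Review bot: The unchanged negative check `(s) => !s.contains('../')` for the root listing no longer guards anything once entries are encoded: the new code emits `..&#x2F;` (as the updated `/recursive` expectation on the `+` line below it shows), so the raw `../` substring would be absent from the root listing whether or not a parent link is wrongly rendered there. Suggest `(s) => !s.contains('..&#x2F;')),` so the assertion keeps testing that the root directory has no parent entry. The enclosing test body starts before this hunk.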