Dedup code, added negative test cases for isIP.

bawerd · Sep 20, 2012 · 2571611 · 2571611
1 parent 51c287e
commit 2571611
Showing 1 changed file with 43 additions and 10 deletions.
diff --git a/tests/test-valve.js b/tests/test-valve.js
@@ -685,19 +685,52 @@ exports['test_validate_ip'] = function(test, assert) {
     assert.deepEqual(err.message, 'IP address is not a string', 'IP test (negative case 3)');
   });
 
-  // IPv6 normalization
-  obj = { a: '2001:0db8:0000:0000:0001:0000:0000:0001' };
-  obj_ext = { a: '2001:db8::1:0:0:1'};
-  v.check(obj_ext, function(err, cleaned) {
-    assert.ifError(err);
-    assert.deepEqual(cleaned, obj, 'IPv6 test and normalization');
+  // Validator doesn't choke on this in the way we expect it should.
+  // TODO(sfalvo): Fix validator.
+  // neg = {a: '2001:0db8:0:0:1:0:0:127.0.0.1'};
+  // v.check(neg, function(err, cleaned) {
+  //   console.error(err);
+  //   console.error(cleaned);
+  //   assert.deepEqual(err.message, 'Invalid IP', 'Malformed IPv6 address w/ embedded IPv4 address');
+  // });
+
+  neg = {a: '2001:0db8::1::1' };
+  v.check(neg, function(err, cleaned) {
+    assert.deepEqual(err.message, 'Invalid IP', 'IPv6 can only have at most one "::" symbol in it.');
   });
 
-  // net.isIP would claim this is invalid, despite it being valid ipv6
-  obj = { a: '1234::' };
-  v.check(obj, function(err, cleaned) {
-    assert.ifError(err);
+  neg = {a: '2001:0db8:0000:0000:0001:0000:0000'};
+  v.check(neg, function(err, cleaned) {
+    assert.deepEqual(err.message, 'Invalid IP', 'IPv6 coloned-octet notation requires eight hex words.');
+  });
+
+  neg = {a: '2001:0db8::1:0:0:00001' };
+  v.check(neg, function(err, cleaned) {
+    assert.deepEqual(err.message, 'Invalid IP', 'IPv6 hex groups can be at most 4 characters long.');
   });
+
+  var stack_attack = "";
+  var possible = "0123456789.:";
+  for(var i=0; i < 1048576; i++) {
+    stack_attack += possible.charAt(Math.floor(Math.random()*possible.length));
+  }
+  stack_attack = '1'+stack_attack;	// Make sure it starts with a digit
+
+  neg = {a: stack_attack};
+  v.check(neg, function(err, cleaned) {
+    assert.deepEqual(err.message, 'Invalid IP', 'Stack overflow attacks, to 1MB, should be rejected out of hand.');
+  });
+
+  neg = {a: '2001:0db8:0:0:1:0:0:'+stack_attack};
+  v.check(neg, function(err, cleaned) {
+    assert.deepEqual(err.message, 'Invalid IP', 'Stack overflow attacks, to 1MB, should be rejected out of hand.');
+  });
+
+  neg = {a: '192.168.0.'+stack_attack};
+  v.check(neg, function(err, cleaned) {
+    assert.deepEqual(err.message, 'Invalid IP', 'Stack overflow attacks, to 1MB, should be rejected out of hand.');
+  });
+
   test.finish();
 };