
Improved security.
ezzatron committed Jul 5, 2013
1 parent e9c8317 commit 740a509
Showing 4 changed files with 24 additions and 9 deletions.
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -101,7 +101,7 @@ This configuration would allow access to any user's timeline or statuses, with
the exclusion of Justin Bieber.

heroku config:set MOOCH_ALLOW='["^/1\\.1/statuses/user_timeline\\.json","^/1\\.1/statuses/show\\.json"]'
heroku config:set MOOCH_DENY='["justinbieber"]'
heroku config:set MOOCH_DENY='["\\bscreen_name=justinbieber\\b"]'

### Step 5: Deploy

17 changes: 13 additions & 4 deletions lib/Server.js


10 changes: 8 additions & 2 deletions src/Server.coffee
Expand Up @@ -7,6 +7,8 @@ For the full copyright and license information, please view the LICENSE
file that was distributed with this source code.
###

querystring = require 'querystring'
url = require 'url'
util = require 'util'
Logger = require './Logger'

Expand Down Expand Up @@ -116,11 +118,15 @@ module.exports = class Server
new Buffer(encodedRequestPair).toString 'base64'

_requestAllowed: (request) ->
uriParts = url.parse request.url
normalizedUri = url.format
pathname: decodeURIComponent uriParts.pathname
search: querystring.stringify querystring.parse uriParts.query
allowMatched = @_options.allow.length < 1
for pattern in @_options.allow
if request.url.match pattern
if normalizedUri.match pattern
allowMatched = true
break
return false if !allowMatched
return false for pattern in @_options.deny when request.url.match pattern
return false for pattern in @_options.deny when normalizedUri.match pattern
return true
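Review bot: `decodeURIComponent uriParts.pathname` throws a `URIError` on a malformed percent sequence (a lone `%` or a truncated escape), so for such a request `_requestAllowed` no longer returns false but raises, and what becomes of that exception depends on the caller, which is outside the hunk. An undecodable URL should be treated as denied: wrap the `url.format` call in `try`/`catch` and `return false` from the catch, as below. A comment above the normalization would also save the next reader a wrong assumption, e.g. `# Single decode pass: doubly-encoded input is matched in its once-decoded form, and patterns see the decoded path plus a re-stringified query`. Judging from the updated test, the `request` log line still records the raw `request.url` while the allow/deny patterns see `normalizedUri`; that is reasonable but worth stating in the same comment. The enclosing `class Server` continues outside the hunk.
```coffeescript
  _requestAllowed: (request) ->
    uriParts = url.parse request.url
    # A malformed percent-escape must not surface as a URIError; deny instead.
    try
      normalizedUri = url.format
        pathname: decodeURIComponent uriParts.pathname
        search: querystring.stringify querystring.parse uriParts.query
    catch error
      return false
    # … unchanged: allow-pattern loop, deny-pattern check, return true …
```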
4 changes: 2 additions & 2 deletions test/Server.test.coffee
Expand Up @@ -262,10 +262,10 @@ suite 'Server', =>

test 'does not allow paths matching the deny rules', (done) =>
options =
uri: util.format 'http://localhost:%d/path/to/bar', @port
uri: util.format 'http://localhost:%d/path/to/%62%61%72', @port

request options, (error, response, body) =>
assert.isNull error
sinon.assert.calledWith @logger.log, 'request', '%s "%s %s HTTP/%s" 403 -', '127.0.0.1', 'GET', '/path/to/bar', '1.1'
sinon.assert.calledWith @logger.log, 'request', '%s "%s %s HTTP/%s" 403 -', '127.0.0.1', 'GET', '/path/to/%62%61%72', '1.1'
assert.strictEqual body, '{"errors":[{"message":"Forbidden.","code":64}]}'
done()
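Review bot: The updated test only exercises path decoding (`/path/to/%62%61%72`); nothing covers the query-string branch of the normalization (`querystring.stringify querystring.parse uriParts.query`), which is the form the README's new deny example `\bscreen_name=justinbieber\b` relies on. A sibling test that sends a percent-encoded query value and expects the same 403 would pin that branch, for instance (constructed sample) `uri: util.format 'http://localhost:%d/path?name=%62%61%72', @port` against whatever deny pattern the suite's fixture configures, which is outside this hunk. A second case with a malformed escape such as `%E0%A4%A` would also document how the server is expected to respond when decoding fails.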
