Move hapi security tests here #32

hueniverse opened this issue Aug 7, 2015 · 1 comment
@hueniverse hueniverse commented Aug 7, 2015

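    // Shared fixture for the directory-handler security cases below: a fresh
    // server that serves './directory' on a catch-all '/{path*}' route. Each
    // case injects one crafted request path and pins the status the handler
    // must answer with, so that a regression in path normalization shows up as
    // an exact status-code mismatch rather than a silent file read.
    var provisionServer = function () {

        var server = new Hapi.Server();
        server.connection();
        server.route({ method: 'GET', path: '/{path*}', handler: { directory: { path: './directory' } } });
        return server;
    };

    // Injects `path` into a freshly provisioned server, asserts that the
    // response carries `statusCode`, then signals completion via `done`.
    var expectStatus = function (path, statusCode, done) {

        provisionServer().inject(path, function (res) {

            expect(res.statusCode).to.equal(statusCode);
            done();
        });
    };

    it('blocks path traversal to files outside of hosted directory is not allowed with null byte injection', function (done) {

        // '%00' decodes to a NUL byte ahead of the '..' segment.
        expectStatus('/%00/../security.js', 403, done);
    });

    it('blocks path traversal to files outside of hosted directory is not allowed', function (done) {

        // Plain '..' segment, no encoding tricks.
        expectStatus('/../security.js', 403, done);
    });

    it('blocks path traversal to files outside of hosted directory is not allowed with encoded slash', function (done) {

        // '%2F' is a percent-encoded '/'.
        expectStatus('/..%2Fsecurity.js', 403, done);
    });

    it('blocks path traversal to files outside of hosted directory is not allowed with double encoded slash', function (done) {

        // '%252F' is '%2F' with its '%' encoded once more; a single decode
        // pass yields '%2F', a second yields '/'.
        expectStatus('/..%252Fsecurity.js', 403, done);
    });

    it('blocks path traversal to files outside of hosted directory is not allowed with unicode encoded slash', function (done) {

        // U+2216 (SET MINUS) is a visual look-alike of the path separator.
        expectStatus('/..\u2216security.js', 403, done);
    });

    it('blocks null byte injection when serving a file', function (done) {

        // NUL inside the file name (no traversal) is expected to be treated
        // as a missing file rather than forbidden.
        expectStatus('/index%00.html', 404, done);
    });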
@hueniverse hueniverse added the test label Aug 7, 2015
@hueniverse hueniverse commented Aug 7, 2015

Didn't do a PR so you can decide where you want to put these.

@kanongil kanongil added this to the 3.0.1 milestone Aug 12, 2015
@kanongil kanongil self-assigned this Aug 12, 2015
@kanongil kanongil closed this in 1efdf42 Aug 12, 2015