From 34e9b48d2825faeec5baf661fa14f501d2942795 Mon Sep 17 00:00:00 2001 From: Alicia Lopez Date: Sat, 19 Mar 2022 11:45:43 -0700 Subject: [PATCH] fix: correct username and token validation The current username and token validation regular expressions will match any string. This adds tests and fixes the regular expressions. --- lib/auth.js | 32 ++++++++++++++++++++++++-------- test/unit/auth.test.js | 37 +++++++++++++++++++++++++++++++++++++ 2 files changed, 61 insertions(+), 8 deletions(-) diff --git a/lib/auth.js b/lib/auth.js index 2569b04..761d01c 100644 --- a/lib/auth.js +++ b/lib/auth.js @@ -1,4 +1,3 @@ -import assert from 'node:assert'; import fs from 'node:fs'; import { ClientRequest } from 'node:http'; import util from 'node:util'; @@ -11,9 +10,27 @@ const ghauth = util.promisify(ghauthBase); export default lazy(auth); +function errorExit(message) { + process.stderr.write(`${message}\n`); + process.exit(1); +} + function check(username, token) { - assert(typeof username === 'string' && /^[a-zA-Z0-9]*/.test(username)); - assert(typeof token === 'string' && /^[0-9a-f]*/.test(token)); + if (typeof username !== 'string') { + errorExit(`username must be a string, received ${typeof username}`); + } + if (!/^[a-zA-Z0-9-]+$/.test(username)) { + errorExit( + 'username may only contain alphanumeric characters or hyphens, ' + + `received ${username}` + ); + } + if (typeof token !== 'string') { + errorExit(`token must be a string, received ${typeof token}`); + } + if (!/^[0-9a-f]+$/.test(token)) { + errorExit(`token must be lowercase hexadecimal, received ${token}`); + } } function lazy(fn) { @@ -36,8 +53,7 @@ async function tryCreateGitHubToken(githubAuth) { note: 'node-core-utils CLI tools' }); } catch (e) { - process.stderr.write(`Could not get token: ${e.message}\n`); - process.exit(1); + errorExit(`Could not get token: ${e.message}`); } return credentials; } @@ -84,11 +100,11 @@ async function auth( if (options.jenkins) { const { username, jenkins_token } = getMergedConfig(); if (!username || !jenkins_token) { - process.stdout.write( + errorExit( 'Get your Jenkins API token in https://ci.nodejs.org/me/configure ' + 'and run the following command to add it to your ncu config: ' + - 'ncu-config --global set jenkins_token TOKEN\n'); - process.exit(1); + 'ncu-config --global set jenkins_token TOKEN' + ); }; check(username, jenkins_token); result.jenkins = encode(username, jenkins_token); diff --git a/test/unit/auth.test.js b/test/unit/auth.test.js index ea68aea..589de00 100644 --- a/test/unit/auth.test.js +++ b/test/unit/auth.test.js @@ -70,6 +70,43 @@ describe('auth', async function() { 'Could not get token: Bad credentials\n', 'run-auth-error' ); }); + + it('does not accept a non-string username', async function() { + this.timeout(2000); + await runAuthScript( + { HOME: { username: {}, token: '0123456789abcdef' } }, + [], + 'username must be a string, received object\n' + ); + }); + + it('does not accept a non-string token', async function() { + this.timeout(2000); + await runAuthScript( + { HOME: { username: 'nyancat', token: 42 } }, + [], + 'token must be a string, received number\n' + ); + }); + + it('does not accept an invalid username format', async function() { + this.timeout(2000); + await runAuthScript( + { HOME: { username: ' ^^^ ', token: '0123456789abcdef' } }, + [], + 'username may only contain alphanumeric characters or hyphens, ' + + 'received ^^^ \n' + ); + }); + + it('does not accept an invalid token format', async function() { + this.timeout(2000); + await runAuthScript( + { HOME: { username: 'nyancat', token: '0123456789ABCDEF' } }, + [], + 'token must be lowercase hexadecimal, received 0123456789ABCDEF\n' + ); + }); }); // ncurc: { HOME: 'text to put in home ncurc',