1.0.0 #1
1.0.0 #1
Conversation
to fix error handler security vunerability
| node_js: | ||
| - "0.10" | ||
| - "0.12" | ||
| - "iojs" |
There was a problem hiding this comment.
iojs is no longer relevant, please add "4" (LTS) and "5" (stable) instead
|
@loay your coding style seems a bit inconsistent to me, some lines have trailing semi colon, some don't. Please add |
| /* istanbul ignore next */ | ||
| var defer = typeof setImmediate === 'function' | ||
| ? setImmediate | ||
| : function(fn){ process.nextTick(fn.bind.apply(fn, arguments)) } |
There was a problem hiding this comment.
Huh, why is this needed? setImmediate is always a function in Node.js 0.10 and newer.
|
Please use a different file name than |
| var util = require('util'); | ||
| var loopback = require('loopback'); | ||
|
|
||
| describe('strongErrorHandler() when debug is set to true', function() { |
There was a problem hiding this comment.
Uh, maintaining two copies of test cases that are mostly identical is a nightmare. It's difficult to tell what is specific for the case when debug==true and what's same for both.
Ideally, the tests should be written in such way, that tests for things like nosniff header that do not depend on debug will use the default value and should be written in such way that they pass regardless of what's the default value. Then there should be tests focused solely on debug:false, debug:true and debug:undefined.
There was a problem hiding this comment.
If you want to run the same set of tests with different config options, then create parameterised test suite instead:
var SCENARIOS = [
{ debug: false },
{ debug: true }
];
SCENARIOS.forEach(function(sc) {
describe('strongErrorHandler with ' + JSON.stringify(sc), function() {
// run the tests and use `sc.debug` for the debug option passed to `createServer`
}
}However, I think that's an overkill here.
| // json | ||
| } else if (type === 'json') { | ||
| var error = { message: err.message, stack: err.stack }; | ||
| for (var prop in err) error[prop] = err[prop]; |
There was a problem hiding this comment.
This does not follow the spec, please rework and add unit-tests too.
strongloop/loopback#1650 (comment)
JSON response fields
- debug:true - all error fields are sent in the HTTP response
- debug:false & status code is 4xx - the error object contains the following fields:
- name
- message - as provided by Error.message
- statusCode
- details
- + any fields from
options.safeFields
- debug:false & status code is 5xx or <400 or falsey - the error object
contains the following fields- statusCode
- message - the string from HTTP spec
- + any fields from
options.safeFields
There was a problem hiding this comment.
Also note that the rules outlined above applies to other content types too. I.e. the message should be always the string from HTTP spec when statusCode is not 4xx, regardless whether we render HTML, JSON or text.
There was a problem hiding this comment.
added the 3 conditions in JSON
|
@bajtos
|
|
@bajtos |
See the proposal in strongloop/loopback#1650 (comment) for details.
Connect to strongloop/loopback#1650