Merge 79e8854 into 0c9bfe8

moscajs · Jul 21, 2017 · ef69210 · ef69210
2 parents 0c9bfe8 + 79e8854
commit ef69210
Show file tree

Hide file tree

Showing 3 changed files with 125 additions and 0 deletions.
diff --git a/lib/handlers/publish.js b/lib/handlers/publish.js
@@ -17,6 +17,22 @@ var publishActions = [
   enqueuePublish
 ]
 function handlePublish (client, packet, done) {
+  var topic = packet.topic
+  var err
+  if (topic.length === 0) {
+    err = new Error('empty topic not allowed in PUBLISH')
+    return done(err)
+  }
+  for (var i = 0; i < topic.length; i++) {
+    switch (topic.charCodeAt(i)) {
+      case 35:
+        err = new Error('# is not allowed in PUBLISH')
+        return done(err)
+      case 43:
+        err = new Error('+ is not allowed in PUBLISH')
+        return done(err)
+    }
+  }
   client.broker._series(client, publishActions, packet, done)
 }
 

diff --git a/lib/handlers/subscribe.js b/lib/handlers/subscribe.js
@@ -36,6 +36,33 @@ function doSubscribe (sub, done) {
 
 function authorize (sub, done) {
   var client = this.client
+  var topic = sub.topic
+  var end = topic.length - 1
+  var endMinus = end - 1
+  var err
+  var slashInPreEnd = endMinus > 0 && topic.charCodeAt(endMinus) !== 47
+  if (topic.length === 0) {
+    return done(new Error('impossible to subscribe to an empty topic'))
+  }
+  for (var i = 0; i < topic.length; i++) {
+    switch (topic.charCodeAt(i)) {
+      case 35:
+        var notAtTheEnd = i !== end
+        if (notAtTheEnd || slashInPreEnd) {
+          err = new Error('# is only allowed in SUBSCRIBE in the last position')
+          return done(err)
+        }
+        break
+      case 43:
+        var pastChar = i < end - 1 && topic.charCodeAt(i + 1) !== 47
+        var preChar = i > 1 && topic.charCodeAt(i - 1) !== 47
+        if (pastChar || preChar) {
+          err = new Error('+ is only allowed in SUBSCRIBE between /')
+          return done(err)
+        }
+        break
+    }
+  }
   client.broker.authorizeSubscribe(client, sub, done)
 }
 

diff --git a/test/basic.js b/test/basic.js
@@ -486,3 +486,85 @@ test('avoid wrong deduping of retain messages', function (t) {
 
   publisher.inStream.write(expected)
 })
+
+test('publish empty topic', function (t) {
+  var s = connect(setup())
+
+  subscribe(t, s, '#', 0, function () {
+    s.outStream.once('data', function (packet) {
+      t.fail('no packet')
+      t.end()
+    })
+
+    s.inStream.write({
+      cmd: 'publish',
+      topic: '',
+      payload: 'world'
+    })
+  })
+
+  eos(s.conn, function () {
+    t.equal(s.broker.connectedClients, 0, 'no connected clients')
+    t.end()
+  })
+})
+
+test('publish invalid topic with #', function (t) {
+  var s = connect(setup())
+
+  subscribe(t, s, '#', 0, function () {
+    s.outStream.once('data', function (packet) {
+      t.fail('no packet')
+      t.end()
+    })
+
+    s.inStream.write({
+      cmd: 'publish',
+      topic: 'hello/#',
+      payload: 'world'
+    })
+  })
+
+  s.broker.on('clientError', function () {
+    t.end()
+  })
+})
+
+test('publish invalid topic with +', function (t) {
+  var s = connect(setup())
+
+  subscribe(t, s, '#', 0, function () {
+    s.outStream.once('data', function (packet) {
+      t.fail('no packet')
+    })
+
+    s.inStream.write({
+      cmd: 'publish',
+      topic: 'hello/+/eee',
+      payload: 'world'
+    })
+  })
+
+  s.broker.on('clientError', function () {
+    t.end()
+  })
+})
+
+;['base/#/sub', 'base/#sub', 'base/sub#', 'base/xyz+/sub', 'base/+xyz/sub'].forEach(function (topic) {
+  test('subscribe to invalid topic with "' + topic + '"', function (t) {
+    var s = connect(setup())
+
+    s.broker.on('clientError', function () {
+      t.end()
+    })
+
+    s.inStream.write({
+      cmd: 'subscribe',
+      messageId: 24,
+      subscriptions: [{
+        topic: topic,
+        qos: 0
+      }]
+    })
+  })
+})