From f78c575cd2d00066fb0bc29182a1cf3e1f9a8c96 Mon Sep 17 00:00:00 2001 From: bourgeoa Date: Sun, 6 Mar 2022 23:54:44 +0100 Subject: [PATCH 1/2] reject url with %2F --- lib/resource-mapper.js | 2 ++ test/unit/resource-mapper-test.js | 12 ++++++++++-- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/lib/resource-mapper.js b/lib/resource-mapper.js index 3da8bf01c..3e660fcc2 100644 --- a/lib/resource-mapper.js +++ b/lib/resource-mapper.js @@ -153,11 +153,13 @@ class ResourceMapper { _parseUrl (url) { // URL specified as string if (typeof url === 'string') { + if (url.includes('%2F')) throw new Error('Url cannot contain %2F (%encoded /)') return URL.parse(url) } // URL specified as Express request object if (!url.pathname && url.path) { const { hostname, path } = url + if (path.includes('%2F')) throw new Error('Url cannot contain %2F (%encoded /)') return { hostname, pathname: path.replace(/[?#].*/, '') } } // URL specified as object diff --git a/test/unit/resource-mapper-test.js b/test/unit/resource-mapper-test.js index bfd0dfc7e..50376dcc1 100644 --- a/test/unit/resource-mapper-test.js +++ b/test/unit/resource-mapper-test.js @@ -226,7 +226,7 @@ describe('ResourceMapper', () => { itMapsUrl(mapper, 'a URL of a new file with encoded characters', { - url: 'http://localhost/space%2Ffoo%20bar%20bar.html', + url: 'http://localhost/space/foo%20bar%20bar.html', contentType: 'text/html', createIfNotExists: true }, @@ -235,6 +235,14 @@ describe('ResourceMapper', () => { contentType: 'text/html' }) + itMapsUrl(mapper, 'a URL of a new file with encoded characters', + { + url: 'http://localhost/space%2Ffoo%20bar%20bar.html', + contentType: 'text/html', + createIfNotExists: true + }, + new Error('Url cannot contain %2F (%encoded /)')) + itMapsUrl(mapper, 'a URL of an existing .acl file', { url: 'http://localhost/space/.acl' @@ -413,7 +421,7 @@ describe('ResourceMapper', () => { { url: 'http://localhost/space%2F..%2Fbar' }, - new Error('Disallowed /.. segment in URL')) + new Error('Url cannot contain %2F (%encoded /)')) // File to URL mapping From 724d6f47f45e294bdecdd74c9194e35dfb41f4ac Mon Sep 17 00:00:00 2001 From: bourgeoa Date: Mon, 7 Mar 2022 17:08:26 +0100 Subject: [PATCH 2/2] update following comments --- lib/resource-mapper.js | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/lib/resource-mapper.js b/lib/resource-mapper.js index 3e660fcc2..e77d155c8 100644 --- a/lib/resource-mapper.js +++ b/lib/resource-mapper.js @@ -151,19 +151,21 @@ class ResourceMapper { // Parses a URL into hostname and pathname _parseUrl (url) { + let parsed // URL specified as string if (typeof url === 'string') { - if (url.includes('%2F')) throw new Error('Url cannot contain %2F (%encoded /)') - return URL.parse(url) - } + parsed = URL.parse(url) // URL specified as Express request object - if (!url.pathname && url.path) { + } else if (!url.pathname && url.path) { const { hostname, path } = url - if (path.includes('%2F')) throw new Error('Url cannot contain %2F (%encoded /)') - return { hostname, pathname: path.replace(/[?#].*/, '') } - } + parsed = { hostname, pathname: path.replace(/[?#].*/, '') } // URL specified as object - return url + } else { + parsed = url + } + // reject Url containning %encoded / + if (parsed.pathname.includes('%2F')) throw new Error('Url cannot contain %2F (%encoded /)') + return parsed } // Gets the expected content type based on the extension of the path