Merge a11e33d into 4a63619
Camilo QS committed Feb 23, 2018
2 parents 4a63619 + a11e33d commit d75d827
Showing 2 changed files with 70 additions and 17 deletions.
10 changes: 9 additions & 1 deletion routes/uploads.js
Expand Up @@ -62,7 +62,8 @@ var everyAuth = function(req, res, next) {

var uploadedFile = function(req, res, next) {
var slug = req.params[0],
ext = slug.match(/\.(.*)$/)[1],
file = _.isString(slug) && slug.match(/\.(.*)$/),
ext = _.isArray(file) ? file[1] : null,
type = extToType(ext),
Cls = typeToClass(type),
profile = req.principal,
Expand All @@ -72,6 +73,13 @@ var uploadedFile = function(req, res, next) {

Step(
function() {
if (!ext || !type) {
throw new HTTPError("Not allowed", 403);
}
this();
},
function(err) {
if (err) throw err;
Cls.search({_slug: slug}, this);
},
function(err, objs) {
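Review bot: The new guard at `if (!ext || !type)` checks the extension and the type but not `Cls`; if `typeToClass(type)` yields undefined for a type that `extToType` does recognize, the `Cls.search({_slug: slug}, this)` call in the next stage throws a TypeError, and Step would propagate that as a generic error instead of the intended 403 (typeToClass is outside the hunk, so this may be unreachable in practice). Extending the guard to `if (!ext || !type || !Cls) {` makes the stage self-contained and keeps every rejected slug on the 403 path. Note also that `slug.match(/\.(.*)$/)` captures everything after the first dot, so a slug such as `archive.tar.gz` hands `tar.gz` to `extToType`; that is pre-existing behavior, but the new guard now depends on it. uploadedFile's body continues outside the hunk.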
77 changes: 61 additions & 16 deletions test/upload-file-test.js
Expand Up @@ -188,22 +188,52 @@ suite.addBatch({
assert.ifError(err);
}
},
"and we get the file from the web interface without logging in": {
topic: function(doc, feed, pair, cl) {
var cred = makeCred(cl, pair),
browser = new Browser(),
"and we visit the uploads path from the web interface": {
topic: function(doc) {
var callback = this.callback;

httputil.head("http://localhost:4815/uploads/", callback);
},
"it works": function(err, res) {
assert.ifError(err);
},
"it has a status code of 403": function(err, res) {
assert.isNumber(res.statusCode);
assert.equal(res.statusCode, 403);
}
},
"and we try to get the non-public file with wrong extension from the web interface": {
topic: function(doc) {
var callback = this.callback,
url = doc.fullImage.url.split(".")[0];

httputil.head(url, callback);
},
"it works": function(err, res) {
assert.ifError(err);
},
"it has a status code of 403": function(err, res) {
assert.isNumber(res.statusCode);
assert.equal(res.statusCode, 403);
}
},
"and we get the non-public file from the web interface without logging in": {
topic: function(doc) {
var browser = new Browser(),
callback = this.callback,
url = doc.fullImage.url;

browser.visit(url, function(err) {
callback(err, browser);
});
httputil.head(url, callback);
},
"it works": function(err, res) {
assert.ifError(err);
},
"it fails correctly": function(err, br) {
br.assert.status(403);
"it has a status code of 403": function(err, res) {
assert.isNumber(res.statusCode);
assert.equal(res.statusCode, 403);
}
},
"and we login and try to get the file": {
"and we login and try to get the non-public file": {
topic: function(doc, feed, pair, cl) {
var browser = new Browser(),
callback = this.callback,
Expand All @@ -223,19 +253,34 @@ suite.addBatch({
br.assert.success();
},
"and we get the file from the web interface while logged in": {
topic: function(br, doc, feed, pair, cl) {
var cred = makeCred(cl, pair),
browser = br,
topic: function(br, doc) {
var browser = br,
callback = this.callback,
url = doc.fullImage.url;

browser.visit(url, function(err) {
callback(err, browser);
// when is false sends a new param for next test
// and don't use br.assert because send a browser
// as the new parameter for next test
callback(err || browser.status !== 200 || null);
});
},
"it works": function(err, br) {
"it works": function(err) {
assert.ifError(err);
br.assert.success();
},
"and we try to get the file with wrong extension from the web interface": {
topic: function(br, doc) {
var browser = br,
callback = this.callback,
url = doc.fullImage.url.split(".")[0];

browser.visit(url, function() {
callback(null, browser);
});
},
"it has a status code of 403": function(err, br) {
br.assert.status(403);
}
}
}
},
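Review bot: `callback(err || browser.status !== 200 || null);` in the logged-in topic passes the boolean `true` as the error whenever the status is not 200, so the `it works` assertion fails with an unhelpful message, and the three-line comment above it is hard to follow. Pass a real Error and state the intent plainly: `// pass only an error (no browser) so the nested topic keeps receiving the logged-in br first` followed by `callback(err || (browser.status !== 200 ? new Error("unexpected status " + browser.status) : null));`. Separately, `url = doc.fullImage.url.split(".")[0]` in both "wrong extension" topics truncates the URL at its first dot, which only strips the extension because the test host has no dots; `url.replace(/\.[^.\/]+$/, "")` would remove just the trailing extension. The enclosing suite.addBatch object starts and ends outside the hunks.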
