fix: handle uploads of filenames that require uri encoding
This commit is contained in:
parent
a9f3fd9167
commit
278a39a47b
3 changed files with 94 additions and 2 deletions
|
|
@ -1,7 +1,7 @@
|
||||||
{
|
{
|
||||||
"name": "@andyburke/serverus",
|
"name": "@andyburke/serverus",
|
||||||
"description": "A flexible HTTP server for mixed content. Throw static files, markdown, Typescript and (hopefully, eventually) more into a directory and serverus can serve it up a bit more like old-school CGI.",
|
"description": "A flexible HTTP server for mixed content. Throw static files, markdown, Typescript and (hopefully, eventually) more into a directory and serverus can serve it up a bit more like old-school CGI.",
|
||||||
"version": "0.12.3",
|
"version": "0.12.4",
|
||||||
"license": "MIT",
|
"license": "MIT",
|
||||||
"exports": {
|
"exports": {
|
||||||
".": "./serverus.ts",
|
".": "./serverus.ts",
|
||||||
|
|
|
||||||
|
|
@ -124,7 +124,7 @@ export const HANDLERS: Partial<Record<HTTP_METHOD, HANDLER_METHOD>> = {
|
||||||
}
|
}
|
||||||
|
|
||||||
for await (const file of files) {
|
for await (const file of files) {
|
||||||
const filename: string = file.name ?? path.basename(normalized_path);
|
const filename: string = file.name ? decodeURIComponent(file.name) : path.basename(normalized_path);
|
||||||
const resolved_upload_name = path.resolve(path.join(upload_directory, filename));
|
const resolved_upload_name = path.resolve(path.join(upload_directory, filename));
|
||||||
|
|
||||||
if (!resolved_upload_name.startsWith(root)) {
|
if (!resolved_upload_name.startsWith(root)) {
|
||||||
|
|
|
||||||
|
|
@ -275,6 +275,98 @@ Deno.test({
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
|
|
||||||
|
Deno.test({
|
||||||
|
name: 'ensure filenames with HTML escapes work',
|
||||||
|
permissions: {
|
||||||
|
env: true,
|
||||||
|
read: true,
|
||||||
|
write: true,
|
||||||
|
net: true
|
||||||
|
},
|
||||||
|
|
||||||
|
sanitizeResources: false,
|
||||||
|
sanitizeOps: false,
|
||||||
|
|
||||||
|
fn: async () => {
|
||||||
|
let test_server_info: EPHEMERAL_SERVER | null = null;
|
||||||
|
const cwd = Deno.cwd();
|
||||||
|
|
||||||
|
const PREVIOUS_PUT_PATHS_ALLOWED = Deno.env.get('SERVERUS_PUT_PATHS_ALLOWED');
|
||||||
|
try {
|
||||||
|
Deno.chdir('./tests/www');
|
||||||
|
Deno.env.set('SERVERUS_PUT_PATHS_ALLOWED', path.join(Deno.cwd(), 'files'));
|
||||||
|
|
||||||
|
test_server_info = await get_ephemeral_listen_server();
|
||||||
|
|
||||||
|
const put_body = new FormData();
|
||||||
|
let test_file: File | undefined = new File(['this is a test upload with strange filename'], encodeURIComponent('2Q==(30).txt'));
|
||||||
|
put_body.append('file', test_file);
|
||||||
|
|
||||||
|
// Sending a single file
|
||||||
|
const put_response = await fetch(`http://${test_server_info.hostname}:${test_server_info.port}/files/2Q==(30).txt`, {
|
||||||
|
method: 'PUT',
|
||||||
|
body: put_body
|
||||||
|
});
|
||||||
|
|
||||||
|
asserts.assert(put_response.ok);
|
||||||
|
|
||||||
|
const put_response_body = await put_response.json();
|
||||||
|
asserts.assert(put_response_body);
|
||||||
|
asserts.assert(put_response_body.written);
|
||||||
|
asserts.assertEquals(
|
||||||
|
put_response_body.written?.[0],
|
||||||
|
`http://${test_server_info.hostname}:${test_server_info.port}/files/2Q==(30).txt`
|
||||||
|
);
|
||||||
|
|
||||||
|
put_body.delete('file');
|
||||||
|
test_file = undefined;
|
||||||
|
|
||||||
|
const get_response = await fetch(`http://${test_server_info.hostname}:${test_server_info.port}/files/2Q==(30).txt`, {
|
||||||
|
method: 'GET'
|
||||||
|
});
|
||||||
|
|
||||||
|
asserts.assert(get_response.ok);
|
||||||
|
asserts.assert(get_response.body);
|
||||||
|
|
||||||
|
const local_download_path = path.join(Deno.cwd(), 'files', '2Q==(30).txt-downloaded');
|
||||||
|
await ensureFile(local_download_path);
|
||||||
|
|
||||||
|
const file = await Deno.open(local_download_path, { truncate: true, write: true });
|
||||||
|
await get_response.body.pipeTo(file.writable);
|
||||||
|
|
||||||
|
const download_content = await Deno.readTextFile(local_download_path);
|
||||||
|
asserts.assert(download_content);
|
||||||
|
asserts.assertEquals(download_content, 'this is a test upload with strange filename');
|
||||||
|
|
||||||
|
await Deno.remove(local_download_path);
|
||||||
|
asserts.assert(!fs.existsSync(local_download_path));
|
||||||
|
|
||||||
|
const local_upload_path = path.join(Deno.cwd(), 'files', '2Q==(30).txt');
|
||||||
|
asserts.assert(fs.existsSync(local_upload_path));
|
||||||
|
|
||||||
|
const stat = await Deno.lstat(local_upload_path);
|
||||||
|
asserts.assert(stat);
|
||||||
|
asserts.assert(stat.isFile);
|
||||||
|
asserts.assertEquals(stat.size, 43);
|
||||||
|
asserts.assertEquals(stat.mode! & 0o777, 0o755);
|
||||||
|
|
||||||
|
await Deno.remove(local_upload_path);
|
||||||
|
asserts.assert(!fs.existsSync(local_upload_path));
|
||||||
|
} finally {
|
||||||
|
Deno.chdir(cwd);
|
||||||
|
if (PREVIOUS_PUT_PATHS_ALLOWED) {
|
||||||
|
Deno.env.set('SERVERUS_PUT_PATHS_ALLOWED', PREVIOUS_PUT_PATHS_ALLOWED);
|
||||||
|
} else {
|
||||||
|
Deno.env.delete('SERVERUS_PUT_PATHS_ALLOWED');
|
||||||
|
}
|
||||||
|
|
||||||
|
if (test_server_info) {
|
||||||
|
await test_server_info?.server?.stop();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
});
|
||||||
|
|
||||||
Deno.test({
|
Deno.test({
|
||||||
name: 'allow PUT to multiple files in a directory',
|
name: 'allow PUT to multiple files in a directory',
|
||||||
permissions: {
|
permissions: {
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue