fix: fix an issue if you had no allowed PUT/DELETE paths for static
uploads
This commit is contained in:
parent
da30c60896
commit
a9f3fd9167
4 changed files with 122 additions and 21 deletions
|
|
@ -82,8 +82,11 @@ Deno.test({
|
|||
let test_server_info: EPHEMERAL_SERVER | null = null;
|
||||
const cwd = Deno.cwd();
|
||||
|
||||
const PREVIOUS_PUT_PATHS_ALLOWED = Deno.env.get('SERVERUS_PUT_PATHS_ALLOWED');
|
||||
const PREVIOUS_DELETE_PATHS_ALLOWED = Deno.env.get('SERVERUS_DELETE_PATHS_ALLOWED');
|
||||
try {
|
||||
Deno.chdir('./tests/www');
|
||||
Deno.env.delete('SERVERUS_PUT_PATHS_ALLOWED');
|
||||
test_server_info = await get_ephemeral_listen_server();
|
||||
|
||||
const response = await fetch(`http://${test_server_info.hostname}:${test_server_info.port}/test.txt`, {
|
||||
|
|
@ -94,9 +97,85 @@ Deno.test({
|
|||
|
||||
asserts.assert(response.ok);
|
||||
asserts.assert(response.headers);
|
||||
asserts.assertEquals(response.headers.get('Allow'), ['DELETE', 'GET', 'HEAD', 'OPTIONS', 'PUT'].join(','));
|
||||
asserts.assertEquals(response.headers.get('Allow'), ['GET', 'HEAD', 'OPTIONS'].join(','));
|
||||
|
||||
await test_server_info.server.stop();
|
||||
|
||||
Deno.env.set('SERVERUS_PUT_PATHS_ALLOWED', '.');
|
||||
Deno.env.set('SERVERUS_DELETE_PATHS_ALLOWED', '.');
|
||||
|
||||
test_server_info = await get_ephemeral_listen_server();
|
||||
|
||||
const expanded_response = await fetch(`http://${test_server_info.hostname}:${test_server_info.port}/test.txt`, {
|
||||
method: 'OPTIONS'
|
||||
});
|
||||
|
||||
await expanded_response.text();
|
||||
|
||||
asserts.assert(expanded_response.ok);
|
||||
asserts.assert(expanded_response.headers);
|
||||
asserts.assertEquals(expanded_response.headers.get('Allow'), ['DELETE', 'GET', 'HEAD', 'OPTIONS', 'PUT'].join(','));
|
||||
} finally {
|
||||
Deno.chdir(cwd);
|
||||
if (PREVIOUS_PUT_PATHS_ALLOWED) {
|
||||
Deno.env.set('SERVERUS_PUT_PATHS_ALLOWED', PREVIOUS_PUT_PATHS_ALLOWED);
|
||||
} else {
|
||||
Deno.env.delete('SERVERUS_PUT_PATHS_ALLOWED');
|
||||
}
|
||||
if (PREVIOUS_DELETE_PATHS_ALLOWED) {
|
||||
Deno.env.set('SERVERUS_DELETE_PATHS_ALLOWED', PREVIOUS_DELETE_PATHS_ALLOWED);
|
||||
} else {
|
||||
Deno.env.delete('SERVERUS_DELETE_PATHS_ALLOWED');
|
||||
}
|
||||
if (test_server_info) {
|
||||
await test_server_info?.server?.stop();
|
||||
}
|
||||
}
|
||||
}
|
||||
});
|
||||
|
||||
Deno.test({
|
||||
name: 'DISallow PUT to static files if SERVERUS_PUT_PATHS_ALLOWED is UNset',
|
||||
permissions: {
|
||||
env: true,
|
||||
read: true,
|
||||
write: true,
|
||||
net: true
|
||||
},
|
||||
|
||||
sanitizeResources: false,
|
||||
sanitizeOps: false,
|
||||
|
||||
fn: async () => {
|
||||
let test_server_info: EPHEMERAL_SERVER | null = null;
|
||||
const cwd = Deno.cwd();
|
||||
|
||||
const PREVIOUS_PUT_PATHS_ALLOWED = Deno.env.get('SERVERUS_PUT_PATHS_ALLOWED');
|
||||
try {
|
||||
Deno.chdir('./tests/www');
|
||||
Deno.env.delete('SERVERUS_PUT_PATHS_ALLOWED');
|
||||
|
||||
test_server_info = await get_ephemeral_listen_server();
|
||||
|
||||
const put_body = new FormData();
|
||||
put_body.append('file', new File(['this is a test PUT upload'], 'test_put_upload.txt'));
|
||||
|
||||
// Sending a single file
|
||||
const put_response = await fetch(`http://${test_server_info.hostname}:${test_server_info.port}/files/test_put_upload.txt`, {
|
||||
method: 'PUT',
|
||||
body: put_body
|
||||
});
|
||||
|
||||
asserts.assert(!put_response.ok);
|
||||
asserts.assertEquals(put_response.status, 400);
|
||||
} finally {
|
||||
Deno.chdir(cwd);
|
||||
if (PREVIOUS_PUT_PATHS_ALLOWED) {
|
||||
Deno.env.set('SERVERUS_PUT_PATHS_ALLOWED', PREVIOUS_PUT_PATHS_ALLOWED);
|
||||
} else {
|
||||
Deno.env.delete('SERVERUS_PUT_PATHS_ALLOWED');
|
||||
}
|
||||
|
||||
if (test_server_info) {
|
||||
await test_server_info?.server?.stop();
|
||||
}
|
||||
|
|
@ -311,9 +390,11 @@ Deno.test({
|
|||
let test_server_info: EPHEMERAL_SERVER | null = null;
|
||||
const cwd = Deno.cwd();
|
||||
|
||||
const PREVIOUS_PUT_PATHS_ALLOWED = Deno.env.get('SERVERUS_PUT_PATHS_ALLOWED');
|
||||
const PREVIOUS_DELETE_PATHS_ALLOWED = Deno.env.get('SERVERUS_DELETE_PATHS_ALLOWED');
|
||||
try {
|
||||
Deno.chdir('./tests/www');
|
||||
Deno.env.set('SERVERUS_PUT_PATHS_ALLOWED', path.join(Deno.cwd(), 'files'));
|
||||
Deno.env.set('SERVERUS_DELETE_PATHS_ALLOWED', path.join(Deno.cwd(), 'files'));
|
||||
|
||||
test_server_info = await get_ephemeral_listen_server();
|
||||
|
|
@ -381,6 +462,11 @@ Deno.test({
|
|||
asserts.assert(!fs.existsSync(local_upload_path));
|
||||
} finally {
|
||||
Deno.chdir(cwd);
|
||||
if (PREVIOUS_PUT_PATHS_ALLOWED) {
|
||||
Deno.env.set('SERVERUS_PUT_PATHS_ALLOWED', PREVIOUS_PUT_PATHS_ALLOWED);
|
||||
} else {
|
||||
Deno.env.delete('SERVERUS_PUT_PATHS_ALLOWED');
|
||||
}
|
||||
if (PREVIOUS_DELETE_PATHS_ALLOWED) {
|
||||
Deno.env.set('SERVERUS_DELETE_PATHS_ALLOWED', PREVIOUS_DELETE_PATHS_ALLOWED);
|
||||
} else {
|
||||
|
|
@ -410,9 +496,11 @@ Deno.test({
|
|||
let test_server_info: EPHEMERAL_SERVER | null = null;
|
||||
const cwd = Deno.cwd();
|
||||
|
||||
const PREVIOUS_PUT_PATHS_ALLOWED = Deno.env.get('SERVERUS_PUT_PATHS_ALLOWED');
|
||||
const PREVIOUS_DELETE_PATHS_ALLOWED = Deno.env.get('SERVERUS_DELETE_PATHS_ALLOWED');
|
||||
try {
|
||||
Deno.chdir('./tests/www');
|
||||
Deno.env.set('SERVERUS_PUT_PATHS_ALLOWED', path.join(Deno.cwd(), 'files'));
|
||||
Deno.env.set('SERVERUS_DELETE_PATHS_ALLOWED', path.join(Deno.cwd(), 'files'));
|
||||
|
||||
test_server_info = await get_ephemeral_listen_server();
|
||||
|
|
@ -464,6 +552,11 @@ Deno.test({
|
|||
asserts.assert(!fs.existsSync(path.dirname(local_upload_path)));
|
||||
} finally {
|
||||
Deno.chdir(cwd);
|
||||
if (PREVIOUS_PUT_PATHS_ALLOWED) {
|
||||
Deno.env.set('SERVERUS_PUT_PATHS_ALLOWED', PREVIOUS_PUT_PATHS_ALLOWED);
|
||||
} else {
|
||||
Deno.env.delete('SERVERUS_PUT_PATHS_ALLOWED');
|
||||
}
|
||||
if (PREVIOUS_DELETE_PATHS_ALLOWED) {
|
||||
Deno.env.set('SERVERUS_DELETE_PATHS_ALLOWED', PREVIOUS_DELETE_PATHS_ALLOWED);
|
||||
} else {
|
||||
|
|
@ -495,8 +588,13 @@ Deno.test({
|
|||
|
||||
const static_file_handler = await import('../handlers/static.ts');
|
||||
const PREVIOUS_PRECHECKS = static_file_handler.PRECHECKS.PUT?.slice(0);
|
||||
const PREVIOUS_PUT_PATHS_ALLOWED = Deno.env.get('SERVERUS_PUT_PATHS_ALLOWED');
|
||||
const PREVIOUS_DELETE_PATHS_ALLOWED = Deno.env.get('SERVERUS_DELETE_PATHS_ALLOWED');
|
||||
|
||||
try {
|
||||
Deno.chdir('./tests/www');
|
||||
Deno.env.set('SERVERUS_PUT_PATHS_ALLOWED', path.join(Deno.cwd(), 'files'));
|
||||
Deno.env.set('SERVERUS_DELETE_PATHS_ALLOWED', path.join(Deno.cwd(), 'files'));
|
||||
test_server_info = await get_ephemeral_listen_server();
|
||||
|
||||
const PRECHECKS = static_file_handler.PRECHECKS.PUT = PREVIOUS_PRECHECKS ? [...PREVIOUS_PRECHECKS] : [];
|
||||
|
|
@ -584,6 +682,16 @@ Deno.test({
|
|||
if (PREVIOUS_PRECHECKS) {
|
||||
static_file_handler.PRECHECKS.PUT = PREVIOUS_PRECHECKS;
|
||||
}
|
||||
if (PREVIOUS_PUT_PATHS_ALLOWED) {
|
||||
Deno.env.set('SERVERUS_PUT_PATHS_ALLOWED', PREVIOUS_PUT_PATHS_ALLOWED);
|
||||
} else {
|
||||
Deno.env.delete('SERVERUS_PUT_PATHS_ALLOWED');
|
||||
}
|
||||
if (PREVIOUS_DELETE_PATHS_ALLOWED) {
|
||||
Deno.env.set('SERVERUS_DELETE_PATHS_ALLOWED', PREVIOUS_DELETE_PATHS_ALLOWED);
|
||||
} else {
|
||||
Deno.env.delete('SERVERUS_DELETE_PATHS_ALLOWED');
|
||||
}
|
||||
Deno.chdir(cwd);
|
||||
if (test_server_info) {
|
||||
await test_server_info?.server?.stop();
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue