Merge pull request #138 from GluuFederation/137_sanitize_inputs

fix(routes.js): remove received input from error output msg

README.md

@@ -1,5 +1,9 @@
 # Inbound identity using Passport
 
+
+[![codecov](https://codecov.io/gh/GluuFederation/gluu-passport/branch/master/graph/badge.svg)](https://codecov.io/gh/GluuFederation/gluu-passport)
+
+
 Find the docs of this project at:
 
 - [Inbound SAML using Passport](https://gluu.org/docs/ce/authn-guide/passport/)

package.json

@@ -82,7 +82,7 @@
     "nock": "^13.0.2",
     "nyc": "^15.1.0",
     "rewire": "^5.0.0",
-    "sinon": "^9.0.2",
+    "sinon": "^9.2.1",
     "standard-version": "^9.0.0",
     "standardx": "^5.0.0",
     "supertest": "^4.0.2"
@@ -108,4 +108,4 @@
       "path": "./node_modules/cz-conventional-changelog"
     }
   }
-}
+}

server/routes.js

@@ -76,7 +76,7 @@ router.get('/auth/meta/idp/:idp',
           if (!fs.existsSync(safeFileFullPath)) {
             var EnoentError = `Requested metadata for ${metaFileName} not found`
             logger.log2('error', EnoentError)
-            res.status(404).send(EnoentError)
+            res.status(404).send('Requested metadata not found')
           } else {
             res.status(500).send(`An error occurred: ${err}`)
             logger.log2('error', err)
@@ -98,7 +98,8 @@ function validateProvider (req, res, next) {
     req.passportAuthenticateParams = providerConfData.passportAuthnParams
     next()
   } else {
-    webutil.handleError(req, res, `${provider} is not recognized as external identity provider`)
+    webutil.handleError(
+      req, res, 'The selected provider is not recognized as external identity provider')
   }
 }
 

test/routes.test.js

@@ -0,0 +1,38 @@
+const chai = require('chai')
+const assert = chai.assert
+const got = require('got')
+const sinon = require('sinon')
+const webUtils = require('../server/utils/web-utils')
+const InitMock = require('./testdata/init-mock')
+const initMock = new InitMock()
+
+afterEach(() => {
+  // Restore the default sandbox here
+  sinon.restore()
+})
+
+describe('Error message should not have inputs', () => {
+  before(() => {
+    initMock.errorHandlerEndpoint()
+  })
+  // initMock.errorHandlerEndpoint()
+  it('metadata request error should not have metaFileName', async () => {
+    const unexistantIdp = 'idonotexist'
+    const response = await got(
+        `http://127.0.0.1:8090/passport/auth/meta/idp/${unexistantIdp}`,
+        { throwHttpErrors: false }
+    )
+    assert.notInclude(response.body, unexistantIdp)
+  })
+  it('providers get routes should not throw error with provider name', async () => {
+    const webUtilsSpy = sinon.spy(webUtils, 'handleError')
+    const provider = 'idontexist'
+    const token = 'whateveRt0k3n'
+    await got(
+      `http://127.0.0.1:8090/passport/auth/${provider}/${token}`,
+      { throwHttpErrors: false }
+    )
+    sinon.assert.calledOnce(webUtilsSpy)
+    assert.notInclude(webUtilsSpy.getCall(0).lastArg, provider)
+  })
+})

test/testdata/init-mock.js

@@ -20,6 +20,7 @@ class InitMock {
       '_7673.FFB2.0429.E289.BE8F.91B6.5255.82BF'
     this._pct = 'd0a71780-877f-4edb-b002-592f61d9df72_F978.5DC2.' +
       '97F8.BA28.3B17.C447.C3FA.153D'
+    this._oxauthErrorHandlerPath = '/oxauth/auth/passport/passportlogin.htm'
   }
 
   get gluuUrl () {
@@ -28,6 +29,18 @@ class InitMock {
 
   // @todo: generate getters if needed
 
+  errorHandlerEndpoint () {
+    /**
+     * Dummy response
+     */
+    nock(this._gluuUrl, {
+      reqheaders: { host: this._gluuHostName }
+    })
+      .get(uri => uri.includes(`${this._oxauthErrorHandlerPath}?failure=`))
+      .reply(404, 'dummy response')
+      .persist()
+  }
+
   /**
    * Mock first UMA request, expected to return 401.
    * And headers w/ ticket and UMA config endpoint