fix: reject dangerous url characters (--open) (#2258)
fixes #2257
tripodsan authored Oct 18, 2023
1 parent 788bf4d commit 25df8e8
Showing 2 changed files with 19 additions and 2 deletions.
3 changes: 3 additions & 0 deletions src/abstract-server.cmd.js
Expand Up @@ -137,6 +137,9 @@ export class AbstractServerCommand extends AbstractCommand {
if (url.protocol !== 'http:' && url.protocol !== 'https:') {
throw Error(`refuse to open non http(s) url (--open): ${url}`);
}
if (!url.href.match(/^[a-zA-Z0-9._:/?%=&-]+$/)) {
throw Error(`refuse to open unsafe url (--open): ${url}`);
}
this.log.info(`opening default browser: ${url.href}`);
await opn(url.href);
}
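Review bot: The allow-list on the added `url.href.match(...)` line still admits `&` and `%`, both of which are meaningful to cmd.exe (`&` separates commands, `%NAME%` expands environment variables), so on Windows the remaining protection rests on how the `opn` version in use quotes its argument rather than on this regex alone — worth confirming before treating the check as the guarantee. The same character class rejects `[`, `]` and `#`, so an IPv6 literal host such as `http://[::1]:3000/` and any fragment are now refused; that may be intended, but it is not stated anywhere. I would hoist the pattern to a named constant with a one-line rationale, e.g. `// allow-list of URL characters considered safe to hand to a shell-launched browser` and `const SAFE_URL_RE = /^[a-zA-Z0-9._:/?%=&-]+$/;`, and note that the check runs on the WHATWG-serialised `href`, so characters the parser percent-encodes (space, `"`) pass as `%20`/`%22`. The enclosing `open` method starts above the hunk.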
18 changes: 16 additions & 2 deletions test/abstract-server-cmd.test.js
Expand Up @@ -30,6 +30,20 @@ describe('AbstractServerCommand test', () => {
await assert.rejects(cmd.open('file://etc/passwd'), Error('refuse to open non http(s) url (--open): file://etc/passwd'));
});

it('open rejects invalid hostname argument', async () => {
const cmd = new AbstractServerCommand();
// eslint-disable-next-line no-underscore-dangle
cmd._project = { server: { hostname: 'localhost', scheme: 'http', port: 3000 } };
await assert.rejects(cmd.open('https://$(calc.exe)'), Error('refuse to open unsafe url (--open): https://$(calc.exe)/'));
});

it('open rejects invalid url argument', async () => {
const cmd = new AbstractServerCommand();
// eslint-disable-next-line no-underscore-dangle
cmd._project = { server: { hostname: 'localhost', scheme: 'http', port: 3000 } };
await assert.rejects(cmd.open('/"; Start calc.exe; echo "foo'), Error('refuse to open unsafe url (--open): http://localhost:3000/%22;%20Start%20calc.exe;%20echo%20%22foo'));
});

it('constructs valid url from path', async () => {
let opened;
const { AbstractServerCommand: MockedCommand } = await esmock('../src/abstract-server.cmd.js', {
Expand All @@ -40,7 +54,7 @@ describe('AbstractServerCommand test', () => {
const cmd = new MockedCommand();
// eslint-disable-next-line no-underscore-dangle
cmd._project = { server: { hostname: 'localhost', scheme: 'http', port: 3000 } };
await cmd.open('/"; Start calc.exe; echo "foo');
assert.strictEqual(opened, 'http://localhost:3000/%22;%20Start%20calc.exe;%20echo%20%22foo');
await cmd.open('/test page');
assert.strictEqual(opened, 'http://localhost:3000/test%20page');
});
});
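Review bot: The 'open rejects invalid url argument' case is rejected only because of the `;` in the path — the `"` and spaces it also contains are percent-encoded to `%22`/`%20` by the URL parser and are accepted by the new allow-list, as the retained 'constructs valid url from path' case with `%20` shows — so the test name overstates what it pins. A case that isolates a single disallowed character, e.g. `await assert.rejects(cmd.open('/a;b'), Error('refuse to open unsafe url (--open): http://localhost:3000/a;b'));`, would make the boundary explicit. A positive case through the esmock'd `opn` with a query string (`?a=b&c=d`) would likewise document that `&`, `=` and `?` are deliberately allowed.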
