From b364c451bf14d742ee5272c248aefde364dfc160 Mon Sep 17 00:00:00 2001 From: Steven Lambert Date: Thu, 4 Feb 2021 14:12:06 -0700 Subject: [PATCH] fix: do not allow postMessage with axe version of x.y.z --- lib/core/utils/respondable.js | 5 +-- test/core/base/audit.js | 66 +++++++++++++++++++--------------- test/core/export.js | 2 +- test/core/public/configure.js | 11 ++++-- test/core/public/get-rules.js | 29 +++++++++++---- test/core/public/run-rules.js | 17 ++++++--- test/core/utils/respondable.js | 50 ++++++++++---------------- test/karma.conf.js | 3 +- test/version.js | 5 --- 9 files changed, 102 insertions(+), 86 deletions(-) delete mode 100644 test/version.js diff --git a/lib/core/utils/respondable.js b/lib/core/utils/respondable.js index b6b621c5e8..2b98c31b42 100644 --- a/lib/core/utils/respondable.js +++ b/lib/core/utils/respondable.js @@ -47,10 +47,7 @@ function verify(postedMessage) { var messageSource = _getSource(); return ( // Check the version matches - postedMessage._source === messageSource || - // Allow free communication with axe test - postedMessage._source === 'axeAPI.x.y.z' || - messageSource === 'axeAPI.x.y.z' + postedMessage._source === messageSource ); } return false; diff --git a/test/core/base/audit.js b/test/core/base/audit.js index c00f932ac1..0747e11984 100644 --- a/test/core/base/audit.js +++ b/test/core/base/audit.js @@ -4,6 +4,7 @@ describe('Audit', function() { var Audit = axe._thisWillBeDeletedDoNotUse.base.Audit; var Rule = axe._thisWillBeDeletedDoNotUse.base.Rule; + var ver = axe.version.substring(0, axe.version.lastIndexOf('.')); var a, getFlattenedTree; var isNotCalled = function(err) { throw err || new Error('Reject should not be called'); 
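Review bot: The one comparison left in `verify()`, `postedMessage._source === messageSource`, checks a string that the sender sets against a value that appears to be built from the axe version (the tests use `'axeAPI.' + axe.version`). It therefore filters incompatible versions but does not authenticate the sending frame, and a comment should say so, for example `// Version compatibility only: _source is supplied by the sender and is not proof of who sent the message`. With a single operand left, the parenthesised multi-line return can collapse to `return postedMessage._source === messageSource;`. `verify()` starts and ends outside this hunk, so whether the caller also checks the event's origin or source window cannot be confirmed from here.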
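Review bot: The added line `var ver = axe.version.substring(0, axe.version.lastIndexOf('.'));` in test/core/base/audit.js yields major.minor only for a plain three-part version. For a prerelease string with an extra dot (constructed example: `3.2.0-alpha.1`) it keeps the patch and tag, while the 'understands prerelease type version numbers' test in this file expects the help URL to carry only `3.2`, so these expectations would fail on a prerelease build. Matching the leading major.minor, e.g. `var ver = (axe.version.match(/^\d+\.\d+/) || ['x.y'])[0];`, looks closer to what the library does, judging by the removed 'sets x.y as version for invalid versions' test. The same line is added in test/core/public/configure.js, get-rules.js and run-rules.js, so one shared test helper would avoid four copies.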
@@ -115,7 +116,9 @@ describe('Audit', function() { audit._constructHelpUrls(); assert.deepEqual(audit.data.rules.target, { helpUrl: - 'https://dequeuniversity.com/rules/axe/x.y/target?application=axeAPI' + 'https://dequeuniversity.com/rules/axe/' + + ver + + '/target?application=axeAPI' }); }); it('should use changed branding', function() { @@ -131,7 +134,9 @@ describe('Audit', function() { audit._constructHelpUrls(); assert.deepEqual(audit.data.rules.target, { helpUrl: - 'https://dequeuniversity.com/rules/thing/x.y/target?application=axeAPI' + 'https://dequeuniversity.com/rules/thing/' + + ver + + '/target?application=axeAPI' }); }); it('should use changed application', function() { @@ -147,7 +152,9 @@ describe('Audit', function() { audit._constructHelpUrls(); assert.deepEqual(audit.data.rules.target, { helpUrl: - 'https://dequeuniversity.com/rules/axe/x.y/target?application=thing' + 'https://dequeuniversity.com/rules/axe/' + + ver + + '/target?application=thing' }); }); @@ -159,7 +166,9 @@ describe('Audit', function() { selector: 'bob', metadata: { helpUrl: - 'https://dequeuniversity.com/rules/myproject/x.y/target1?application=axeAPI' + 'https://dequeuniversity.com/rules/myproject/' + + ver + + '/target1?application=axeAPI' } }); audit.addRule({ @@ -170,7 +179,9 @@ describe('Audit', function() { assert.equal( audit.data.rules.target1.helpUrl, - 'https://dequeuniversity.com/rules/myproject/x.y/target1?application=axeAPI' + 'https://dequeuniversity.com/rules/myproject/' + + ver + + '/target1?application=axeAPI' ); assert.isUndefined(audit.data.rules.target2); 
@@ -180,11 +191,15 @@ describe('Audit', function() { assert.equal( audit.data.rules.target1.helpUrl, - 'https://dequeuniversity.com/rules/myproject/x.y/target1?application=axeAPI' + 'https://dequeuniversity.com/rules/myproject/' + + ver + + '/target1?application=axeAPI' ); assert.equal( audit.data.rules.target2.helpUrl, - 'https://dequeuniversity.com/rules/thing/x.y/target2?application=axeAPI' + 'https://dequeuniversity.com/rules/thing/' + + ver + + '/target2?application=axeAPI' ); }); it('understands prerelease type version numbers', function() { @@ -205,24 +220,7 @@ describe('Audit', function() { 'https://dequeuniversity.com/rules/axe/3.2/target?application=axeAPI' ); }); - it('sets x.y as version for invalid versions', function() { - var tempVersion = axe.version; - var audit = new Audit(); - audit.addRule({ - id: 'target', - matches: 'function () {return "hello";}', - selector: 'bob' - }); - axe.version = 'in-3.0-valid'; - audit._constructHelpUrls(); - - axe.version = tempVersion; - assert.equal( - audit.data.rules.target.helpUrl, - 'https://dequeuniversity.com/rules/axe/x.y/target?application=axeAPI' - ); - }); it('matches major release versions', function() { var tempVersion = axe.version; var audit = new Audit(); @@ -256,7 +254,9 @@ describe('Audit', function() { audit._constructHelpUrls(); assert.deepEqual(audit.data.rules.target, { helpUrl: - 'https://dequeuniversity.com/rules/axe/x.y/target?application=axeAPI&lang=de' + 'https://dequeuniversity.com/rules/axe/' + + ver + + '/target?application=axeAPI&lang=de' }); }); }); @@ -296,7 +296,9 @@ describe('Audit', function() { }); assert.deepEqual(audit.data.rules.target, { helpUrl: - 'https://dequeuniversity.com/rules/axe/x.y/target?application=thing' + 'https://dequeuniversity.com/rules/axe/' + + ver + + '/target?application=thing' }); }); it('should call _constructHelpUrls even when nothing changed', function() { 
@@ -311,7 +313,9 @@ describe('Audit', function() { audit.setBranding(undefined); assert.deepEqual(audit.data.rules.target, { helpUrl: - 'https://dequeuniversity.com/rules/axe/x.y/target?application=axeAPI' + 'https://dequeuniversity.com/rules/axe/' + + ver + + '/target?application=axeAPI' }); }); it('should not replace custom set branding', function() { @@ -322,7 +326,9 @@ describe('Audit', function() { selector: 'bob', metadata: { helpUrl: - 'https://dequeuniversity.com/rules/customer-x/x.y/target?application=axeAPI' + 'https://dequeuniversity.com/rules/customer-x/' + + ver + + '/target?application=axeAPI' } }); audit.setBranding({ @@ -331,7 +337,9 @@ describe('Audit', function() { }); assert.equal( audit.data.rules.target.helpUrl, - 'https://dequeuniversity.com/rules/customer-x/x.y/target?application=axeAPI' + 'https://dequeuniversity.com/rules/customer-x/' + + ver + + '/target?application=axeAPI' ); }); }); diff --git a/test/core/export.js b/test/core/export.js index 22d9b7bf57..df147d1f0c 100644 --- a/test/core/export.js +++ b/test/core/export.js @@ -5,6 +5,6 @@ describe('export', function() { assert.isDefined(window.axe); }); it('should define version', function() { - assert.equal(axe.version, 'x.y.z'); + assert.isNotNull(axe.version); }); }); diff --git a/test/core/public/configure.js b/test/core/public/configure.js index 0123cd77f9..b731fbccec 100644 --- a/test/core/public/configure.js +++ b/test/core/public/configure.js @@ -4,6 +4,7 @@ describe('axe.configure', function() { // var Check = axe._thisWillBeDeletedDoNotUse.base.Check; var fixture = document.getElementById('fixture'); var axeVersion = axe.version; + var ver = axe.version.substring(0, axe.version.lastIndexOf('.')); afterEach(function() { fixture.innerHTML = ''; 
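Review bot: In test/core/export.js, `assert.isNotNull(axe.version)` still passes when `axe.version` is `undefined`, because chai's `isNotNull` only rules out `null`. The 'should define version' test therefore no longer proves the property is defined. `assert.isString(axe.version);` or, stricter, `assert.match(axe.version, /^\d+\.\d+\.\d+/);` would keep the test meaningful now that the value is no longer the fixed placeholder.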
@@ -96,7 +97,7 @@ describe('axe.configure', function() { assert.lengthOf(axe._audit.rules, 1); assert.equal( axe._audit.data.rules.bob.helpUrl, - 'https://dequeuniversity.com/rules/axe/x.y/bob?application=axeAPI' + 'https://dequeuniversity.com/rules/axe/' + ver + '/bob?application=axeAPI' ); axe.configure({ branding: { @@ -106,7 +107,9 @@ describe('axe.configure', function() { }); assert.equal( axe._audit.data.rules.bob.helpUrl, - 'https://dequeuniversity.com/rules/thung/x.y/bob?application=thing' + 'https://dequeuniversity.com/rules/thung/' + + ver + + '/bob?application=thing' ); }); @@ -129,7 +132,9 @@ describe('axe.configure', function() { assert.equal( axe._audit.data.rules.bob.helpUrl, - 'https://dequeuniversity.com/rules/thung/x.y/bob?application=thing' + 'https://dequeuniversity.com/rules/thung/' + + ver + + '/bob?application=thing' ); }); diff --git a/test/core/public/get-rules.js b/test/core/public/get-rules.js index ff875a898a..13a6c147ea 100644 --- a/test/core/public/get-rules.js +++ b/test/core/public/get-rules.js @@ -1,5 +1,6 @@ describe('axe.getRules', function() { 'use strict'; + var ver = axe.version.substring(0, axe.version.lastIndexOf('.')); beforeEach(function() { axe._load({ @@ -46,7 +47,9 @@ describe('axe.getRules', function() { assert.equal(retValue[0].help, 'halp'); assert.equal( retValue[0].helpUrl, - 'https://dequeuniversity.com/rules/axe/x.y/awesomeRule1?application=axeAPI' + 'https://dequeuniversity.com/rules/axe/' + + ver + + '/awesomeRule1?application=axeAPI' ); assert.deepEqual(retValue[0].tags, ['tag1']); @@ -55,7 +58,9 @@ describe('axe.getRules', function() { assert.equal(retValue[1].help, 'halp me!'); assert.equal( retValue[1].helpUrl, - 'https://dequeuniversity.com/rules/axe/x.y/awesomeRule2?application=axeAPI' + 'https://dequeuniversity.com/rules/axe/' + + ver + + '/awesomeRule2?application=axeAPI' ); assert.deepEqual(retValue[1].tags, ['tag1', 'tag2']); 
@@ -67,7 +72,9 @@ describe('axe.getRules', function() { assert.equal(retValue[0].help, 'halp me!'); assert.equal( retValue[0].helpUrl, - 'https://dequeuniversity.com/rules/axe/x.y/awesomeRule2?application=axeAPI' + 'https://dequeuniversity.com/rules/axe/' + + ver + + '/awesomeRule2?application=axeAPI' ); assert.deepEqual(retValue[0].tags, ['tag1', 'tag2']); }); @@ -85,7 +92,9 @@ describe('axe.getRules', function() { assert.equal(retValue[0].help, 'halp'); assert.equal( retValue[0].helpUrl, - 'https://dequeuniversity.com/rules/axe/x.y/awesomeRule1?application=axeAPI' + 'https://dequeuniversity.com/rules/axe/' + + ver + + '/awesomeRule1?application=axeAPI' ); assert.deepEqual(retValue[0].tags, ['tag1']); @@ -94,7 +103,9 @@ describe('axe.getRules', function() { assert.equal(retValue[1].help, 'halp me!'); assert.equal( retValue[1].helpUrl, - 'https://dequeuniversity.com/rules/axe/x.y/awesomeRule2?application=axeAPI' + 'https://dequeuniversity.com/rules/axe/' + + ver + + '/awesomeRule2?application=axeAPI' ); assert.deepEqual(retValue[1].tags, ['tag1', 'tag2']); }); @@ -106,7 +117,9 @@ describe('axe.getRules', function() { assert.equal(retValue[0].help, 'halp'); assert.equal( retValue[0].helpUrl, - 'https://dequeuniversity.com/rules/axe/x.y/awesomeRule1?application=axeAPI' + 'https://dequeuniversity.com/rules/axe/' + + ver + + '/awesomeRule1?application=axeAPI' ); assert.deepEqual(retValue[0].tags, ['tag1']); @@ -115,7 +128,9 @@ describe('axe.getRules', function() { assert.equal(retValue[1].help, 'halp me!'); assert.equal( retValue[1].helpUrl, - 'https://dequeuniversity.com/rules/axe/x.y/awesomeRule2?application=axeAPI' + 'https://dequeuniversity.com/rules/axe/' + + ver + + '/awesomeRule2?application=axeAPI' ); assert.deepEqual(retValue[1].tags, ['tag1', 'tag2']); }); diff --git a/test/core/public/run-rules.js b/test/core/public/run-rules.js index be9bebbbfb..ebbd3574ff 100644 --- a/test/core/public/run-rules.js +++ b/test/core/public/run-rules.js 
@@ -1,5 +1,6 @@ describe('runRules', function() { 'use strict'; + var ver = axe.version.substring(0, axe.version.lastIndexOf('.')); // These tests can sometimes be flaky in IE, allow for up to 3 retries if (axe.testUtils.isIE11) { @@ -206,7 +207,9 @@ describe('runRules', function() { { id: 'div#target', helpUrl: - 'https://dequeuniversity.com/rules/axe/x.y/div#target?application=axeAPI', + 'https://dequeuniversity.com/rules/axe/' + + ver + + '/div#target?application=axeAPI', pageLevel: false, impact: null, inapplicable: [], @@ -245,7 +248,9 @@ describe('runRules', function() { { id: 'first-div', helpUrl: - 'https://dequeuniversity.com/rules/axe/x.y/first-div?application=axeAPI', + 'https://dequeuniversity.com/rules/axe/' + + ver + + '/first-div?application=axeAPI', pageLevel: false, impact: null, inapplicable: [], @@ -512,7 +517,9 @@ describe('runRules', function() { { id: 'div#target', helpUrl: - 'https://dequeuniversity.com/rules/axe/x.y/div#target?application=axeAPI', + 'https://dequeuniversity.com/rules/axe/' + + ver + + '/div#target?application=axeAPI', pageLevel: false, foo: 'bar', stuff: 'blah', @@ -552,7 +559,9 @@ describe('runRules', function() { { id: 'first-div', helpUrl: - 'https://dequeuniversity.com/rules/axe/x.y/first-div?application=axeAPI', + 'https://dequeuniversity.com/rules/axe/' + + ver + + '/first-div?application=axeAPI', pageLevel: false, bar: 'foo', stuff: 'no', diff --git a/test/core/utils/respondable.js b/test/core/utils/respondable.js index 639eb7ad0f..30b95067e2 100644 --- a/test/core/utils/respondable.js +++ b/test/core/utils/respondable.js @@ -101,7 +101,7 @@ describe('axe.utils.respondable', function() { it('should pass messages that have all required properties', function(done) { eventData = { _respondable: true, - _source: 'axeAPI.2.0.0', + _source: 'axeAPI.' + axe.version, message: 'Help us Obi-Wan', _axeuuid: 'otherAxe' }; 
@@ -112,40 +112,28 @@ describe('axe.utils.respondable', function() { }); }); - it('should allow messages with _source axeAPI.x.y.z', function(done) { + it('should reject messages if the axe version is different', function(done) { + axe.version = '1.0.0'; eventData = { _respondable: true, - _source: 'axeAPI.x.y.z', + _source: 'axeAPI.2.0.0', message: 'Help us Obi-Wan', _axeuuid: 'otherAxe' }; - axe.utils.respondable(win, 'Death star', null, true, function(data) { - assert.equal(data, 'Help us Obi-Wan'); - done(); + axe.utils.respondable(win, 'Death star', null, true, function() { + done(new Error('should not call callback')); }); - }); - - it('should allow messages if the axe version is x.y.z', function(done) { - axe.version = 'x.y.z'; - eventData = { - _respondable: true, - _source: 'axeAPI.2.0.0', - message: 'Help us Obi-Wan', - _axeuuid: 'otherAxe' - }; - axe.utils.respondable(win, 'Death star', null, true, function(data) { - assert.equal(data, 'Help us Obi-Wan'); + setTimeout(function() { done(); - }); + }, 100); }); - it('should reject messages if the axe version is different', function(done) { - axe.version = '1.0.0'; + it('should reject messages if the axe version is x.y.z', function(done) { eventData = { _respondable: true, - _source: 'axeAPI.2.0.0', + _source: 'axeAPI.x.y.z', message: 'Help us Obi-Wan', _axeuuid: 'otherAxe' }; @@ -162,7 +150,7 @@ describe('axe.utils.respondable', function() { it('should reject messages that are that are not strings', function(done) { eventData = { _respondable: true, - _source: 'axeAPI.2.0.0', + _source: 'axeAPI.' + axe.version, message: 'Help us Obi-Wan', _axeuuid: 'otherAxe' }; @@ -188,7 +176,7 @@ describe('axe.utils.respondable', function() { it('should reject messages that are invalid stringified objects', function(done) { eventData = { _respondable: true, - _source: 'axeAPI.2.0.0', + _source: 'axeAPI.' + axe.version, message: 'Help us Obi-Wan', _axeuuid: 'otherAxe' }; 
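Review bot: The rewritten tests cover a message whose `_source` is the `axeAPI.x.y.z` placeholder, but not the other removed clause, where the receiving copy of axe itself reports version `x.y.z`. The title 'should reject messages if the axe version is x.y.z' suggests that case, while the body only sets `_source`. A companion test that sets `axe.version = 'x.y.z'` with a real-looking `_source` and expects no callback would pin both halves of the fix. Separately, 'should reject messages if the axe version is different' assigns `axe.version = '1.0.0'`. Now that test/version.js no longer fixes the version, confirm that a hook outside this hunk restores the real value, since other suites read `axe.version` when they are defined.

```javascript
it('should reject messages if the receiving axe version is x.y.z', function(done) {
  axe.version = 'x.y.z';
  eventData = {
    _respondable: true,
    _source: 'axeAPI.2.0.0',
    message: 'Help us Obi-Wan',
    _axeuuid: 'otherAxe'
  };

  axe.utils.respondable(win, 'Death star', null, true, function() {
    done(new Error('should not call callback'));
  });

  // same negative-assertion pattern as the neighbouring rejection tests
  setTimeout(function() {
    done();
  }, 100);
});
```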
@@ -214,7 +202,7 @@ describe('axe.utils.respondable', function() { it('should reject messages that do not have a uuid', function(done) { eventData = { _respondable: true, - _source: 'axeAPI.2.0.0', + _source: 'axeAPI.' + axe.version, message: 'Help us Obi-Wan', _axeuuid: 'otherAxe' }; @@ -238,7 +226,7 @@ describe('axe.utils.respondable', function() { it('should reject messages that do not have a matching uuid', function(done) { eventData = { _respondable: true, - _source: 'axeAPI.2.0.0', + _source: 'axeAPI.' + axe.version, message: 'Help us Obi-Wan', _axeuuid: 'otherAxe' }; @@ -263,7 +251,7 @@ describe('axe.utils.respondable', function() { it('should reject messages that do not have `_respondable: true`', function(done) { eventData = { - _source: 'axeAPI.2.0.0', + _source: 'axeAPI.' + axe.version, message: 'Help us Obi-Wan', _axeuuid: 'otherAxe' }; @@ -280,7 +268,7 @@ describe('axe.utils.respondable', function() { it('should reject messages that do not have `_axeuuid`', function(done) { eventData = { _respondable: true, - _source: 'axeAPI.2.0.0', + _source: 'axeAPI.' + axe.version, message: 'Help us Obi-Wan' }; @@ -296,7 +284,7 @@ describe('axe.utils.respondable', function() { it('should reject messages from the same axe instance (`_axeuuid`)', function(done) { eventData = { _respondable: true, - _source: 'axeAPI.2.0.0', + _source: 'axeAPI.' + axe.version, message: 'Help us Obi-Wan' }; @@ -322,7 +310,7 @@ describe('axe.utils.respondable', function() { it('should throw if an error message was send', function(done) { eventData = { _respondable: true, - _source: 'axeAPI.2.0.0', + _source: 'axeAPI.' + axe.version, error: { name: 'ReferenceError', message: 'The exhaust port is open!', @@ -343,7 +331,7 @@ describe('axe.utils.respondable', function() { eventData = { _respondable: true, - _source: 'axeAPI.2.0.0', + _source: 'axeAPI.' + axe.version, error: { name: 'evil', message: 'The exhaust port is open!', 
diff --git a/test/karma.conf.js b/test/karma.conf.js index aa5667463f..1fdf04503c 100644 --- a/test/karma.conf.js +++ b/test/karma.conf.js @@ -89,8 +89,7 @@ module.exports = function(config) { }, 'axe.js', - 'test/testutils.js', - 'test/version.js' + 'test/testutils.js' ].concat(testPaths), proxies: { '/test': '/base/test', diff --git a/test/version.js b/test/version.js deleted file mode 100644 index 290b8dcd29..0000000000 --- a/test/version.js +++ /dev/null @@ -1,5 +0,0 @@ -/*global axe */ - -// This enables free communication between frames with -// to the current version of axe: -axe.version = 'x.y.z';