Validate PUBLISH topics

moscajs · Jul 19, 2017 · f1f1b0a · f1f1b0a
1 parent 0c9bfe8
commit f1f1b0a
Show file tree

Hide file tree

Showing 2 changed files with 77 additions and 0 deletions.
diff --git a/lib/handlers/publish.js b/lib/handlers/publish.js
@@ -17,6 +17,18 @@ var publishActions = [
   enqueuePublish
 ]
 function handlePublish (client, packet, done) {
+  var topic = packet.topic
+  var err
+  for (var i = 0; i < topic.length; i++) {
+    switch (topic.charCodeAt(i)) {
+      case 35:
+        err = new Error('# is not allowed in PUBLISH')
+        return done(err)
+      case 43:
+        err = new Error('+ is not allowed in PUBLISH')
+        return done(err)
+    }
+  }
   client.broker._series(client, publishActions, packet, done)
 }
 

diff --git a/test/basic.js b/test/basic.js
@@ -486,3 +486,68 @@ test('avoid wrong deduping of retain messages', function (t) {
 
   publisher.inStream.write(expected)
 })
+
+test('publish invalid topic with #', function (t) {
+  var s = connect(setup())
+
+  subscribe(t, s, '#', 0, function () {
+    s.outStream.once('data', function (packet) {
+      t.fail('no packet')
+      t.end()
+    })
+
+    s.inStream.write({
+      cmd: 'publish',
+      topic: 'hello/#',
+      payload: 'world'
+    })
+  })
+
+  eos(s.conn, function () {
+    t.equal(s.broker.connectedClients, 0, 'no connected clients')
+    t.end()
+  })
+})
+
+test('publish invalid topic with +', function (t) {
+  var s = connect(setup())
+
+  subscribe(t, s, '#', 0, function () {
+    s.outStream.once('data', function (packet) {
+      t.fail('no packet')
+    })
+
+    s.inStream.write({
+      cmd: 'publish',
+      topic: 'hello/+/eee',
+      payload: 'world'
+    })
+  })
+
+  eos(s.conn, function () {
+    t.equal(s.broker.connectedClients, 0, 'no connected clients')
+    t.end()
+  })
+})
+
+test('subscribe to invalid topic with hello/+foo', function (t) {
+  var s = connect(setup())
+
+  subscribe(t, s, 'hello/+foo', 0, function () {
+    s.outStream.once('data', function (packet) {
+      t.fail('no packet')
+      t.end()
+    })
+
+    s.inStream.write({
+      cmd: 'publish',
+      topic: 'hello/#',
+      payload: 'world'
+    })
+  })
+
+  eos(s.conn, function () {
+    t.equal(s.broker.connectedClients, 0, 'no connected clients')
+    t.end()
+  })
+})