From f5ab8267067d00b92bca5d8e7c31a1a5b0751e8d Mon Sep 17 00:00:00 2001
From: Manuel Trezza <5673677+mtrezza@users.noreply.github.com>
Date: Fri, 17 Jun 2022 20:33:22 +0200
Subject: [PATCH 1/3] fix

---
 spec/ParseFile.spec.js | 29 +++++++++++++++++++++++++++++
 src/Routers/FilesRouter.js | 12 +++++++++---
 2 files changed, 38 insertions(+), 3 deletions(-)

diff --git a/spec/ParseFile.spec.js b/spec/ParseFile.spec.js
index 410d15c81b..87b7cc6634 100644
--- a/spec/ParseFile.spec.js
+++ b/spec/ParseFile.spec.js
@@ -623,6 +623,35 @@ describe('Parse.File testing', () => {
 });
 });

+ describe('getting files', () => {
+ it('can get invalid file', async () => {
+ const getFile = async () => {
+ try {
+ await request({ url: 'http://localhost:8378/1/files/invalid-id/invalid-file.txt' });
+ } catch (e) {
+ throw new Parse.Error(e.data.code, e.data.error);
+ }
+ };
+ await expectAsync(getFile()).toBeRejectedWith(
+ new Parse.Error(Parse.Error.OPERATION_FORBIDDEN, 'Invalid appId.')
+ );
+ const { status, data } = await request({ url: 'http://localhost:8378/1/health' });
+ expect(status).toEqual(200);
+ expect(data).toEqual({ status: 'ok' });
+ });
+
+ it('can get invalid metadata', async () => {
+ const metadata = await request({
+ url: `http://localhost:8378/1/files/invalid-id/metadata/invalid-file.txt`,
+ });
+ expect(metadata.status).toBe(200);
+ expect(metadata.data).toEqual({});
+ const { status, data } = await request({ url: 'http://localhost:8378/1/health' });
+ expect(status).toEqual(200);
+ expect(data).toEqual({ status: 'ok' });
+ });
+ });
+
 xdescribe('Gridstore Range tests', () => {
 it('supports range requests', done => {
 const headers = {
diff --git a/src/Routers/FilesRouter.js b/src/Routers/FilesRouter.js
index 2b0140fe7d..29b9ad4cc6 100644
--- a/src/Routers/FilesRouter.js
+++ b/src/Routers/FilesRouter.js
@@ -66,6 +66,12 @@ export class FilesRouter {

 getHandler(req, res) {
 const config = Config.get(req.params.appId);
+ if (!config) {
+ res.status(403);
+ const err = new Parse.Error(Parse.Error.OPERATION_FORBIDDEN, 'Invalid application ID.');
+ res.json({ code: err.code, error: err.message });
+ return;
+ }
 const filesController = config.filesController;
 const filename = req.params.filename;
 const contentType = mime.getType(filename);
@@ -222,10 +228,10 @@ export class FilesRouter {
 }

 async metadataHandler(req, res) {
- const config = Config.get(req.params.appId);
- const { filesController } = config;
- const { filename } = req.params;
 try {
+ const config = Config.get(req.params.appId);
+ const { filesController } = config;
+ const { filename } = req.params;
 const data = await filesController.getMetadata(filename);
 res.status(200);
 res.json(data);
From 2f43f7c5b1a69a9881a9cf567d11e9a879a52dbd Mon Sep 17 00:00:00 2001
From: Manuel Trezza <5673677+mtrezza@users.noreply.github.com>
Date: Sat, 18 Jun 2022 00:40:35 +0200
Subject: [PATCH 2/3] refactor fix

---
 spec/ParseFile.spec.js | 35 ++++++++++++++++-------------------
 1 file changed, 16 insertions(+), 19 deletions(-)

diff --git a/spec/ParseFile.spec.js b/spec/ParseFile.spec.js
index 87b7cc6634..052df3ef80 100644
--- a/spec/ParseFile.spec.js
+++ b/spec/ParseFile.spec.js
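Review bot: In the second hunk, `metadataHandler` still dereferences `config` without checking it; moving `Config.get(req.params.appId)` inside the `try` only means the TypeError from destructuring a missing config is absorbed by the existing `catch`, which lies outside the hunk and, judging by the spec added in this patch, answers 200 with `{}`. An unknown application ID is then indistinguishable from a file that has no metadata, while `getHandler` in the first hunk rejects the same condition with 403, and any other failure inside the `try` is presumably hidden the same way. An explicit guard at the top of the `try`, `if (!config) { res.status(403); res.json({ code: Parse.Error.OPERATION_FORBIDDEN, error: 'Invalid application ID.' }); return; }`, would keep the two handlers consistent and stop relying on an exception for control flow. Both function bodies continue outside their hunks.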
@@ -625,30 +625,27 @@ describe('Parse.File testing', () => {

 describe('getting files', () => {
 it('can get invalid file', async () => {
- const getFile = async () => {
- try {
- await request({ url: 'http://localhost:8378/1/files/invalid-id/invalid-file.txt' });
- } catch (e) {
- throw new Parse.Error(e.data.code, e.data.error);
- }
- };
- await expectAsync(getFile()).toBeRejectedWith(
- new Parse.Error(Parse.Error.OPERATION_FORBIDDEN, 'Invalid appId.')
- );
- const { status, data } = await request({ url: 'http://localhost:8378/1/health' });
- expect(status).toEqual(200);
- expect(data).toEqual({ status: 'ok' });
+ const res1 = await request({
+ url: 'http://localhost:8378/1/files/invalid-id/invalid-file.txt',
+ }).catch(e => e);
+ expect(res1.status).toBe(403);
+ expect(res1.data).toEqual({ code: 119, error: 'Invalid application ID.' });
+ // Check whether server did not crash
+ const res2 = await request({ url: 'http://localhost:8378/1/health' });
+ expect(res2.status).toEqual(200);
+ expect(res2.data).toEqual({ status: 'ok' });
 });

 it('can get invalid metadata', async () => {
- const metadata = await request({
+ const res1 = await request({
 url: `http://localhost:8378/1/files/invalid-id/metadata/invalid-file.txt`,
 });
- expect(metadata.status).toBe(200);
- expect(metadata.data).toEqual({});
- const { status, data } = await request({ url: 'http://localhost:8378/1/health' });
- expect(status).toEqual(200);
- expect(data).toEqual({ status: 'ok' });
+ expect(res1.status).toBe(200);
+ expect(res1.data).toEqual({});
+ // Check whether server did not crash
+ const res2 = await request({ url: 'http://localhost:8378/1/health' });
+ expect(res2.status).toEqual(200);
+ expect(res2.data).toEqual({ status: 'ok' });
 });
 });

From 86b53c4585b3966fbbf751871900a4caf2ada6c8 Mon Sep 17 00:00:00 2001
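Review bot: The new assertion `expect(res1.data).toEqual({ code: 119, error: 'Invalid application ID.' })` hard-codes the numeric error code, where the lines it replaces used the named constant. Writing `code: Parse.Error.OPERATION_FORBIDDEN` keeps the test tied to the same constant the handler uses and tells the reader which error is expected. The second test calls `request` without `.catch(e => e)`, so a non-2xx answer would presumably surface as a rejected promise rather than as a failed status assertion; using the same pattern in both tests would make a regression easier to read.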
From: Manuel Trezza <5673677+mtrezza@users.noreply.github.com>
Date: Sat, 18 Jun 2022 00:40:35 +0200
Subject: [PATCH 3/3] refactor fix

---
 spec/ParseFile.spec.js | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

diff --git a/spec/ParseFile.spec.js b/spec/ParseFile.spec.js
index 052df3ef80..c4172472e7 100644
--- a/spec/ParseFile.spec.js
+++ b/spec/ParseFile.spec.js
@@ -624,25 +624,37 @@ describe('Parse.File testing', () => {
 });

 describe('getting files', () => {
- it('can get invalid file', async () => {
+ it('does not crash on file request with invalid app ID', async () => {
 const res1 = await request({
 url: 'http://localhost:8378/1/files/invalid-id/invalid-file.txt',
 }).catch(e => e);
 expect(res1.status).toBe(403);
 expect(res1.data).toEqual({ code: 119, error: 'Invalid application ID.' });
- // Check whether server did not crash
+ // Ensure server did not crash
 const res2 = await request({ url: 'http://localhost:8378/1/health' });
 expect(res2.status).toEqual(200);
 expect(res2.data).toEqual({ status: 'ok' });
 });

- it('can get invalid metadata', async () => {
+ it('does not crash on file request with invalid path', async () => {
+ const res1 = await request({
+ url: 'http://localhost:8378/1/files/invalid-id//invalid-path/%20/invalid-file.txt',
+ }).catch(e => e);
+ expect(res1.status).toBe(403);
+ expect(res1.data).toEqual({ error: 'unauthorized' });
+ // Ensure server did not crash
+ const res2 = await request({ url: 'http://localhost:8378/1/health' });
+ expect(res2.status).toEqual(200);
+ expect(res2.data).toEqual({ status: 'ok' });
+ });
+
+ it('does not crash on file metadata request with invalid app ID', async () => {
 const res1 = await request({
 url: `http://localhost:8378/1/files/invalid-id/metadata/invalid-file.txt`,
 });
 expect(res1.status).toBe(200);
 expect(res1.data).toEqual({});
- // Check whether server did not crash
+ // Ensure server did not crash
 const res2 = await request({ url: 'http://localhost:8378/1/health' });
 expect(res2.status).toEqual(200);
 expect(res2.data).toEqual({ status: 'ok' });
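Review bot: The added 'invalid path' test also uses `invalid-id` as the application ID, so it does not isolate path handling: its expected body `{ error: 'unauthorized' }` differs from the `Invalid application ID.` body asserted in the first test, which suggests the request is rejected by another layer before it reaches the file handler. A case with the same malformed path (`//invalid-path/%20/invalid-file.txt`) under the suite's valid application ID would be needed to cover how the handler treats the filename itself. The three health-check lines are now repeated in every test of this `describe` and could move into one small helper, so the "server did not crash" intent is stated once.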