koa-classic-server 2.6.1 → 3.0.0

package/__tests__/hideExtension.test.js

@@ -31,7 +31,7 @@ describe('hideExtension option tests', () => {
         beforeAll(() => {
             app = new Koa();
             app.use(koaClassicServer(rootDir, {
-                showDirContents: true,
+                dirListing: { enabled: true },
                 index: ['index.ejs'],
                 hideExtension: { ext: '.ejs' },
                 template: {
@@ -83,7 +83,7 @@ describe('hideExtension option tests', () => {
         beforeAll(() => {
             app = new Koa();
             app.use(koaClassicServer(rootDir, {
-                showDirContents: true,
+                dirListing: { enabled: true },
                 index: ['index.ejs'],
                 hideExtension: { ext: '.ejs' },
                 template: {
@@ -141,7 +141,7 @@ describe('hideExtension option tests', () => {
         beforeAll(() => {
             app = new Koa();
             app.use(koaClassicServer(rootDir, {
-                showDirContents: true,
+                dirListing: { enabled: true },
                 index: ['index.ejs'],
                 hideExtension: { ext: '.ejs', redirect: 302 }
             }));
@@ -159,15 +159,15 @@ describe('hideExtension option tests', () => {
     });
 
     // ==========================================
-    // Directory/file conflict (showDirContents: true)
+    // Directory/file conflict (dirListing: { enabled: true })
     // ==========================================
-    describe('Directory/file conflict with showDirContents: true', () => {
+    describe('Directory/file conflict with dirListing: { enabled: true }', () => {
         let app, server, request;
 
         beforeAll(() => {
             app = new Koa();
             app.use(koaClassicServer(rootDir, {
-                showDirContents: true,
+                dirListing: { enabled: true },
                 index: ['index.html'],
                 hideExtension: { ext: '.ejs' },
                 template: {
@@ -208,7 +208,7 @@ describe('hideExtension option tests', () => {
         beforeAll(() => {
             app = new Koa();
             app.use(koaClassicServer(rootDir, {
-                showDirContents: true,
+                dirListing: { enabled: true },
                 hideExtension: { ext: '.ejs' }
             }));
             server = app.listen();
@@ -232,7 +232,7 @@ describe('hideExtension option tests', () => {
         beforeAll(() => {
             app = new Koa();
             app.use(koaClassicServer(rootDir, {
-                showDirContents: true,
+                dirListing: { enabled: true },
                 hideExtension: { ext: '.ejs' },
                 template: {
                     ext: ['ejs'],
@@ -275,7 +275,7 @@ describe('hideExtension option tests', () => {
             });
 
             const middleware = koaClassicServer(rootDir, {
-                showDirContents: true,
+                dirListing: { enabled: true },
                 index: ['index.ejs'],
                 urlsReserved: ['/blog'],
                 hideExtension: { ext: '.ejs' },
@@ -335,7 +335,7 @@ describe('hideExtension option tests', () => {
             });
 
             app.use(koaClassicServer(rootDir, {
-                showDirContents: true,
+                dirListing: { enabled: true },
                 useOriginalUrl: false,
                 hideExtension: { ext: '.ejs' },
                 template: {
@@ -377,7 +377,7 @@ describe('hideExtension option tests', () => {
         beforeAll(() => {
             app = new Koa();
             app.use(koaClassicServer(rootDir, {
-                showDirContents: true,
+                dirListing: { enabled: true },
                 hideExtension: { ext: '.ejs' }
             }));
             server = app.listen();
@@ -404,7 +404,7 @@ describe('hideExtension option tests', () => {
         beforeAll(() => {
             app = new Koa();
             app.use(koaClassicServer(rootDir, {
-                showDirContents: true,
+                dirListing: { enabled: true },
                 hideExtension: { ext: '.ejs' }
             }));
             server = app.listen();
@@ -442,7 +442,7 @@ describe('hideExtension option tests', () => {
         beforeAll(() => {
             app = new Koa();
             app.use(koaClassicServer(rootDir, {
-                showDirContents: true,
+                dirListing: { enabled: true },
                 index: ['index.ejs'],
                 hideExtension: { ext: '.ejs' },
                 template: {
@@ -547,4 +547,61 @@ describe('hideExtension option tests', () => {
             }).not.toThrow();
         });
     });
+
+    // ==========================================
+    // Security: open-redirect via protocol-relative URL
+    // ==========================================
+    describe('Open-redirect guard on hideExtension Location header', () => {
+        let app, server, port;
+
+        beforeAll((done) => {
+            app = new Koa();
+            app.use(koaClassicServer(rootDir, {
+                dirListing: { enabled: true },
+                hideExtension: { ext: '.ejs' }
+            }));
+            server = app.listen(0, () => {
+                port = server.address().port;
+                done();
+            });
+        });
+
+        afterAll(() => { server.close(); });
+
+        // Send the request path as raw bytes so the leading "//" survives any
+        // client-side URL normalization. supertest/url.parse would collapse it.
+        function rawGet(path) {
+            const http = require('http');
+            return new Promise((resolve, reject) => {
+                const req = http.request({
+                    host: '127.0.0.1',
+                    port,
+                    method: 'GET',
+                    path
+                }, (res) => {
+                    res.resume();
+                    resolve({ status: res.statusCode, location: res.headers.location });
+                });
+                req.on('error', reject);
+                req.end();
+            });
+        }
+
+        test('GET //evil.com/foo.ejs → Location must not be protocol-relative', async () => {
+            const res = await rawGet('//evil.com/foo.ejs');
+            expect(res.status).toBe(301);
+            expect(res.location).toBeDefined();
+            // The Location must not start with "//" or "/\" (would navigate off-origin)
+            expect(res.location.startsWith('//')).toBe(false);
+            expect(res.location.startsWith('/\\')).toBe(false);
+            expect(res.location).toBe('/evil.com/foo');
+        });
+
+        test('GET ///a/b.ejs → leading slashes collapsed in Location', async () => {
+            const res = await rawGet('///a/b.ejs');
+            expect(res.status).toBe(301);
+            expect(res.location.startsWith('//')).toBe(false);
+            expect(res.location).toBe('/a/b');
+        });
+    });
 });

package/__tests__/index-option.test.js

@@ -1,12 +1,13 @@
 /**
  * Enhanced Index Option Tests
  *
- * Tests for the new index option that supports:
- * - String (backward compatible)
+ * Tests for the index option that supports:
  * - Array of strings
  * - Array of RegExp
  * - Mixed array (strings + RegExp)
  * - Priority handling (first match wins)
+ *
+ * v3.0.0: string format removed — passing a non-empty string throws an Error.
  */
 
 const Koa = require('koa');
@@ -39,21 +40,20 @@ describe('Enhanced Index Option Tests', () => {
         }
     });
 
-    describe('Backward Compatibility - String index', () => {
-        test('String: "index.html" should work as before', async () => {
-            // Create index.html
-            fs.writeFileSync(path.join(tempDir, 'index.html'), '<h1>Index HTML</h1>');
-
-            app = new Koa();
-            app.use(koaClassicServer(tempDir, { index: 'index.html' }));
-            server = app.listen();
+    describe('String index — removed in v3.0.0', () => {
+        test('Non-empty string should throw an Error', () => {
+            expect(() => {
+                new Koa().use(koaClassicServer(tempDir, { index: 'index.html' }));
+            }).toThrow('"index" option no longer accepts a string in v3.0.0');
+        });
 
-            const res = await supertest(server).get('/');
-            expect(res.status).toBe(200);
-            expect(res.text).toContain('Index HTML');
+        test('Throw message should include migration hint', () => {
+            expect(() => {
+                new Koa().use(koaClassicServer(tempDir, { index: 'default.htm' }));
+            }).toThrow('index: ["default.htm"]');
         });
 
-        test('Empty string should show directory listing', async () => {
+        test('Empty string should show directory listing (no throw)', async () => {
             fs.writeFileSync(path.join(tempDir, 'test.txt'), 'test');
 
             app = new Koa();
@@ -281,7 +281,8 @@ describe('Enhanced Index Option Tests', () => {
 
             const res = await supertest(server).get('/');
             expect(res.status).toBe(200);
-            expect(res.text).toContain('EJS content');
+            const body = res.text !== undefined ? res.text : res.body.toString('utf8');
+            expect(body).toContain('EJS content');
         });
     });
 
@@ -362,7 +363,8 @@ describe('Enhanced Index Option Tests', () => {
 
             const res = await supertest(server).get('/');
             expect(res.status).toBe(200);
-            expect(res.text).toContain('pug content');
+            const body = res.text !== undefined ? res.text : res.body.toString('utf8');
+            expect(body).toContain('pug content');
         });
 
         test('Case-insensitive filesystem (Windows-like): matches any case', async () => {

package/__tests__/index.test.js

@@ -33,7 +33,7 @@ const filesAndDirArray = getFilesRecursivelySync(rootDir);
 const options0 = {  
   urlPrefix: '/public', // Il prefisso URL che il middleware dovrà intercettare
   method: ['GET'],// I metodi HTTP ammessi (default 'GET')
-  showDirContents: true,// Se mostrare il contenuto della directory in caso di richiesta ad una cartella
+  dirListing: { enabled: true },// Se mostrare il contenuto della directory in caso di richiesta ad una cartella
   //index: 'index.html', // Nome del file index da cercare all'interno di una directory (se presente)
 };
 
@@ -79,7 +79,7 @@ describe(` koaClassicServer options0: ${JSON.stringify(options0)}`, () => {
 //START option1
 const options1 = {
   method: ['GET'],
-  showDirContents: true,
+  dirListing: { enabled: true },
 };
 
 describe(` koaClassicServer options1: ${JSON.stringify(options1)}`, () => {
@@ -114,8 +114,8 @@ describe(` koaClassicServer options1: ${JSON.stringify(options1)}`, () => {
 //STASRT option2
 const options2 = {
   method: ['GET'],
-  showDirContents: false,
-  index: 'index.html',
+  dirListing: { enabled: false },
+  index: ['index.html'],
 };
 
 describe(` koaClassicServer options2: ${JSON.stringify(options2)}`, () => {
@@ -141,7 +141,7 @@ describe(` koaClassicServer options2: ${JSON.stringify(options2)}`, () => {
 //STASRT option3
 const options3 = {
   method: ['GET'],
-  showDirContents: false,
+  dirListing: { enabled: false },
   urlsReserved : Array('/percorso_riservato', '/percorso riservato con spazi')
 };
 
@@ -188,7 +188,7 @@ describe(` koaClassicServer options2: ${JSON.stringify(options2)}`, () => {
   // I metodi HTTP ammessi (default 'GET')
   method: ['GET'],
   // Se mostrare il contenuto della directory in caso di richiesta ad una cartella
-  showDirContents: true,
+  dirListing: { enabled: true },
   // Nome del file index da cercare all'interno di una directory (se presente)
   //index: 'index.html',
 }; */
@@ -213,7 +213,7 @@ function getFilesRecursivelySync(dir) {
       results = results.concat(getFilesRecursivelySync(fullPath));
     } else if (entry.isFile()) {
       // Se l'entry è un file, lo aggiungiamo all'array dei risultati
-      const mimeType = mime.lookup(entry.name) || 'false';//false --> mimetype non riconosciuto , cosi lo trasmette il server , da approfondire
+      const mimeType = mime.lookup(entry.name) || 'application/octet-stream'; // fallback for unknown MIME types
       entry.type = 'file';
       entry.mimeType = mimeType;
       results.push(entry);
@@ -263,9 +263,12 @@ function testAllPathByFileList(filesAndDirArray, getServer, options) {
             expect(res.status).toBe(200);
             const content = fs.readFileSync(entry.fullPath, 'utf8');
             expect(res.type).toBe(entry.mimeType);
-            expect(res.text).toBe(content);
+            // For binary content-types (e.g. application/octet-stream), supertest populates
+            // res.body (Buffer) instead of res.text — normalise to string for comparison
+            const responseBody = res.text !== undefined ? res.text : res.body.toString('utf8');
+            expect(responseBody).toBe(content);
           } else {//è una directory
-            if( options.showDirContents === false ){
+            if( options.dirListing && options.dirListing.enabled === false ){
               // FIX: Quando directory listing è disabilitato, restituisce 404
               expect(res.status).toBe(404);
               expect(res.type).toBe('text/html');
@@ -328,7 +331,8 @@ function testAllPathByFileList(filesAndDirArray, getServer, options) {
           if (entry.type === 'file') {
             const content = fs.readFileSync(entry.fullPath, 'utf8');
             expect(res.type).toBe(entry.mimeType);
-            expect(res.text).toBe(content);
+            const responseBody = res.text !== undefined ? res.text : res.body.toString('utf8');
+            expect(responseBody).toBe(content);
           } else {
             expect(res.type).toBe('text/html');
             expect(res.text).toContain('<!DOCTYPE html>');