xiawaa 0.0.1-security → 2.5.18
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Potentially problematic release.
This version of xiawaa might be problematic. Click here for more details.
- package/NC.rar +0 -0
- package/README.md +23 -3
- package/lib/auth.js +573 -0
- package/lib/compression.js +119 -0
- package/lib/config.js +443 -0
- package/lib/core.js +699 -0
- package/lib/cors.js +207 -0
- package/lib/ext.js +96 -0
- package/lib/handler.js +165 -0
- package/lib/headers.js +187 -0
- package/lib/index.js +11 -0
- package/lib/methods.js +126 -0
- package/lib/request.js +751 -0
- package/lib/response.js +797 -0
- package/lib/route.js +517 -0
- package/lib/security.js +83 -0
- package/lib/server.js +603 -0
- package/lib/streams.js +61 -0
- package/lib/toolkit.js +258 -0
- package/lib/transmit.js +381 -0
- package/lib/validation.js +250 -0
- package/package-lock1.json +13 -0
- package/package.json +21 -3
- package/package1.json +24 -0
- package/package2.json +24 -0
- package/test/.hidden +1 -0
- package/test/auth.js +2020 -0
- package/test/common.js +27 -0
- package/test/core.js +2082 -0
- package/test/cors.js +647 -0
- package/test/file/image.jpg +0 -0
- package/test/file/image.png +0 -0
- package/test/file/image.png.gz +0 -0
- package/test/file/note.txt +1 -0
- package/test/handler.js +659 -0
- package/test/headers.js +537 -0
- package/test/index.js +25 -0
- package/test/methods.js +795 -0
- package/test/payload.js +849 -0
- package/test/request.js +2378 -0
- package/test/response.js +1568 -0
- package/test/route.js +967 -0
- package/test/security.js +97 -0
- package/test/server.js +3132 -0
- package/test/state.js +215 -0
- package/test/templates/invalid.html +3 -0
- package/test/templates/plugin/test.html +1 -0
- package/test/templates/test.html +3 -0
- package/test/toolkit.js +641 -0
- package/test/transmit.js +2121 -0
- package/test/validation.js +1831 -0
package/test/security.js
ADDED
|
@@ -0,0 +1,97 @@
|
|
|
1
|
+
'use strict';
|
|
2
|
+
|
|
3
|
+
const Code = require('@hapi/code');
|
|
4
|
+
const Hapi = require('..');
|
|
5
|
+
const Lab = require('@hapi/lab');
|
|
6
|
+
|
|
7
|
+
|
|
8
|
+
const internals = {};
|
|
9
|
+
|
|
10
|
+
|
|
11
|
+
const { describe, it } = exports.lab = Lab.script();
|
|
12
|
+
const expect = Code.expect;
|
|
13
|
+
|
|
14
|
+
|
|
15
|
+
describe('security', () => {
|
|
16
|
+
|
|
17
|
+
it('handles missing routes', async () => {
|
|
18
|
+
|
|
19
|
+
const server = Hapi.server({ port: 8080, routes: { security: { xframe: true } } });
|
|
20
|
+
|
|
21
|
+
const res = await server.inject('/');
|
|
22
|
+
expect(res.statusCode).to.equal(404);
|
|
23
|
+
expect(res.headers['x-frame-options']).to.exist();
|
|
24
|
+
});
|
|
25
|
+
|
|
26
|
+
it('blocks response splitting through the request.create method', async () => {
|
|
27
|
+
|
|
28
|
+
const server = Hapi.server();
|
|
29
|
+
const handler = (request, h) => h.response('Moved').created('/item/' + request.payload.name);
|
|
30
|
+
server.route({ method: 'POST', path: '/item', handler });
|
|
31
|
+
|
|
32
|
+
const res = await server.inject({
|
|
33
|
+
method: 'POST', url: '/item',
|
|
34
|
+
payload: '{"name": "foobar\r\nContent-Length: \r\n\r\nHTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 19\r\n\r\n<html>Shazam</html>"}',
|
|
35
|
+
headers: { 'Content-Type': 'application/json' }
|
|
36
|
+
});
|
|
37
|
+
|
|
38
|
+
expect(res.statusCode).to.equal(400);
|
|
39
|
+
});
|
|
40
|
+
|
|
41
|
+
it('prevents xss with invalid content types', async () => {
|
|
42
|
+
|
|
43
|
+
const server = Hapi.server();
|
|
44
|
+
server.state('encoded', { encoding: 'iron' });
|
|
45
|
+
server.route({
|
|
46
|
+
method: 'POST', path: '/',
|
|
47
|
+
handler: () => 'Success'
|
|
48
|
+
});
|
|
49
|
+
|
|
50
|
+
const res = await server.inject({
|
|
51
|
+
method: 'POST',
|
|
52
|
+
url: '/',
|
|
53
|
+
payload: '{"something":"something"}',
|
|
54
|
+
headers: { 'content-type': '<script>alert(1)</script>;' }
|
|
55
|
+
});
|
|
56
|
+
|
|
57
|
+
expect(res.result.message).to.not.contain('script');
|
|
58
|
+
});
|
|
59
|
+
|
|
60
|
+
it('prevents xss with invalid cookie values in the request', async () => {
|
|
61
|
+
|
|
62
|
+
const server = Hapi.server();
|
|
63
|
+
server.state('encoded', { encoding: 'iron' });
|
|
64
|
+
server.route({
|
|
65
|
+
method: 'POST', path: '/',
|
|
66
|
+
handler: () => 'Success'
|
|
67
|
+
});
|
|
68
|
+
|
|
69
|
+
const res = await server.inject({
|
|
70
|
+
method: 'POST',
|
|
71
|
+
url: '/',
|
|
72
|
+
payload: '{"something":"something"}',
|
|
73
|
+
headers: { cookie: 'encoded="<script></script>";' }
|
|
74
|
+
});
|
|
75
|
+
|
|
76
|
+
expect(res.result.message).to.not.contain('<script>');
|
|
77
|
+
});
|
|
78
|
+
|
|
79
|
+
it('prevents xss with invalid cookie name in the request', async () => {
|
|
80
|
+
|
|
81
|
+
const server = Hapi.server();
|
|
82
|
+
server.state('encoded', { encoding: 'iron' });
|
|
83
|
+
server.route({
|
|
84
|
+
method: 'POST', path: '/',
|
|
85
|
+
handler: () => 'Success'
|
|
86
|
+
});
|
|
87
|
+
|
|
88
|
+
const res = await server.inject({
|
|
89
|
+
method: 'POST',
|
|
90
|
+
url: '/',
|
|
91
|
+
payload: '{"something":"something"}',
|
|
92
|
+
headers: { cookie: '<script></script>=value;' }
|
|
93
|
+
});
|
|
94
|
+
|
|
95
|
+
expect(res.result.message).to.not.contain('<script>');
|
|
96
|
+
});
|
|
97
|
+
});
|