jquery-ui/tests/runner/createTestServer.js
Michał Gołębiowski-Owczarek 85bed8ddd8
Build: Fix an XSS in the test server HTML serving logic
The test server has a rule for `/tests/unit/*/*.html` paths that serves
a proper local file. However, the parameters after `/unit/` so far accepted
many characters that have special meaning, leading to possibly reading a file
from outside of the Git repository. Fix that by only accepting alphanumeric
characters, `-` or `_`.

This should resolve one CodeQL alert.

Closes gh-2309
2024-10-28 16:47:29 +01:00

67 lines
1.6 KiB
JavaScript

import { readFile } from "node:fs/promises";
import bodyParser from "body-parser";
import express from "express";
import bodyParserErrorHandler from "express-body-parser-error-handler";
export async function createTestServer( report ) {
const app = express();
// Redirect home to test page
app.get( "/", ( _req, res ) => {
res.redirect( "/tests/" );
} );
// Redirect to trailing slash
app.use( ( req, res, next ) => {
if ( req.path === "/tests" ) {
const query = req.url.slice( req.path.length );
res.redirect( 301, `${ req.path }/${ query }` );
} else {
next();
}
} );
// Add a script tag to HTML pages to load the QUnit listeners
app.use( /\/tests\/unit\/([a-zA-Z0-9_-]+)\/\1\.html$/, async( req, res ) => {
const html = await readFile(
`tests/unit/${ req.params[ 0 ] }/${ req.params[ 0 ] }.html`,
"utf8"
);
res.send(
html.replace(
"</head>",
"<script src=\"/tests/runner/listeners.js\"></script></head>"
)
);
} );
// Bind the reporter
app.post(
"/api/report",
bodyParser.json( { limit: "50mb" } ),
async( req, res ) => {
if ( report ) {
const response = await report( req.body );
if ( response ) {
res.json( response );
return;
}
}
res.sendStatus( 204 );
}
);
// Handle errors from the body parser
app.use( bodyParserErrorHandler() );
// Serve static files
app.use( "/dist", express.static( "dist" ) );
app.use( "/src", express.static( "src" ) );
app.use( "/tests", express.static( "tests" ) );
app.use( "/ui", express.static( "ui" ) );
app.use( "/themes", express.static( "themes" ) );
app.use( "/external", express.static( "external" ) );
return app;
}