library-mirrors/jquery
1
0
Fork 0
mirror of https://github.com/jquery/jquery.git synced 2024-11-23 02:54:22 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Tests: Strip untypical callback parameter characters from mock.php

Browse Source 
Only allow alphanumeric characters & underscores for callback parameters.
The change is done both for the PHP server as well as the Node.js-based version.
This is only test code so we're not fixing any security issue but it happens
often enough that the whole jQuery repository directory structure is deployed
onto the server with PHP enabled that it makes is easy to introduce security
issues if this cleanup is not done.

Ref gh-4764
Closes gh-4871
This commit is contained in:
Michał Gołębiowski-Owczarek 2021-04-13 22:13:48 +02:00 committed by GitHub
parent 50e8e84621
commit a70274632d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 24 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
test/data/mock.php
View File

@ -1,7 +1,12 @@
<?php <?php
/** /**
* Keep in sync with /test/middleware-mockserver.js * Keep in sync with /test/middleware-mockserver.js
*/ */
function cleanCallback( $callback ) {
return preg_replace( '/[^a-z0-9_]/i', '', $callback );
}
class MockServer { class MockServer {
protected function contentType( $req ) { protected function contentType( $req ) {
$type = $req->query['contentType']; $type = $req->query['contentType'];
@ -65,7 +70,8 @@ class MockServer {
array_values( $req->headers ) array_values( $req->headers )
); );
echo $req->query['callback'] . "(" . json_encode( [ 'headers' => $headers ] ) . ")"; echo cleanCallback( $req->query['callback'] ) .
"(" . json_encode( [ 'headers' => $headers ] ) . ")";
} else { } else {
echo 'QUnit.assert.ok( true, "mock executed" );'; echo 'QUnit.assert.ok( true, "mock executed" );';
} }
@ -105,17 +111,17 @@ QUnit.assert.ok( true, "mock executed");';
} else { } else {
$callback = $_POST['callback']; $callback = $_POST['callback'];
} }
if ( isset( $req->query['array'] ) ) { $json = isset( $req->query['array'] ) ?
echo $callback . '([ {"name": "John", "age": 21}, {"name": "Peter", "age": 25 } ])'; '[ { "name": "John", "age": 21 }, { "name": "Peter", "age": 25 } ]' :
} else { '{ "data": { "lang": "en", "length": 25 } }';
echo $callback . '({ "data": {"lang": "en", "length": 25} })'; echo cleanCallback( $callback ) . '(' . $json . ')';
}
} }
protected function xmlOverJsonp( $req ) { protected function xmlOverJsonp( $req ) {
$callback = $_REQUEST['callback']; $callback = $_REQUEST['callback'];
$cleanCallback = cleanCallback( $callback );
$text = json_encode( file_get_contents( __DIR__ . '/with_fries.xml' ) ); $text = json_encode( file_get_contents( __DIR__ . '/with_fries.xml' ) );
echo "$callback($text)\n"; echo "$cleanCallback($text)\n";
} }
protected function error( $req ) { protected function error( $req ) {
@ -243,7 +249,7 @@ QUnit.assert.ok( true, "mock executed");';
} }
if ( isset( $req->query['callback'] ) ) { if ( isset( $req->query['callback'] ) ) {
$callback = $req->query['callback']; $callback = $req->query['callback'];
echo $callback . '( {"status": 404, "msg": "Not Found"} )'; echo cleanCallback( $callback ) . '( {"status": 404, "msg": "Not Found"} )';
} else { } else {
echo 'QUnit.assert.ok( false, "Mock return erroneously executed" );'; echo 'QUnit.assert.ok( false, "Mock return erroneously executed" );';
} }

15
test/middleware-mockserver.js
View File

@ -7,6 +7,10 @@ var cspLog = "";
/** /**
* Keep in sync with /test/mock.php * Keep in sync with /test/mock.php
*/ */
function cleanCallback( callback ) {
return callback.replace( /[^a-z0-9_]/gi, "" );
}
var mocks = { var mocks = {
contentType: function( req, resp ) { contentType: function( req, resp ) {
resp.writeHead( 200, { resp.writeHead( 200, {
@ -73,7 +77,7 @@ var mocks = {
} }
if ( req.query.callback ) { if ( req.query.callback ) {
resp.end( req.query.callback + "(" + JSON.stringify( { resp.end( cleanCallback( req.query.callback ) + "(" + JSON.stringify( {
headers: req.headers headers: req.headers
} ) + ")" ); } ) + ")" );
} else { } else {
@ -126,14 +130,14 @@ var mocks = {
{ data: { lang: "en", length: 25 } } { data: { lang: "en", length: 25 } }
); );
callback.then( function( cb ) { callback.then( function( cb ) {
resp.end( cb + "(" + json + ")" ); resp.end( cleanCallback( cb ) + "(" + json + ")" );
}, next ); }, next );
}, },
xmlOverJsonp: function( req, resp ) { xmlOverJsonp: function( req, resp ) {
var callback = req.query.callback; var callback = req.query.callback;
var body = fs.readFileSync( __dirname + "/data/with_fries.xml" ).toString(); var body = fs.readFileSync( __dirname + "/data/with_fries.xml" ).toString();
resp.writeHead( 200 ); resp.writeHead( 200 );
resp.end( callback + "(" + JSON.stringify( body ) + ")\n" ); resp.end( cleanCallback( callback ) + "(" + JSON.stringify( body ) + ")\n" );
}, },
error: function( req, resp ) { error: function( req, resp ) {
if ( req.query.json ) { if ( req.query.json ) {
@ -256,10 +260,11 @@ var mocks = {
if ( req.query.withScriptContentType ) { if ( req.query.withScriptContentType ) {
resp.writeHead( 404, { "Content-Type": "application/javascript" } ); resp.writeHead( 404, { "Content-Type": "application/javascript" } );
} else { } else {
resp.writeHead( 404 ); resp.writeHead( 404, { "Content-Type": "text/html; charset=UTF-8" } );
} }
if ( req.query.callback ) { if ( req.query.callback ) {
resp.end( req.query.callback + "( {\"status\": 404, \"msg\": \"Not Found\"} )" ); resp.end( cleanCallback( req.query.callback ) +
"( {\"status\": 404, \"msg\": \"Not Found\"} )" );
} else { } else {
resp.end( "QUnit.assert.ok( false, \"Mock return erroneously executed\" );" ); resp.end( "QUnit.assert.ok( false, \"Mock return erroneously executed\" );" );
} }