From d5ebb464debab6ac39fe065e93c8a7ae1de8547e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20Go=C5=82=C4=99biowski-Owczarek?= Date: Tue, 5 Nov 2024 22:54:34 +0100 Subject: [PATCH] Build: Make middleware-mockserver not crash on reading nonexistent files `fs.readFileSync` crashes when a non-existing file is passed to it. Some APIs of `middleware-mockserver` read a file the path of which depends on query parameters, making it possible to crash it by providing such a parameter. The old PHP server doesn't have these issues. To fix this, wrap all `fs.readFileSync` occurrences with a function that falls back to the string `"ERROR"`. Closes gh-5579 --- test/middleware-mockserver.cjs | 34 +++++++++++++++++++++++++--------- 1 file changed, 25 insertions(+), 9 deletions(-) diff --git a/test/middleware-mockserver.cjs b/test/middleware-mockserver.cjs index 73aaa5656..a07cb4798 100644 --- a/test/middleware-mockserver.cjs +++ b/test/middleware-mockserver.cjs @@ -7,6 +7,19 @@ const multiparty = require( "multiparty" ); let cspLog = ""; +/** + * Like `readFileSync`, but on error returns "ERROR" + * without crashing. + * @param path + */ +function readFileSync( path ) { + try { + return fs.readFileSync( path ); + } catch ( e ) { + return "ERROR"; + } +} + /** * Keep in sync with /test/mock.php */ @@ -143,7 +156,7 @@ const mocks = { }, xmlOverJsonp: function( req, resp ) { const callback = req.query.callback; - const body = fs.readFileSync( `${ __dirname }/data/with_fries.xml` ).toString(); + const body = readFileSync( `${ __dirname }/data/with_fries.xml` ).toString(); resp.writeHead( 200 ); resp.end( `${ cleanCallback( callback ) }(${ JSON.stringify( body ) })\n` ); }, @@ -238,8 +251,9 @@ const mocks = { }, testHTML: function( req, resp ) { resp.writeHead( 200, { "Content-Type": "text/html" } ); - const body = fs - .readFileSync( `${ __dirname }/data/test.include.html` ) + const body = readFileSync( + `${ __dirname }/data/test.include.html` + ) .toString() .replace( /{{baseURL}}/g, req.query.baseURL ); resp.end( body ); @@ -250,17 +264,19 @@ const mocks = { "Content-Security-Policy": "default-src 'self'; require-trusted-types-for 'script'; " + "report-uri /test/data/mock.php?action=cspLog" } ); - const body = fs.readFileSync( `${ __dirname }/data/csp.include.html` ).toString(); + const body = readFileSync( `${ __dirname }/data/csp.include.html` ).toString(); resp.end( body ); }, cspNonce: function( req, resp ) { - const testParam = req.query.test ? `-${ req.query.test }` : ""; + const testParam = req.query.test ? + `-${ req.query.test.replace( /[^a-z0-9]/gi, "" ) }` : + ""; resp.writeHead( 200, { "Content-Type": "text/html", "Content-Security-Policy": "script-src 'nonce-jquery+hardcoded+nonce'; " + "report-uri /test/data/mock.php?action=cspLog" } ); - const body = fs.readFileSync( + const body = readFileSync( `${ __dirname }/data/csp-nonce${ testParam }.html` ).toString(); resp.end( body ); }, @@ -270,7 +286,7 @@ const mocks = { "Content-Security-Policy": "script-src 'self'; " + "report-uri /test/data/mock.php?action=cspLog" } ); - const body = fs.readFileSync( + const body = readFileSync( `${ __dirname }/data/csp-ajax-script.html` ).toString(); resp.end( body ); }, @@ -290,7 +306,7 @@ const mocks = { "Content-Security-Policy": "require-trusted-types-for 'script'; " + "report-uri /test/data/mock.php?action=cspLog" } ); - const body = fs.readFileSync( `${ __dirname }/data/trusted-html.html` ).toString(); + const body = readFileSync( `${ __dirname }/data/trusted-html.html` ).toString(); resp.end( body ); }, trustedTypesAttributes: function( _req, resp ) { @@ -299,7 +315,7 @@ const mocks = { "Content-Security-Policy": "require-trusted-types-for 'script'; " + "report-uri /test/data/mock.php?action=cspLog" } ); - const body = fs.readFileSync( + const body = readFileSync( `${ __dirname }/data/trusted-types-attributes.html` ).toString(); resp.end( body ); },