From 3cf58368abfabb5e82a17ed373fade0e6017c54d Mon Sep 17 00:00:00 2001
From: Manuel Trezza <5673677+mtrezza@users.noreply.github.com>
Date: Fri, 17 Jun 2022 20:33:22 +0200
Subject: [PATCH 1/2] fix
---
spec/ParseFile.spec.js | 29 +++++++++++++++++++++++++++++
src/Routers/FilesRouter.js | 12 +++++++++---
2 files changed, 38 insertions(+), 3 deletions(-)
diff --git a/spec/ParseFile.spec.js b/spec/ParseFile.spec.js
index af1de35ee7..a5963e1b2f 100644
--- a/spec/ParseFile.spec.js
+++ b/spec/ParseFile.spec.js
@@ -654,6 +654,35 @@ describe('Parse.File testing', () => {
});
});
+ describe('getting files', () => {
+ it('can get invalid file', async () => {
+ const getFile = async () => {
+ try {
+ await request({ url: 'http://localhost:8378/1/files/invalid-id/invalid-file.txt' });
+ } catch (e) {
+ throw new Parse.Error(e.data.code, e.data.error);
+ }
+ };
+ await expectAsync(getFile()).toBeRejectedWith(
+ new Parse.Error(Parse.Error.OPERATION_FORBIDDEN, 'Invalid appId.')
+ );
+ const { status, data } = await request({ url: 'http://localhost:8378/1/health' });
+ expect(status).toEqual(200);
+ expect(data).toEqual({ status: 'ok' });
+ });
+
+ it('can get invalid metadata', async () => {
+ const metadata = await request({
+ url: `http://localhost:8378/1/files/invalid-id/metadata/invalid-file.txt`,
+ });
+ expect(metadata.status).toBe(200);
+ expect(metadata.data).toEqual({});
+ const { status, data } = await request({ url: 'http://localhost:8378/1/health' });
+ expect(status).toEqual(200);
+ expect(data).toEqual({ status: 'ok' });
+ });
+ });
+
xdescribe('Gridstore Range tests', () => {
it('supports range requests', done => {
const headers = {
diff --git a/src/Routers/FilesRouter.js b/src/Routers/FilesRouter.js
index c0c7e00f13..bdd86ae59b 100644
--- a/src/Routers/FilesRouter.js
+++ b/src/Routers/FilesRouter.js
@@ -66,6 +66,12 @@ export class FilesRouter {
getHandler(req, res) {
const config = Config.get(req.params.appId);
+ if (!config) {
+ res.status(403);
+ const err = new Parse.Error(Parse.Error.OPERATION_FORBIDDEN, 'Invalid application ID.');
+ res.json({ code: err.code, error: err.message });
+ return;
+ }
const filesController = config.filesController;
const filename = req.params.filename;
const contentType = mime.getType(filename);
@@ -250,10 +256,10 @@ export class FilesRouter {
}
async metadataHandler(req, res) {
- const config = Config.get(req.params.appId);
- const { filesController } = config;
- const { filename } = req.params;
try {
+ const config = Config.get(req.params.appId);
+ const { filesController } = config;
+ const { filename } = req.params;
const data = await filesController.getMetadata(filename);
res.status(200);
res.json(data);
From 4af79a451f4305a3d2a0520373c2c1ff237206f1 Mon Sep 17 00:00:00 2001
From: Manuel Trezza <5673677+mtrezza@users.noreply.github.com>
Date: Sat, 18 Jun 2022 00:40:35 +0200
Subject: [PATCH 2/2] refactor fix
---
spec/ParseFile.spec.js | 51 +++++++++++++++++++++++++-----------------
1 file changed, 30 insertions(+), 21 deletions(-)
diff --git a/spec/ParseFile.spec.js b/spec/ParseFile.spec.js
index a5963e1b2f..281ce45cc2 100644
--- a/spec/ParseFile.spec.js
+++ b/spec/ParseFile.spec.js
@@ -655,31 +655,40 @@ describe('Parse.File testing', () => {
});
describe('getting files', () => {
- it('can get invalid file', async () => {
- const getFile = async () => {
- try {
- await request({ url: 'http://localhost:8378/1/files/invalid-id/invalid-file.txt' });
- } catch (e) {
- throw new Parse.Error(e.data.code, e.data.error);
- }
- };
- await expectAsync(getFile()).toBeRejectedWith(
- new Parse.Error(Parse.Error.OPERATION_FORBIDDEN, 'Invalid appId.')
- );
- const { status, data } = await request({ url: 'http://localhost:8378/1/health' });
- expect(status).toEqual(200);
- expect(data).toEqual({ status: 'ok' });
+ it('does not crash on file request with invalid app ID', async () => {
+ const res1 = await request({
+ url: 'http://localhost:8378/1/files/invalid-id/invalid-file.txt',
+ }).catch(e => e);
+ expect(res1.status).toBe(403);
+ expect(res1.data).toEqual({ code: 119, error: 'Invalid application ID.' });
+ // Ensure server did not crash
+ const res2 = await request({ url: 'http://localhost:8378/1/health' });
+ expect(res2.status).toEqual(200);
+ expect(res2.data).toEqual({ status: 'ok' });
+ });
+
+ it('does not crash on file request with invalid path', async () => {
+ const res1 = await request({
+ url: 'http://localhost:8378/1/files/invalid-id//invalid-path/%20/invalid-file.txt',
+ }).catch(e => e);
+ expect(res1.status).toBe(403);
+ expect(res1.data).toEqual({ error: 'unauthorized' });
+ // Ensure server did not crash
+ const res2 = await request({ url: 'http://localhost:8378/1/health' });
+ expect(res2.status).toEqual(200);
+ expect(res2.data).toEqual({ status: 'ok' });
});
- it('can get invalid metadata', async () => {
- const metadata = await request({
+ it('does not crash on file metadata request with invalid app ID', async () => {
+ const res1 = await request({
url: `http://localhost:8378/1/files/invalid-id/metadata/invalid-file.txt`,
});
- expect(metadata.status).toBe(200);
- expect(metadata.data).toEqual({});
- const { status, data } = await request({ url: 'http://localhost:8378/1/health' });
- expect(status).toEqual(200);
- expect(data).toEqual({ status: 'ok' });
+ expect(res1.status).toBe(200);
+ expect(res1.data).toEqual({});
+ // Ensure server did not crash
+ const res2 = await request({ url: 'http://localhost:8378/1/health' });
+ expect(res2.status).toEqual(200);
+ expect(res2.data).toEqual({ status: 'ok' });
});
});