
enhanced test cases
adon committed Nov 9, 2015
1 parent 10059f1 commit fe7ad57
Showing 2 changed files with 86 additions and 21 deletions.
2 changes: 1 addition & 1 deletion src/lib/urlResolver.js
Expand Up @@ -50,7 +50,7 @@ var _resolvePathDoubleDots = /^(?:\.|%2[eE]){2}$/, _resolvePathSingleDot = /^(?:
// Ref: https://url.spec.whatwg.org/#path-state
function _resolvePath(path, scheme) {
var i = 1, j = 1, len = path.length, arrPathLen = 0, symbol,
arrPath = [], buffer, slash = scheme === 'file:' ? '\\' : '/';
arrPath = [], buffer, slash = /*scheme === 'file:' ? '\\' :*/ '/';
while (j <= len) {
if (j === len /* EOF */ || (symbol = _resolvePathSymbol(path, j))) {
buffer = path.slice(i, j);
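Review bot: The changed initializer line keeps the old `scheme === 'file:' ? '\\' :` expression inside a block comment instead of deleting it, so `_resolvePath` now carries dead code and the reason for always emitting `'/'` is not recorded anywhere. Replace it with `slash = '/'; // path segments are always serialized with '/', including for file: URLs` — presumably the intent, since the WHATWG path state referenced above the function serializes every scheme's path with `'/'`, but confirm that is the rationale before writing it down. If nothing further down the body reads `scheme`, that parameter has become unused by this change and should either be dropped from the signature or its retention noted. `_resolvePath`'s body continues beyond the end of this hunk.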
105 changes: 85 additions & 20 deletions tests/unit/url-filters-yUrlResolver.js
Expand Up @@ -36,7 +36,6 @@ Authors: Nera Liu <[email protected]>
urls.forEach(function(url){
expect(yUrlResolver(url, baseURL)).to.eql('unsafe:' + url);
});

});
it('relative baseURL samples', function() {
var baseURL = '/xyz';
Expand Down Expand Up @@ -99,6 +98,15 @@ Authors: Nera Liu <[email protected]>
expect(yUrlResolver(url, baseURL)).to.eql(absUrlsAnswers[i]);
});

baseURL = 'http://@yahoo.com:81';
expect(yUrlResolver('asdf', baseURL)).to.eql('http://yahoo.com:81/asdf');
expect(yUrlResolver('/asdf', baseURL)).to.eql('http://yahoo.com:81/asdf');
expect(yUrlResolver('?asdf', baseURL)).to.eql('http://yahoo.com:81/?asdf');
expect(yUrlResolver('#asdf', baseURL)).to.eql('http://yahoo.com:81/#asdf');
absUrls.forEach(function(url, i){
expect(yUrlResolver(url, baseURL)).to.eql(absUrlsAnswers[i]);
});

baseURL = 'http://yahoo.com:';
expect(yUrlResolver('asdf', baseURL)).to.eql('http://yahoo.com/asdf');
expect(yUrlResolver('/asdf', baseURL)).to.eql('http://yahoo.com/asdf');
Expand Down Expand Up @@ -179,7 +187,7 @@ Authors: Nera Liu <[email protected]>
});
});

it('use baseURL given no url', function() {
it('supply baseURL but no url', function() {
var baseURL = 'http://www.yahoo.com/';

expect(yUrlResolver('', baseURL)).to.eql(baseURL);
Expand All @@ -190,6 +198,11 @@ Authors: Nera Liu <[email protected]>
expect(yUrlResolver()).to.eql(baseURL);
});

it('supply invalid url and no baseURL', function() {
var yUrlResolver = xssFilters.urlFilters.yUrlResolver();
expect(yUrlResolver('javascript:alert(1)')).to.eql('unsafe:javascript:alert(1)');
});

it('inherit scheme', function() {
expect(yUrlResolver('//hk.yahoo.com?xyz', 'https://yahoo.com?asdf')).to.eql('https://hk.yahoo.com/?xyz');
expect(yUrlResolver('//hk.yahoo.com?xyz', 'http://yahoo.com?asdf')).to.eql('http://hk.yahoo.com/?xyz');
Expand All @@ -208,28 +221,80 @@ Authors: Nera Liu <[email protected]>
expect(yUrlResolver('#abc', baseURL)).to.eql('#abc');
expect(yUrlResolver('hello/world.html', baseURL)).to.eql('http://yahoo.com/hello/world.html');
expect(yUrlResolver('/hello/world.html', baseURL)).to.eql('http://yahoo.com/hello/world.html');
});

// path resolution
expect(yUrlResolver('../../hello/world.html', baseURL)).to.eql('http://yahoo.com/hello/world.html');
expect(yUrlResolver('/hello/hello2/../', baseURL)).to.eql('http://yahoo.com/hello/');
expect(yUrlResolver('/hello/hello2/..', baseURL)).to.eql('http://yahoo.com/hello/');
it('relative path resolution', function() {
var yUrlResolver = xssFilters.urlFilters.yUrlResolver();
yUrlResolver('', 'http:yahoo.com'); // set baseURL

expect(yUrlResolver('../../hello/world.html')).to.eql('http://yahoo.com/hello/world.html');

expect(yUrlResolver('/hello3/hello2/../../..')).to.eql('http://yahoo.com/');
expect(yUrlResolver('/hello3/hello2/../../.%2e')).to.eql('http://yahoo.com/');
expect(yUrlResolver('/hello3/hello2/../../%2e.')).to.eql('http://yahoo.com/');
expect(yUrlResolver('/hello3/hello2/../../%2e%2e')).to.eql('http://yahoo.com/');

expect(yUrlResolver('/hello3/hello2/../../../')).to.eql('http://yahoo.com/');
expect(yUrlResolver('/hello3/hello2/../../.%2E/')).to.eql('http://yahoo.com/');
expect(yUrlResolver('/hello3/hello2/../../%2E./')).to.eql('http://yahoo.com/');
expect(yUrlResolver('/hello3/hello2/../../%2E%2e/')).to.eql('http://yahoo.com/');

expect(yUrlResolver('/hello3/hello2/../../../hello')).to.eql('http://yahoo.com/hello');
expect(yUrlResolver('/hello3/hello2/../../..?hello')).to.eql('http://yahoo.com/?hello');
expect(yUrlResolver('/hello3/hello2/../../..#hello')).to.eql('http://yahoo.com/#hello');

expect(yUrlResolver('/hello3/hello2/../../.')).to.eql('http://yahoo.com/');
expect(yUrlResolver('/hello3/hello2/../../%2e')).to.eql('http://yahoo.com/');
expect(yUrlResolver('/hello3/hello2/../../%2E')).to.eql('http://yahoo.com/');

expect(yUrlResolver('/hello3/hello2/../.././')).to.eql('http://yahoo.com/');
expect(yUrlResolver('/hello3/hello2/../../%2e/')).to.eql('http://yahoo.com/');
expect(yUrlResolver('/hello3/hello2/../../%2E/')).to.eql('http://yahoo.com/');

expect(yUrlResolver('/hello3/hello2/../../..', baseURL)).to.eql('http://yahoo.com/');
expect(yUrlResolver('/hello3/hello2/../../../', baseURL)).to.eql('http://yahoo.com/');
expect(yUrlResolver('/hello3/hello2/../../../hello', baseURL)).to.eql('http://yahoo.com/hello');
expect(yUrlResolver('/hello3/hello2/../../..?hello', baseURL)).to.eql('http://yahoo.com/?hello');
expect(yUrlResolver('/hello3/hello2/../../..#hello', baseURL)).to.eql('http://yahoo.com/#hello');

expect(yUrlResolver('/hello3/hello2/../../.', baseURL)).to.eql('http://yahoo.com/');
expect(yUrlResolver('/hello3/hello2/../.././', baseURL)).to.eql('http://yahoo.com/');
expect(yUrlResolver('/hello3/hello2/../.././hello', baseURL)).to.eql('http://yahoo.com/hello');
expect(yUrlResolver('/hello3/hello2/../../.?hello', baseURL)).to.eql('http://yahoo.com/?hello');
expect(yUrlResolver('/hello3/hello2/../../.#hello', baseURL)).to.eql('http://yahoo.com/#hello');

expect(yUrlResolver('/hello2/../hello/world.html', baseURL)).to.eql('http://yahoo.com/hello/world.html');
expect(yUrlResolver('/hello2/../hello/./world.html', baseURL)).to.eql('http://yahoo.com/hello/world.html');
expect(yUrlResolver('/hello3/hello2/../.././hello')).to.eql('http://yahoo.com/hello');
expect(yUrlResolver('/hello3/hello2/../../.?hello')).to.eql('http://yahoo.com/?hello');
expect(yUrlResolver('/hello3/hello2/../../.#hello')).to.eql('http://yahoo.com/#hello');

expect(yUrlResolver('/hello2/../hello/world.html')).to.eql('http://yahoo.com/hello/world.html');
expect(yUrlResolver('/hello2/../hello/./world.html')).to.eql('http://yahoo.com/hello/world.html');

expect(yUrlResolver('/hello/#/hello2/world.html')).to.eql('http://yahoo.com/hello/#/hello2/world.html');
expect(yUrlResolver('/hello/?hello2/world.html')).to.eql('http://yahoo.com/hello/?hello2/world.html');
expect(yUrlResolver('/hello/#/hello2?world.html')).to.eql('http://yahoo.com/hello/#/hello2?world.html');


yUrlResolver('', 'http:yahoo.com/hello9'); // set baseURL
expect(yUrlResolver('../../hello/world.html')).to.eql('http://yahoo.com/hello/world.html');
expect(yUrlResolver('hello3/hello2/../..')).to.eql('http://yahoo.com/');
expect(yUrlResolver('hello3/hello2/../../')).to.eql('http://yahoo.com/');

yUrlResolver('', 'http:yahoo.com/hello9/'); // set baseURL
expect(yUrlResolver('../../hello/world.html')).to.eql('http://yahoo.com/hello/world.html');
expect(yUrlResolver('hello3/hello2/../..')).to.eql('http://yahoo.com/hello9/');
expect(yUrlResolver('hello3/hello2/../../')).to.eql('http://yahoo.com/hello9/');
expect(yUrlResolver('hello3/hello2/../hello')).to.eql('http://yahoo.com/hello9/hello3/hello');
expect(yUrlResolver('hello3/hello2/../..?hello')).to.eql('http://yahoo.com/hello9/?hello');
expect(yUrlResolver('hello3/hello2/../..#hello')).to.eql('http://yahoo.com/hello9/#hello');

expect(yUrlResolver('/hello3/hello2/../..')).to.eql('http://yahoo.com/');
expect(yUrlResolver('/hello3/hello2/../../')).to.eql('http://yahoo.com/');
expect(yUrlResolver('/hello3/hello2/../hello')).to.eql('http://yahoo.com/hello3/hello');
expect(yUrlResolver('/hello3/hello2/../..?hello')).to.eql('http://yahoo.com/?hello');
expect(yUrlResolver('/hello3/hello2/../..#hello')).to.eql('http://yahoo.com/#hello');

yUrlResolver('', 'http:yahoo.com/#hello?world/'); // set baseURL
expect(yUrlResolver('?hello')).to.eql('http://yahoo.com/?hello');
expect(yUrlResolver('#hello')).to.eql('#hello');
});


it('relative path resolution (turned off)', function() {
var yUrlResolver = xssFilters.urlFilters.yUrlResolver({resolvePath: false});
expect(yUrlResolver('hello/../world.html', 'http:yahoo.com')).to.eql('http://yahoo.com/hello/../world.html');
expect(yUrlResolver('../world.html', 'http://yahoo.com/hello1/hello2/')).to.eql('http://yahoo.com/hello1/hello2/../world.html');
});


it('mailto: scheme URLs and any relative paths', function() {
function absBypass(url, origin, scheme, path) { return origin + path; }
function relBypass(path) { return path; }
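Review bot: The new `relative path resolution` case primes its resolver with `yUrlResolver('', 'http:yahoo.com'); // set baseURL` and then depends on that hidden retained state for every following expectation, as do the later `// set baseURL` calls in the same case; a regression in baseURL retention would surface as dozens of failing path assertions instead of in the one test that owns that behaviour. Make the dependency explicit by asserting the priming call, e.g. `expect(yUrlResolver('', 'http:yahoo.com')).to.eql('http://yahoo.com/');`, or pass the base as the second argument as the earlier cases in this file do. The `%2e`/`%2E` dot-segment variants are exercised only where `..` or `.` ends the path; a mid-path variant such as `expect(yUrlResolver('/hello3/%2e%2e/hello')).to.eql('http://yahoo.com/hello');` would confirm the same normalisation applies before a following segment (expected value inferred from the neighbouring `../../../hello` case — verify against the resolver). The `resolvePath: false` case documents that dot segments are then passed through verbatim, which is worth a one-line comment above it so a reader does not mistake `'http://yahoo.com/hello/../world.html'` for a wrong expectation.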
