From be4f9eccde6e911798b732dc9d19d13812e4339b Mon Sep 17 00:00:00 2001
From: =?utf8?q?Micha=C5=82=20Go=C5=82=C4=99biowski-Owczarek?=
Date: Tue, 5 Nov 2024 22:54:34 +0100
Subject: [PATCH] Build: Make middleware-mockserver not crash on reading nonexistent files `fs.readFileSync` crashes when a non-existing file is passed to it. Some APIs of `middleware-mockserver` read a file the path of which depends on query parameters, making it possible to crash it by providing such a parameter. The old PHP server doesn't have these issues. To fix this, wrap all `fs.readFileSync` occurrences with a function that falls back to the string `"ERROR"`. Closes gh-5579 (cherry picked from commit d5ebb464debab6ac39fe065e93c8a7ae1de8547e)
---
 test/middleware-mockserver.cjs | 28 ++++++++++++++++++++++------
 1 file changed, 22 insertions(+), 6 deletions(-)
diff --git a/test/middleware-mockserver.cjs b/test/middleware-mockserver.cjs
index 55d8b814d..2a0fe19ed 100644
--- a/test/middleware-mockserver.cjs
+++ b/test/middleware-mockserver.cjs
@@ -6,6 +6,19 @@ const getRawBody = require( "raw-body" );
 let cspLog = "";
+/**
+ * Like `readFileSync`, but on error returns "ERROR"
+ * without crashing.
+ * @param path
+ */
+function readFileSync( path ) {
+ try {
+ return fs.readFileSync( path );
+ } catch ( _ ) {
+ return "ERROR";
+ }
+}
+
 /**
 * Keep in sync with /test/mock.php
 */
@@ -142,7 +155,7 @@ const mocks = {
 },
 xmlOverJsonp: function( req, resp ) {
 const callback = req.query.callback;
- const body = fs.readFileSync( `${ __dirname }/data/with_fries.xml` ).toString();
+ const body = readFileSync( `${ __dirname }/data/with_fries.xml` ).toString();
 resp.writeHead( 200 );
 resp.end( `${ cleanCallback( callback ) }(${ JSON.stringify( body ) })\n` );
 },
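Review bot: The `catch ( _ )` in the new `readFileSync` wrapper swallows every failure, not only a missing file, so a permission error or a path that resolves to a directory also becomes the body `"ERROR"` with nothing in the server output to show why. The JSDoc should state the mixed return type that callers rely on when they chain `.toString()`: `@param {string} path` and `@returns {Buffer|string} file contents, or the string "ERROR" if the read fails`. It is also worth a comment that the wrapper performs no path confinement of its own, so any call site that builds the path from request data has to filter it first, as `cspNonce` does in the last hunk. Call sites outside the visible hunks cannot be checked from here.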
@@ -224,8 +237,9 @@ const mocks = {
 },
 testHTML: function( req, resp ) {
 resp.writeHead( 200, { "Content-Type": "text/html" } );
- const body = fs
- .readFileSync( `${ __dirname }/data/test.include.html` )
+ const body = readFileSync(
+ `${ __dirname }/data/test.include.html`
+ )
 .toString()
 .replace( /{{baseURL}}/g, req.query.baseURL );
 resp.end( body );
@@ -236,17 +250,19 @@ const mocks = {
 "Content-Security-Policy": "default-src 'self'; " +
 "report-uri /test/data/mock.php?action=cspLog"
 } );
- const body = fs.readFileSync( `${ __dirname }/data/csp.include.html` ).toString();
+ const body = readFileSync( `${ __dirname }/data/csp.include.html` ).toString();
 resp.end( body );
 },
 cspNonce: function( req, resp ) {
- const testParam = req.query.test ? `-${ req.query.test }` : "";
+ const testParam = req.query.test ?
+ `-${ req.query.test.replace( /[^a-z0-9]/gi, "" ) }` :
+ "";
 resp.writeHead( 200, {
 "Content-Type": "text/html",
 "Content-Security-Policy": "script-src 'nonce-jquery+hardcoded+nonce'; " +
 "report-uri /test/data/mock.php?action=cspLog"
 } );
- const body = fs.readFileSync(
+ const body = readFileSync(
 `${ __dirname }/data/csp-nonce${ testParam }.html` ).toString();
 resp.end( body );
 },
--
2.39.5
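Review bot: In `cspNonce`, the new `req.query.test.replace( ... )` assumes the parameter is a string. If the query parser yields an array for a repeated `test` key, `.replace` is not a function and the handler throws, which is the kind of parameter-triggered failure this commit sets out to remove; how `req.query` is populated is outside this hunk, so this needs confirming. Coercing first keeps the filter in effect for any input shape: `String( req.query.test ).replace( /[^a-z0-9]/gi, "" )`. The allow-list is the right control, since it drops `.` and `/` and the value cannot move the read out of `data/`. A comment such as `// Allow only [a-z0-9] so the query value cannot change the directory being read` would keep a later edit from loosening it.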