
Commit 82ea0a5

authored
Defend against code injection (#30)
1 parent cc3afb7 commit 82ea0a5


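--- a/app/app.js
+++ b/app/app.js
@@ -39,11 +39,19 @@ const getPactVersion = (json) => {
 }
 }
 
+function isValidVersion(version) {
+return /^\d+\.\d+\.\d+$/.test(version);
+}
+
 const getParser = (version) => {
-try {
-return require(`./parsers/${version}/pact-parser`);
-} catch(err) {
-throw new Error(`Could not find a parser for the pact specification version: ${version}`);
+if(isValidVersion(version)){
+try {
+return require(`./parsers/${version}/pact-parser`);
+} catch(err) {
+throw new Error(`Could not find a parser for the pact specification version: ${version}`);
+}
+} else {
+throw new Error(`Invalid pact-parser version supplied: ${version}`);
 }
 }
 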
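Review bot: The catch on new line 50 still turns every load failure into "Could not find a parser", so a syntax error or a throw inside a genuine parser module is reported as a missing parser and the real cause is lost; now that the version is guaranteed to be an `x.y.z` literal, the catch should keep the underlying error, e.g. `throw new Error(\`Could not find a parser for the pact specification version: ${version}\`, { cause: err });` (if the supported Node version has `cause`), or rethrow when `err.code !== 'MODULE_NOT_FOUND'`. The allowlist in isValidVersion is the right shape for this, since it rejects path separators and `..` outright rather than trying to strip them, and `\d` in JavaScript only matches ASCII digits. A one-line comment above isValidVersion stating why it exists would help the next reader, e.g. `// Only a bare x.y.z is accepted so the value can never change which module require() resolves.`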
Lines changed: 38 additions & 0 deletions
@@ -0,0 +1,38 @@
1+
{
2+
"consumer": {
3+
"name": "consumerName"
4+
},
5+
"provider": {
6+
"name": "providerName"
7+
},
8+
"interactions": [
9+
{
10+
"description": "Interaction description",
11+
"providerState": "provider state",
12+
"request": {
13+
"method": "GET",
14+
"path": "/path1/path2",
15+
"query": "p1=p1&p2=p2",
16+
"headers": {
17+
"Accept": "application/json"
18+
}
19+
},
20+
"response": {
21+
"status": 200,
22+
"headers": {
23+
"Access-Control-Allow-Methods": "*",
24+
"Access-Control-Allow-Origin": "*",
25+
"Content-Type": "application/json; charset=UTF-8"
26+
},
27+
"body": {
28+
"data": 1
29+
}
30+
}
31+
}
32+
],
33+
"metadata": {
34+
"pactSpecification": {
35+
"version": "not-a-valid-version-pattern"
36+
}
37+
}
38+
}

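--- a/tests/unit/app/app.js
+++ b/tests/unit/app/app.js
@@ -118,4 +118,12 @@ describe('pmpact > app', () => {
 }
 });
 
+it('should throw an error when pact version is of incorrect format', async () => {
+try {
+await app.parse('./tests/fixtures/invalid-version-pact.json');
+assert.ok(0, 'Should not resolve');
+} catch(err) {
+assert.ok(err.message.indexOf('Invalid pact-parser version supplied') !== -1);
+}
+});
 });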
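Review bot: The `assert.ok(0, 'Should not resolve')` on new line 124 is itself caught by the catch on line 125, so when parse() unexpectedly resolves the test still fails, but with a misleading "expected 'Invalid pact-parser version supplied'" style message instead of "Should not resolve". If `assert` here is Node's module, the whole try/catch collapses to `await assert.rejects(app.parse('./tests/fixtures/invalid-version-pact.json'), /Invalid pact-parser version supplied/);`, which checks both the rejection and the message in one place. Failing that, `err.message.includes('Invalid pact-parser version supplied')` reads more clearly than the `indexOf(...) !== -1` form. The enclosing describe block starts outside the hunk.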
