File: fix-test-for-superagent-10.patch

node-send 1.2.0%2B~cs2.4.1-1
Description: Fix tests for superagent 10.x: superagent now normalizes URLs client-side,
 so tests that check path traversal protection must use raw http.request
 instead of supertest to properly test server behavior
Author: Yadd <yadd@debian.org>
Bug-Debian: https://bugs.debian.org/1120182
Forwarded: no
Last-Update: 2025-11-06

--- a/test/send.js
+++ b/test/send.js
@@ -1250,9 +1250,7 @@
       })
 
       it('should restrict paths to within root', function (done) {
-        request(createServer({ root: fixtures }))
-          .get('/pets/../../send.js')
-          .expect(403, done)
+        rawRequest(createServer({ root: fixtures }), '/pets/../../send.js', 403, done)
       })
 
       it('should allow .. in root', function (done) {
@@ -1261,21 +1259,15 @@
             .pipe(res)
         })
 
-        request(app)
-          .get('/pets/../../send.js')
-          .expect(403, done)
+        rawRequest(app, '/pets/../../send.js', 403, done)
       })
 
       it('should not allow root transversal', function (done) {
-        request(createServer({ root: path.join(fixtures, 'name.d') }))
-          .get('/../name.dir/name.txt')
-          .expect(403, done)
+        rawRequest(createServer({ root: path.join(fixtures, 'name.d') }), '/../name.dir/name.txt', 403, done)
       })
 
       it('should not allow root path disclosure', function (done) {
-        request(createServer({ root: fixtures }))
-          .get('/pets/../../fixtures/name.txt')
-          .expect(403, done)
+        rawRequest(createServer({ root: fixtures }), '/pets/../../fixtures/name.txt', 403, done)
       })
     })
 
@@ -1286,9 +1278,7 @@
             .pipe(res)
         })
 
-        request(app)
-          .get('/../send.js')
-          .expect(403, done)
+        rawRequest(app, '/../send.js', 403, done)
       })
 
       it('should still serve files with dots in name', function (done) {
@@ -1328,3 +1318,33 @@
     assert.ok(!(header.toLowerCase() in res.headers), 'should not have header ' + header)
   }
 }
+
+function rawRequest (server, path, expectedStatus, done) {
+  // Use raw http.request to bypass supertest's URL normalization
+  server.listen(0, function () {
+    var addr = server.address()
+    var req = http.request({
+      hostname: 'localhost',
+      port: addr.port,
+      path: path,
+      method: 'GET'
+    }, function (res) {
+      var body = ''
+      res.on('data', function (chunk) { body += chunk })
+      res.on('end', function () {
+        server.close()
+        try {
+          assert.strictEqual(res.statusCode, expectedStatus)
+          done()
+        } catch (err) {
+          done(err)
+        }
+      })
+    })
+    req.on('error', function (err) {
+      server.close()
+      done(err)
+    })
+    req.end()
+  })
+}
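Review bot: rawRequest starts the server with `server.listen(0, function () {`, which binds the unspecified address, and then connects to `hostname: 'localhost'`, so the helper depends on how the build host resolves localhost and exposes the fixture server beyond loopback while the test runs. Pinning both ends removes that dependency: `server.listen(0, '127.0.0.1', function () {` and `hostname: '127.0.0.1',`. The `body` accumulator is never read, so `res.resume()` would drain the response without it. The `path` parameter also shadows the `path` module that the tests in the earlier hunks call as `path.join(...)`; a name such as `requestPath` would avoid the confusion. `http` is presumably required at the top of test/send.js, which is outside this hunk, and should be confirmed.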