2014-07-17 08:34:26 +01:00
|
|
|
/**
|
|
|
|
* Copyright 2014 IBM Corp.
|
|
|
|
*
|
|
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
* you may not use this file except in compliance with the License.
|
|
|
|
* You may obtain a copy of the License at
|
|
|
|
*
|
|
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
*
|
|
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
* See the License for the specific language governing permissions and
|
|
|
|
* limitations under the License.
|
|
|
|
**/
|
2014-07-23 14:51:11 +01:00
|
|
|
|
2014-07-17 08:34:26 +01:00
|
|
|
var should = require("should");
|
2014-07-23 14:51:11 +01:00
|
|
|
var sinon = require('sinon');
|
|
|
|
var request = require('supertest');
|
|
|
|
var http = require('http');
|
|
|
|
var express = require('express');
|
|
|
|
|
|
|
|
var fs = require('fs-extra');
|
|
|
|
var path = require('path');
|
|
|
|
var when = require('when');
|
|
|
|
|
|
|
|
var app = express();
|
|
|
|
var RED = require("../../red/red.js");
|
|
|
|
var server = require("../../red/server.js");
|
|
|
|
var nodes = require("../../red/nodes");
|
|
|
|
|
|
|
|
describe("library", function() {
|
|
|
|
var userDir = path.join(__dirname,".testUserHome");
|
|
|
|
before(function(done) {
|
|
|
|
fs.remove(userDir,function(err) {
|
|
|
|
fs.mkdir(userDir,function() {
|
|
|
|
sinon.stub(nodes, 'load', function() {
|
|
|
|
return when.promise(function(resolve,reject){
|
|
|
|
resolve([]);
|
|
|
|
});
|
|
|
|
});
|
|
|
|
RED.init(http.createServer(function(req,res){app(req,res)}),
|
|
|
|
{userDir: userDir});
|
|
|
|
server.start().then(function () { done(); });
|
|
|
|
});
|
|
|
|
});
|
|
|
|
});
|
|
|
|
|
|
|
|
after(function(done) {
|
|
|
|
fs.remove(userDir,done);
|
|
|
|
server.stop();
|
|
|
|
nodes.load.restore();
|
|
|
|
});
|
|
|
|
|
|
|
|
afterEach(function(done) {
|
|
|
|
fs.remove(userDir,function(err) {
|
|
|
|
fs.mkdir(userDir,done);
|
|
|
|
});
|
|
|
|
});
|
|
|
|
|
|
|
|
describe("flows", function() {
|
|
|
|
it('returns empty result', function(done) {
|
|
|
|
request(RED.httpAdmin)
|
|
|
|
.get('/library/flows')
|
|
|
|
.expect(200)
|
|
|
|
.end(function(err,res) {
|
|
|
|
if (err) {
|
|
|
|
throw err;
|
|
|
|
}
|
|
|
|
res.body.should.not.have.property('f');
|
|
|
|
done();
|
|
|
|
});
|
|
|
|
});
|
|
|
|
|
|
|
|
it('returns 404 for non-existent entry', function(done) {
|
|
|
|
request(RED.httpAdmin)
|
|
|
|
.get('/library/flows/foo')
|
|
|
|
.expect(404)
|
|
|
|
.end(done);
|
|
|
|
});
|
|
|
|
|
|
|
|
it('can store and retrieve item', function(done) {
|
|
|
|
var flow = '[]';
|
|
|
|
request(RED.httpAdmin)
|
|
|
|
.post('/library/flows/foo')
|
|
|
|
.set('Content-Type', 'text/plain')
|
|
|
|
.send(flow)
|
|
|
|
.expect(204).end(function (err, res) {
|
|
|
|
if (err) {
|
|
|
|
throw err;
|
|
|
|
}
|
|
|
|
request(RED.httpAdmin)
|
|
|
|
.get('/library/flows/foo')
|
|
|
|
.expect(200)
|
|
|
|
.end(function(err,res) {
|
|
|
|
if (err) {
|
|
|
|
throw err;
|
|
|
|
}
|
|
|
|
res.text.should.equal(flow);
|
|
|
|
done();
|
|
|
|
});
|
|
|
|
});
|
|
|
|
});
|
|
|
|
|
|
|
|
it('lists a stored item', function(done) {
|
|
|
|
request(RED.httpAdmin)
|
|
|
|
.post('/library/flows/bar')
|
|
|
|
.expect(204)
|
|
|
|
.end(function () {
|
|
|
|
request(RED.httpAdmin)
|
|
|
|
.get('/library/flows')
|
|
|
|
.expect(200)
|
|
|
|
.end(function(err,res) {
|
|
|
|
if (err) {
|
|
|
|
throw err;
|
|
|
|
}
|
|
|
|
res.body.should.have.property('f');
|
|
|
|
should.deepEqual(res.body.f,['bar']);
|
|
|
|
done();
|
|
|
|
});
|
|
|
|
});
|
|
|
|
});
|
2014-07-29 13:51:21 +01:00
|
|
|
|
|
|
|
it('returns 403 for malicious access attempt', function(done) {
|
|
|
|
// without the userDir override the malicious url would be
|
|
|
|
// http://127.0.0.1:1880/library/flows/../../package to
|
|
|
|
// obtain package.json from the node-red root.
|
|
|
|
request(RED.httpAdmin)
|
|
|
|
.get('/library/flows/../../../../../package')
|
|
|
|
.expect(403)
|
|
|
|
.end(done);
|
|
|
|
});
|
|
|
|
|
|
|
|
it('returns 403 for malicious access attempt', function(done) {
|
|
|
|
// without the userDir override the malicious url would be
|
|
|
|
// http://127.0.0.1:1880/library/flows/../../package to
|
|
|
|
// obtain package.json from the node-red root.
|
|
|
|
request(RED.httpAdmin)
|
|
|
|
.post('/library/flows/../../../../../package')
|
|
|
|
.expect(403)
|
|
|
|
.end(done);
|
|
|
|
});
|
|
|
|
|
2014-07-23 14:51:11 +01:00
|
|
|
});
|
|
|
|
|
|
|
|
describe("type", function() {
|
|
|
|
before(function() {
|
|
|
|
RED.library.register('test');
|
|
|
|
});
|
|
|
|
|
|
|
|
it('returns empty result', function(done) {
|
|
|
|
request(RED.httpAdmin)
|
|
|
|
.get('/library/test')
|
|
|
|
.expect(200)
|
|
|
|
.end(function(err,res) {
|
|
|
|
if (err) {
|
|
|
|
throw err;
|
|
|
|
}
|
|
|
|
res.body.should.not.have.property('f');
|
|
|
|
done();
|
|
|
|
});
|
|
|
|
});
|
|
|
|
|
|
|
|
it('returns 404 for non-existent entry', function(done) {
|
|
|
|
request(RED.httpAdmin)
|
|
|
|
.get('/library/test/foo')
|
|
|
|
.expect(404)
|
|
|
|
.end(done);
|
|
|
|
});
|
|
|
|
|
|
|
|
it('can store and retrieve item', function(done) {
|
|
|
|
var flow = '[]';
|
|
|
|
request(RED.httpAdmin)
|
|
|
|
.post('/library/test/foo')
|
|
|
|
.set('Content-Type', 'text/plain')
|
|
|
|
.send(flow)
|
|
|
|
.expect(204).end(function (err, res) {
|
|
|
|
if (err) {
|
|
|
|
throw err;
|
|
|
|
}
|
|
|
|
request(RED.httpAdmin)
|
|
|
|
.get('/library/test/foo')
|
|
|
|
.expect(200)
|
|
|
|
.end(function(err,res) {
|
|
|
|
if (err) {
|
|
|
|
throw err;
|
|
|
|
}
|
|
|
|
res.text.should.equal(flow);
|
|
|
|
done();
|
|
|
|
});
|
|
|
|
});
|
|
|
|
});
|
|
|
|
|
|
|
|
it('lists a stored item', function(done) {
|
|
|
|
request(RED.httpAdmin)
|
|
|
|
.post('/library/test/bar')
|
|
|
|
.expect(204)
|
|
|
|
.end(function () {
|
|
|
|
request(RED.httpAdmin)
|
|
|
|
.get('/library/test')
|
|
|
|
.expect(200)
|
|
|
|
.end(function(err,res) {
|
|
|
|
if (err) {
|
|
|
|
throw err;
|
|
|
|
}
|
|
|
|
should.deepEqual(res.body,[{ fn: 'bar'}]);
|
|
|
|
done();
|
|
|
|
});
|
|
|
|
});
|
|
|
|
});
|
2014-07-17 08:34:26 +01:00
|
|
|
|
2014-07-29 13:51:21 +01:00
|
|
|
|
|
|
|
it('returns 403 for malicious access attempt', function(done) {
|
|
|
|
request(RED.httpAdmin)
|
|
|
|
.get('/library/test/../../../../../../../../../../etc/passwd')
|
|
|
|
.expect(403)
|
|
|
|
.end(done);
|
|
|
|
});
|
|
|
|
|
|
|
|
it('returns 403 for malicious access attempt', function(done) {
|
|
|
|
request(RED.httpAdmin)
|
|
|
|
.get('/library/test/..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\etc\\passwd')
|
|
|
|
.expect(403)
|
|
|
|
.end(done);
|
|
|
|
});
|
|
|
|
|
|
|
|
it('returns 403 for malicious access attempt', function(done) {
|
|
|
|
request(RED.httpAdmin)
|
|
|
|
.post('/library/test/../../../../../../../../../../etc/passwd')
|
|
|
|
.set('Content-Type', 'text/plain')
|
|
|
|
.send('root:x:0:0:root:/root:/usr/bin/tclsh')
|
|
|
|
.expect(403)
|
|
|
|
.end(done);
|
|
|
|
});
|
|
|
|
|
2014-07-17 08:34:26 +01:00
|
|
|
});
|
|
|
|
});
|