Merge pull request #319 from hindessm/restrict-library-entry-names

Prohibit library entry names from containing '../'.

test/red/library_spec.js

@@ -120,6 +120,27 @@ describe("library", function() {
                         });
                 });
         });
+
+        it('returns 403 for malicious access attempt', function(done) {
+            // without the userDir override the malicious url would be
+            // http://127.0.0.1:1880/library/flows/../../package to
+            // obtain package.json from the node-red root.
+            request(RED.httpAdmin)
+                .get('/library/flows/../../../../../package')
+                .expect(403)
+                .end(done);
+        });
+
+        it('returns 403 for malicious access attempt', function(done) {
+            // without the userDir override the malicious url would be
+            // http://127.0.0.1:1880/library/flows/../../package to
+            // obtain package.json from the node-red root.
+            request(RED.httpAdmin)
+                .post('/library/flows/../../../../../package')
+                .expect(403)
+                .end(done);
+        });
+
     });
 
     describe("type", function() {
@@ -188,5 +209,29 @@ describe("library", function() {
                 });
         });
 
+
+        it('returns 403 for malicious access attempt', function(done) {
+            request(RED.httpAdmin)
+                .get('/library/test/../../../../../../../../../../etc/passwd')
+                .expect(403)
+                .end(done);
+        });
+
+        it('returns 403 for malicious access attempt', function(done) {
+            request(RED.httpAdmin)
+                .get('/library/test/..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\etc\\passwd')
+                .expect(403)
+                .end(done);
+        });
+
+        it('returns 403 for malicious access attempt', function(done) {
+            request(RED.httpAdmin)
+                .post('/library/test/../../../../../../../../../../etc/passwd')
+                .set('Content-Type', 'text/plain')
+                .send('root:x:0:0:root:/root:/usr/bin/tclsh')
+                .expect(403)
+                .end(done);
+        });
+
     });
 });

test/red/storage/index_spec.js

@@ -83,19 +83,19 @@ describe("red/storage/index", function() {
                     calledFlagGetAllFlows = true;
                 },
                 getFlow : function(fn) {
-                    fn.should.be.true;
+                    fn.should.equal("name");
                 },
                 saveFlow : function(fn, data) {
-                    fn.should.be.true;
+                    fn.should.equal("name");
                     data.should.be.true;
                 },
                 getLibraryEntry : function(type, path) {
                     type.should.be.true;
-                    path.should.be.true;
+                    path.should.equal("name");
                 },
                 saveLibraryEntry : function(type, path, meta, body) {
                     type.should.be.true;
-                    path.should.be.true;
+                    path.should.equal("name");
                     meta.should.be.true;
                     body.should.be.true;
                 }
@@ -112,10 +112,10 @@ describe("red/storage/index", function() {
         storage.getCredentials(); 
         storage.saveCredentials(true);
         storage.getAllFlows();
-        storage.getFlow(true);
-        storage.saveFlow(true, true);
-        storage.getLibraryEntry(true, true);
-        storage.saveLibraryEntry(true, true, true, true);
+        storage.getFlow("name");
+        storage.saveFlow("name", true);
+        storage.getLibraryEntry(true, "name");
+        storage.saveLibraryEntry(true, "name", true, true);
         
         calledInit.should.be.true;
         calledFlagGetFlows.should.be.true;