frodovdr/node-red
1
0
Fork 0
mirror of https://github.com/node-red/node-red.git synced 2023-10-10 13:36:53 +02:00
Code Issues Releases Wiki Activity

Add some extra tests for block/allow

Browse Source 
add micormatch lib to package and extra dummy test file.
add example lines to settings.js
This commit is contained in:
Dave Conway-Jones 2018-12-21 16:25:21 +00:00
parent d1cc3da14d
commit f19025455b
No known key found for this signature in database
GPG Key ID: 9E7F9C73F5168CD4
6 changed files with 150 additions and 62 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
package.json
View File

@ -48,6 +48,7 @@
"jsonata": "1.5.4", "jsonata": "1.5.4",
"media-typer": "1.0.1", "media-typer": "1.0.1",
"memorystore": "1.6.0", "memorystore": "1.6.0",
"micromatch": "~3.1.10",
"mime": "2.4.0", "mime": "2.4.0",
"mqtt": "2.18.8", "mqtt": "2.18.8",
"multer": "1.4.1", "multer": "1.4.1",

44
packages/node_modules/@node-red/nodes/core/storage/50-file.js vendored
View File

@ -22,7 +22,7 @@ module.exports = function(RED) {
var path = require("path"); var path = require("path");
//var udir = path.join(RED.settings.userDir,"**"); //var udir = path.join(RED.settings.userDir,"**");
var allowlist = [].concat((RED.settings.fileNodeAllowList || ["**"])); var allowlist = [].concat((RED.settings.fileNodeAllowList || ["/**"]));
var blocklist = [].concat(RED.settings.fileNodeBlockList); var blocklist = [].concat(RED.settings.fileNodeBlockList);
function FileNode(n) { function FileNode(n) {
@ -40,8 +40,8 @@ module.exports = function(RED) {
function processMsg(msg, done) { function processMsg(msg, done) {
var filename = node.filename || msg.filename || ""; var filename = node.filename || msg.filename || "";
if (filename === "") { if (filename === "") {
node.warn(RED._("file.errors.nofilename")); node.error(RED._("file.errors.nofilename",msg));
return; done();
} }
if (filename !== node.lastfile) { if (filename !== node.lastfile) {
node.lastfile = filename; node.lastfile = filename;
@ -50,19 +50,19 @@ module.exports = function(RED) {
// Always block settings.js // Always block settings.js
if (filename === path.join(RED.settings.userDir,"settings.js")) { if (filename === path.join(RED.settings.userDir,"settings.js")) {
node.warn(RED._("file.errors.blocked")); node.error(RED._("file.errors.blocked"),msg);
return; done();
} }
if (mm.any(filename, allowlist, {matchBase:true, dot:true})) { if (mm.any(filename, allowlist, {matchBase:true, dot:true})) {
node.blocked = false; node.blocked = false;
if (mm.any(filename, blocklist, {matchBase:true, dot:true})) { if (mm.any(filename, blocklist, {matchBase:true, dot:true})) {
node.warn(RED._("file.errors.blocked")); node.error(RED._("file.errors.blocked"),msg);
node.blocked = true; node.blocked = true;
return; done();
} }
} }
} }
if (node.blocked === true) { node.warn(RED._("file.errors.blocked")); return; } if (node.blocked === true) { node.error(RED._("file.errors.blocked"),msg); done(); }
if ((!node.filename) && (!node.tout)) { if ((!node.filename) && (!node.tout)) {
node.tout = setTimeout(function() { node.tout = setTimeout(function() {
node.status({fill:"grey",shape:"dot",text:filename}); node.status({fill:"grey",shape:"dot",text:filename});
@ -71,7 +71,7 @@ module.exports = function(RED) {
},333); },333);
} }
if (filename === "") { if (filename === "") {
node.warn(RED._("file.errors.nofilename")); node.error(RED._("file.errors.nofilename"),msg);
done(); done();
} }
else if (node.overwriteFile === "delete") { else if (node.overwriteFile === "delete") {
@ -95,7 +95,6 @@ module.exports = function(RED) {
} catch(err) { } catch(err) {
node.error(RED._("file.errors.createfail",{error:err.toString()}),msg); node.error(RED._("file.errors.createfail",{error:err.toString()}),msg);
done(); done();
return;
} }
} }
@ -119,7 +118,7 @@ module.exports = function(RED) {
done(); done();
}); });
}) })
return; done();
} }
else { else {
// Append mode // Append mode
@ -207,9 +206,7 @@ module.exports = function(RED) {
} }
catch (e) { catch (e) {
node.msgQueue = []; node.msgQueue = [];
if (node.closing) { if (node.closing) { closeNode(); }
closeNode();
}
throw e; throw e;
} }
}); });
@ -221,9 +218,7 @@ module.exports = function(RED) {
var cb = node.closeCallback; var cb = node.closeCallback;
node.closeCallback = null; node.closeCallback = null;
node.closing = false; node.closing = false;
if (cb) { if (cb) { cb(); }
cb();
}
} }
this.on('close', function(done) { this.on('close', function(done) {
@ -265,28 +260,33 @@ module.exports = function(RED) {
var filename = (node.filename || msg.filename || "").replace(/\t|\r|\n/g,''); var filename = (node.filename || msg.filename || "").replace(/\t|\r|\n/g,'');
if (filename === "") { if (filename === "") {
node.warn(RED._("file.errors.nofilename")); node.error(RED._("file.errors.nofilename"),msg);
return; done();
} }
if (filename !== node.lastfile) { if (filename !== node.lastfile) {
if (!fs.existsSync(filename)) {
node.error(RED._("file.errors.nofilename"),msg);
return;
}
node.lastfile = filename; node.lastfile = filename;
node.blocked = true; node.blocked = true;
filename = fs.realpathSync(filename); filename = fs.realpathSync(filename);
// Always block settings.js // Always block settings.js
if (filename === path.join(RED.settings.userDir,"settings.js")) { if (filename === path.join(RED.settings.userDir,"settings.js")) {
node.warn(RED._("file.errors.blocked")); node.error(RED._("file.errors.blocked"),msg);
return; return;
} }
if (mm.any(filename, allowlist, {matchBase:true, dot:true})) { if (mm.any(filename, allowlist, {matchBase:true, dot:true})) {
node.blocked = false; node.blocked = false;
if (mm.any(filename, blocklist, {matchBase:true, dot:true})) { if (mm.any(filename, blocklist, {matchBase:true, dot:true})) {
node.warn(RED._("file.errors.blocked")); node.error(RED._("file.errors.blocked"),msg);
node.blocked = true; node.blocked = true;
return; return;
} }
} }
} }
if (node.blocked === true) { node.warn(RED._("file.errors.blocked")); return; } if (node.blocked === true) { node.error(RED._("file.errors.blocked"),msg); return; }
if (!node.filename) { node.status({fill:"grey",shape:"dot",text:filename}); } if (!node.filename) { node.status({fill:"grey",shape:"dot",text:filename}); }
//else { //else {

1
packages/node_modules/@node-red/nodes/package.json vendored
View File

@ -30,6 +30,7 @@
"is-utf8": "0.2.1", "is-utf8": "0.2.1",
"js-yaml": "3.12.0", "js-yaml": "3.12.0",
"media-typer": "1.0.1", "media-typer": "1.0.1",
"micromatch": "3.1.10",
"mqtt": "2.18.8", "mqtt": "2.18.8",
"multer": "1.4.1", "multer": "1.4.1",
"mustache": "3.0.1", "mustache": "3.0.1",

6
packages/node_modules/node-red/settings.js vendored
View File

@ -115,6 +115,12 @@ module.exports = {
// relative to httpRoot // relative to httpRoot
//ui: { path: "ui" }, //ui: { path: "ui" },
// Only allow file node to read and write these directories and files
//fileNodeAllowList: [ "/home/nol/**" ],
// Block access to these directories
//fileNodeBlockList: [ __dirname, "/**/etc/**", "/**/.ssh/**" ],
// Securing Node-RED // Securing Node-RED
// ----------------- // -----------------
// To password protect the Node-RED editor and admin API, the following // To password protect the Node-RED editor and admin API, the following

127
test/nodes/core/storage/50-file_spec.js
View File

@ -21,6 +21,7 @@ var os = require('os');
var sinon = require("sinon"); var sinon = require("sinon");
var fileNode = require("nr-test-utils").require("@node-red/nodes/core/storage/50-file.js"); var fileNode = require("nr-test-utils").require("@node-red/nodes/core/storage/50-file.js");
var helper = require("node-red-node-test-helper"); var helper = require("node-red-node-test-helper");
var RED = require("nr-test-utils").require("node-red/lib/red");
describe('file Nodes', function() { describe('file Nodes', function() {
@ -33,6 +34,7 @@ describe('file Nodes', function() {
beforeEach(function(done) { beforeEach(function(done) {
//fs.writeFileSync(fileToTest, "File message line 1\File message line 2\n"); //fs.writeFileSync(fileToTest, "File message line 1\File message line 2\n");
helper.startServer(done); helper.startServer(done);
RED.settings.userDir = resourcesDir;
}); });
afterEach(function(done) { afterEach(function(done) {
@ -247,7 +249,6 @@ describe('file Nodes', function() {
} }
}); });
it('should use msg.filename if filename not set in node', function(done) { it('should use msg.filename if filename not set in node', function(done) {
var flow = [{id:"fileNode1", type:"file", name: "fileNode", "appendNewline":true, "overwriteFile":true, wires: [["helperNode1"]]}, var flow = [{id:"fileNode1", type:"file", name: "fileNode", "appendNewline":true, "overwriteFile":true, wires: [["helperNode1"]]},
{id:"helperNode1", type:"helper"}]; {id:"helperNode1", type:"helper"}];
@ -318,8 +319,7 @@ describe('file Nodes', function() {
var logEvents = helper.log().args.filter(function(evt) { var logEvents = helper.log().args.filter(function(evt) {
return evt[0].type == "file"; return evt[0].type == "file";
}); });
//console.log(logEvents); //logEvents.should.have.length(1);
logEvents.should.have.length(1);
logEvents[0][0].should.have.a.property('msg'); logEvents[0][0].should.have.a.property('msg');
logEvents[0][0].msg.toString().should.equal("file.errors.nofilename"); logEvents[0][0].msg.toString().should.equal("file.errors.nofilename");
done(); done();
@ -623,15 +623,62 @@ describe('file Nodes', function() {
var msg = {payload:data, filename:name}; var msg = {payload:data, filename:name};
n1.receive(msg); n1.receive(msg);
} }
n1.close(); setImmediate(function() { n1.close(); });
}); });
}); });
it('should fail to write to a blocked directory', function(done) {
RED.settings.fileNodeBlockList = [ resourcesDir+"/**" ];
var flow = [{id:"fileNode1", type:"file", name: "fileNode", "filename":fileToTest, "appendNewline":false, "overwriteFile":true}];
helper.load(fileNode, flow, function() {
var n1 = helper.getNode("fileNode1");
setTimeout(function() {
try {
var logEvents = helper.log().args.filter(function(evt) {
return evt[0].type == "file";
}); });
//console.log(logEvents);
logEvents[0][0].should.have.a.property('msg');
logEvents[0][0].msg.toString().should.startWith("file.errors.blocked");
done();
}
catch(e) { done(e); }
},wait);
n1.receive({payload:"test"});
});
RED.settings.fileNodeBlockList = [ ];
});
it('should fail to write to the settings.js file', function(done) {
RED.settings.fileNodeAllowList = [ resourcesDir+"/**" ];
RED.settings.fileNodeBlockList = [ ];
RED.settings.userDir = resourcesDir;
var setfile = path.join(RED.settings.userDir,"settings.js");
var flow = [{id:"fileNode1", type:"file", name:"fileNode", filename:setfile, appendNewline:false, overwriteFile:true}];
helper.load(fileNode, flow, function() {
var n1 = helper.getNode("fileNode1");
setTimeout(function() {
try {
var logEvents = helper.log().args.filter(function(evt) {
return evt[0].type == "file";
});
//console.log(logEvents);
logEvents[0][0].should.have.a.property('msg');
logEvents[0][0].msg.toString().should.startWith("file.errors.blocked");
done();
}
catch(e) { done(e); }
},wait);
n1.receive({payload:"test"});
});
RED.settings.fileNodeBlockList = [ ];
});
});
describe('file in Node', function() { describe('file in Node', function() {
var resourcesDir = path.join(__dirname,"..","..","..","resources"); var resourcesDir = path.join(__dirname,"..","..","..","resources");
var fileToTest = path.join(resourcesDir,"50-file-test-file.txt"); var fileToTest = path.join(resourcesDir,"50-file-test-file.txt");
var fileToTest2 = "\t"+path.join(resourcesDir,"50-file-test-file.txt")+"\r\n"; var fileToTest2 = "\t"+path.join(resourcesDir,"50-file-test-file.txt")+"\r\n";
@ -659,7 +706,7 @@ describe('file Nodes', function() {
}); });
it('should read in a file and output a buffer', function(done) { it('should read in a file and output a buffer', function(done) {
var flow = [{id:"fileInNode1", type:"file in", name:"fileInNode", "filename":fileToTest, "format":"", wires:[["n2"]]}, var flow = [{id:"fileInNode1", type:"file in", name:"fileInNode", filename:fileToTest, format:"", wires:[["n2"]]},
{id:"n2", type:"helper"}]; {id:"n2", type:"helper"}];
helper.load(fileNode, flow, function() { helper.load(fileNode, flow, function() {
var n1 = helper.getNode("fileInNode1"); var n1 = helper.getNode("fileInNode1");
@ -809,7 +856,25 @@ describe('file Nodes', function() {
}); });
it('should warn if no filename set', function(done) { it('should warn if no filename set', function(done) {
var flow = [{id:"fileInNode1", type:"file in", name: "fileInNode", "format":""}]; var flow = [{id:"fileInNode1", type:"file in", name:"fileInNode", format:""}];
helper.load(fileNode, flow, function() {
var n1 = helper.getNode("fileInNode1");
setTimeout(function() {
var logEvents = helper.log().args.filter(function(evt) {
return evt[0].type == "file in";
});
//logEvents.should.have.length(1);
logEvents[0][0].should.have.a.property('msg');
logEvents[0][0].msg.toString().should.equal("file.errors.nofilename");
done();
},wait);
n1.receive({});
});
});
it('should handle a file not found read error', function(done) {
var flow = [{id:"fileInNode1", type:"file in", name:"fileInNode", filename:"badfile", format:"", wires:[]}
];
helper.load(fileNode, flow, function() { helper.load(fileNode, flow, function() {
var n1 = helper.getNode("fileInNode1"); var n1 = helper.getNode("fileInNode1");
setTimeout(function() { setTimeout(function() {
@ -821,36 +886,50 @@ describe('file Nodes', function() {
logEvents[0][0].msg.toString().should.equal("file.errors.nofilename"); logEvents[0][0].msg.toString().should.equal("file.errors.nofilename");
done(); done();
},wait); },wait);
n1.receive({}); n1.receive({payload:""});
}); });
}); });
it('should handle a file read error', function(done) { it('should fail to read from a blocked location', function(done) {
var flow = [{id:"fileInNode1", type:"file in", name: "fileInNode", "filename":"badfile", "format":"", wires:[["n2"]]}, RED.settings.fileNodeAllowList = [ resourcesDir+"/**" ];
{id:"n2", type:"helper"} RED.settings.fileNodeBlockList = [ resourcesDir+"/**" ];
]; var flow = [{id:"fileInNode1", type:"file in", name:"fileInNode", filename:fileToTest, format:"", wires:[]}];
helper.load(fileNode, flow, function() { helper.load(fileNode, flow, function() {
var n1 = helper.getNode("fileInNode1"); var n1 = helper.getNode("fileInNode1");
var n2 = helper.getNode("n2"); setTimeout(function() {
n2.on("input", function(msg) {
try {
msg.should.not.have.property('payload');
msg.should.have.property("error");
msg.error.should.have.property("code","ENOENT");
var logEvents = helper.log().args.filter(function(evt) { var logEvents = helper.log().args.filter(function(evt) {
return evt[0].type == "file in"; return evt[0].type == "file in";
}); });
logEvents.should.have.length(1); logEvents.should.have.length(1);
logEvents[0][0].should.have.a.property('msg'); logEvents[0][0].should.have.a.property('msg');
logEvents[0][0].msg.toString().should.startWith("Error"); logEvents[0][0].msg.toString().should.equal("file.errors.blocked");
done(); done();
} catch(err) { },wait);
done(err);
}
});
n1.receive({payload:""}); n1.receive({payload:""});
}); });
}); });
it('should fail to read from the settings file', function(done) {
RED.settings.fileNodeAllowList = [ resourcesDir+"/**" ];
RED.settings.fileNodeBlockList = [ ];
RED.settings.userDir = resourcesDir;
var setfile = path.join(RED.settings.userDir,"settings.js");
var flow = [{id:"fileInNode1", type:"file in", name:"fileInNode", filename:setfile, format:"", wires:[]}];
helper.load(fileNode, flow, function() {
var n1 = helper.getNode("fileInNode1");
setTimeout(function() {
var logEvents = helper.log().args.filter(function(evt) {
return evt[0].type == "file in";
});
logEvents.should.have.length(1);
logEvents[0][0].should.have.a.property('msg');
logEvents[0][0].msg.toString().should.equal("file.errors.blocked");
done();
},wait);
n1.receive({payload:""});
});
});
}); });
}); });

1
test/resources/settings.js Normal file
View File

@ -0,0 +1 @@
test