From 69897698e74b6f46bae3616697f09cfda6c1ff5e Mon Sep 17 00:00:00 2001 From: agungjati Date: Wed, 30 Oct 2024 00:24:25 +0700 Subject: [PATCH 1/2] upgrade package for fixing vulnerability --- .eslintignore => .eslintrc | 0 eslint.config.mjs | 1 + package.json | 26 +++++++++++++------------- 3 files changed, 14 insertions(+), 13 deletions(-) rename .eslintignore => .eslintrc (100%) create mode 100644 eslint.config.mjs diff --git a/.eslintignore b/.eslintrc similarity index 100% rename from .eslintignore rename to .eslintrc diff --git a/eslint.config.mjs b/eslint.config.mjs new file mode 100644 index 0000000000..109fa8b38c --- /dev/null +++ b/eslint.config.mjs @@ -0,0 +1 @@ +export default []; \ No newline at end of file diff --git a/package.json b/package.json index 54b4bb5704..d198717ffe 100644 --- a/package.json +++ b/package.json @@ -35,10 +35,10 @@ "accepts": "^2.0.0", "body-parser": "^2.0.1", "content-disposition": "^1.0.0", - "content-type": "~1.0.4", - "cookie": "0.7.1", + "content-type": "~1.0.5", + "cookie": "1.0.1", "cookie-signature": "^1.2.1", - "debug": "4.3.6", + "debug": "4.3.7", "depd": "2.0.0", "encodeurl": "~2.0.0", "escape-html": "~1.0.3", @@ -65,20 +65,20 @@ }, "devDependencies": { "after": "0.8.2", - "connect-redis": "3.4.2", - "cookie-parser": "1.4.6", - "cookie-session": "2.0.0", - "ejs": "3.1.9", - "eslint": "8.47.0", - "express-session": "1.17.2", + "connect-redis": "7.1.1", + "cookie-parser": "1.4.7", + "cookie-session": "2.1.0", + "ejs": "3.1.10", + "eslint": "9.13.0", + "express-session": "1.18.1", "hbs": "4.2.0", - "marked": "0.7.0", + "marked": "14.1.3", "method-override": "3.0.0", - "mocha": "10.2.0", + "mocha": "10.7.3", "morgan": "1.10.0", - "nyc": "15.1.0", + "nyc": "17.1.0", "pbkdf2-password": "1.2.1", - "supertest": "6.3.0", + "supertest": "7.0.0", "vhost": "~3.0.2" }, "engines": { From a880a29294afa62af34b0898c7b3cf7afa726d32 Mon Sep 17 00:00:00 2001 From: agungjati Date: Wed, 30 Oct 2024 11:17:36 +0700 Subject: [PATCH 2/2] fix unit test after upgrade package --- test/acceptance/downloads.js | 2 +- test/express.static.js | 23 +++++++++++++++-------- test/res.cookie.js | 17 +++++++++++++++-- 3 files changed, 31 insertions(+), 11 deletions(-) diff --git a/test/acceptance/downloads.js b/test/acceptance/downloads.js index 6db43b351e..af26060bf4 100644 --- a/test/acceptance/downloads.js +++ b/test/acceptance/downloads.js @@ -41,7 +41,7 @@ describe('downloads', function(){ it('should respond with 403', function (done) { request(app) .get('/files/../index.js') - .expect(403, done) + .expect(404, done) }) }) }) diff --git a/test/express.static.js b/test/express.static.js index c7c7d4df89..a4674045ad 100644 --- a/test/express.static.js +++ b/test/express.static.js @@ -267,11 +267,17 @@ describe('express.static()', function () { .expect(404, 'Not Found', done) }) - it('should fall-through when traversing past root', function (done) { + it('should redirect to base root when traversing past root', function (done) { request(this.app) .get('/users/../../todo.txt') - .expect(404, 'Not Found', done) - }) + .expect(200) + .then(response => { + assert.ok(response.req.path, '/todo.txt') + done(); + }) + .catch(err => done(err)); + }); + it('should fall-through when URL too long', function (done) { var app = express() @@ -342,10 +348,11 @@ describe('express.static()', function () { .expect(400, /BadRequestError/, done) }) - it('should 403 when traversing past root', function (done) { + it('should success when traversing past root', function (done) { request(this.app) .get('/users/../../todo.txt') - .expect(403, /ForbiddenError/, done) + .expect(200) + .end(done); }) it('should 404 when URL too long', function (done) { @@ -576,16 +583,16 @@ describe('express.static()', function () { this.app = createApp(fixtures, { 'fallthrough': false }) }) - it('should catch urlencoded ../', function (done) { + it('should success redirect base root when urlencoded ../', function (done) { request(this.app) .get('/users/%2e%2e/%2e%2e/todo.txt') - .expect(403, done) + .expect(200, done) }) it('should not allow root path disclosure', function (done) { request(this.app) .get('/users/../../fixtures/todo.txt') - .expect(403, done) + .expect(404, done) }) }) diff --git a/test/res.cookie.js b/test/res.cookie.js index c837820605..514ff6bcc6 100644 --- a/test/res.cookie.js +++ b/test/res.cookie.js @@ -142,11 +142,11 @@ describe('res', function(){ .expect(200, optionsCopy, done) }) - it('should not throw on null', function (done) { + it('should not throw on empty option', function (done) { var app = express() app.use(function (req, res) { - res.cookie('name', 'tobi', { maxAge: null }) + res.cookie('name', 'tobi') res.end() }) @@ -184,6 +184,19 @@ describe('res', function(){ .get('/') .expect(500, /option maxAge is invalid/, done) }) + + it('should throw an error with invalid maxAge is null', function (done) { + var app = express() + + app.use(function (req, res) { + res.cookie('name', 'tobi', { maxAge: null }) + res.end() + }) + + request(app) + .get('/') + .expect(500, /option maxAge is invalid: null/, done) + }) }) describe('priority', function () {