wip

getodk · Sep 27, 2023 · bc02fdd · bc02fdd
1 parent 46339c1
commit bc02fdd
Showing 1 changed file with 14 additions and 5 deletions.
diff --git a/test/unit/util/html.js b/test/unit/util/html.js
@@ -25,13 +25,19 @@ describe('util/html', () => {
     });
   });
 
-  describe('safeNextPathFrom()', () => {
+  describe.only('safeNextPathFrom()', () => {
     [
       // odk-central-frontend
       [ '/account/edit',          '/#/account/edit' ],            // eslint-disable-line no-multi-spaces
       [ '/users',                 '/#/users' ],                   // eslint-disable-line no-multi-spaces
       [ '/users"><badTag ',       '/#/users%22%3E%3CbadTag' ],    // eslint-disable-line no-multi-spaces
 
+      // login URLs - in contrast to frontend
+      [ '/login',                          '/#/' ],    // eslint-disable-line no-multi-spaces
+      [ '/login/',                         '/#/' ],    // eslint-disable-line no-multi-spaces
+      [ '/login/foo/..',                   '/#/' ],    // eslint-disable-line no-multi-spaces
+      [ '/login/foo&sol;&period;&period;', '/#/' ],    // eslint-disable-line no-multi-spaces
+
       // query params
       [ '/users?"><badTag ',      '/#/users?%22%3E%3CbadTag' ],   // eslint-disable-line no-multi-spaces
       [ '/users?="><badTag ',     '/#/users?=%22%3E%3CbadTag' ],  // eslint-disable-line no-multi-spaces
@@ -48,10 +54,13 @@ describe('util/html', () => {
       [ '/users?"=1#"=><badTag ', '/#/users?%22=1#%22=%3E%3CbadTag' ], // eslint-disable-line no-multi-spaces
 
       // enketo-express
-      [ '/-/xyz',                 'http://localhost:8989/-/xyz' ],                       // eslint-disable-line no-multi-spaces
-      [ '/-/xyz?"><b',            'http://localhost:8989/-/xyz?%22%3E%3Cb' ],            // eslint-disable-line no-multi-spaces
-      [ '/-/xyz#"><b',            'http://localhost:8989/-/xyz#%22%3E%3Cb' ],            // eslint-disable-line no-multi-spaces
-      [ '/-/xyz?"><b#"><b',       'http://localhost:8989/-/xyz?%22%3E%3Cb#%22%3E%3Cb' ], // eslint-disable-line no-multi-spaces
+      [ '/-/xyz',                          'http://localhost:8989/-/xyz' ],                       // eslint-disable-line no-multi-spaces
+      [ '/-/xyz?"><b',                     'http://localhost:8989/-/xyz?%22%3E%3Cb' ],            // eslint-disable-line no-multi-spaces
+      [ '/-/xyz#"><b',                     'http://localhost:8989/-/xyz#%22%3E%3Cb' ],            // eslint-disable-line no-multi-spaces
+      [ '/-/xyz?"><b#"><b',                'http://localhost:8989/-/xyz?%22%3E%3Cb#%22%3E%3Cb' ], // eslint-disable-line no-multi-spaces
+      // with path traversal
+      [ '/-/../version.txt',               '/#/version.txt' ],                                    // eslint-disable-line no-multi-spaces
+      [ '/-/&period;&period;/version.txt', '/#/version.txt' ],                                    // eslint-disable-line no-multi-spaces
 
       // bad domain
       [ 'http://example.com',                  '/#/' ], // eslint-disable-line no-multi-spaces