Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix ci after location patch #5552

Merged
merged 1 commit into from
Mar 20, 2024
Merged

Fix ci after location patch #5552

merged 1 commit into from
Mar 20, 2024

Conversation

wesleytodd
Copy link
Member

CI started failing with the previous push due to old supertest versions installed only in ci not correctly url encoding before making the request. By encoding it ourselves in the test supertest works as expected in both versions.

@wesleytodd wesleytodd force-pushed the fix-ci-after-location-patch branch from 86f60dd to 2135b33 Compare March 20, 2024 16:37
@wesleytodd wesleytodd force-pushed the fix-ci-after-location-patch branch from 2135b33 to 499a8c1 Compare March 20, 2024 17:34
@wesleytodd
Copy link
Member Author

New habits are hard to break. I used template literal strings which obviously didn't work in old versions. Should be fixed now.

jonchurch
jonchurch reviewed Mar 20, 2024
View reviewed changes
test/res.location.js
@@ -58,7 +58,7 @@ describe('res', function(){
});

request(app)
.get('/?q=http://google.com\\@apple.com')
.get('/?q=http://google.com' + encodeURIComponent('\\@apple.com'))
Copy link
Member

@jonchurch jonchurch Mar 20, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I know you tested locally, but I have no idea why this works, I guess we are converting the encoded @ (%40) back to a @ before location setting? A percent encoded @ should not trigger this vuln Im pretty sure.

encodeURIComponent('\\@apple.com') //  => "%5C%40apple.com"

This comment is specifically about being unsure how the input ends up matching the expected Location in the test. Who converts that %40 back into the @ we assert against? maybe it's supertest when doing the string compare? Is it Node.js itself doing that before express receives the request.query property? I don't know

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No idea, do we need to know? It fixes it afaict in all supported versions.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I shouldn't say no idea. I mean that I looked and it appears old supertest does not encode correctly (not at all IIRC). Encoding ourselves does it and new super test doesnt double escape or anything. This is not something I can spend more time so if you think we need to debug supertest to figure out why then go for it and approve when you are done.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is a bug report because we did not have test coverage of accepting URL instances. You requested changes on this. Can you approve it instead? I would like to merge this so we can also put out #5554

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I do want to understand why this still passes the test, but I wont block on it bc it is test only changes.

@wesleytodd wesleytodd mentioned this pull request Mar 20, 2024
Closed
@wesleytodd
Copy link
Member Author

I am not sure why appveyor and coveralls did not trigger here but I am going to merge anyway.

@wesleytodd wesleytodd merged commit 11f2b1d into master Mar 20, 2024
48 checks passed
@wesleytodd wesleytodd deleted the fix-ci-after-location-patch branch March 20, 2024 22:11
@davidshen84 davidshen84 mentioned this pull request Mar 25, 2024
Merged
This was referenced Mar 26, 2024
Open
Open
Open
Open
Open
Open
This was referenced Mar 28, 2024
Merged
Merged
@ajfisher ajfisher mentioned this pull request Mar 29, 2024
Merged
@liaocanada liaocanada mentioned this pull request Mar 29, 2024
Merged
@somabc somabc mentioned this pull request Mar 29, 2024
Merged
github-actions bot pushed a commit to brafdlog/caspion that referenced this pull request Apr 2, 2024
@semantic-release-bot
chore(release): 1.26.0 [skip ci]
ada789f 
# [1.26.0](v1.25.2...v1.26.0) (2024-04-02)

### Upgrade

* Bump express from 4.18.2 to 4.19.2 (#552) ([bd280ba](bd280ba)), closes [#552](#552) [expressjs/express#5552](expressjs/express#5552) [expressjs/express#5556](expressjs/express#5556) [expressjs/express#5527](expressjs/express#5527) [expressjs/express#5511](expressjs/express#5511) [expressjs/express#5510](expressjs/express#5510) [expressjs/express#5541](expressjs/express#5541) [expressjs/express#5551](expressjs/express#5551) [expressjs/express#5541](expressjs/express#5541) [expressjs/express#5032](expressjs/express#5032) [expressjs/express#5034](expressjs/express#5034) [expressjs/express#5027](expressjs/express#5027) [expressjs/express#5124](expressjs/express#5124) [expressjs/express#5119](expressjs/express#5119) [expressjs/express#5117](expressjs/express#5117) [expressjs/express#5113](expressjs/express#5113) [expressjs/express#5130](expressjs/express#5130) [expressjs/express#5131](expressjs/express#5131) [expressjs/express#5028](expressjs/express#5028) [expressjs/express#5137](expressjs/express#5137) [#5541](https://github.com/brafdlog/caspion/issues/5541)
* Bump express from 4.19.2 in /ui-react (#551) ([8d6032d](8d6032d)), closes [#551](#551) [expressjs/express#5552](expressjs/express#5552) [expressjs/express#5556](expressjs/express#5556) [expressjs/express#5527](expressjs/express#5527) [expressjs/express#5511](expressjs/express#5511) [expressjs/express#5510](expressjs/express#5510) [expressjs/express#5541](expressjs/express#5541) [expressjs/express#5551](expressjs/express#5551) [expressjs/express#5541](expressjs/express#5541) [expressjs/express#5032](expressjs/express#5032) [expressjs/express#5034](expressjs/express#5034) [expressjs/express#5027](expressjs/express#5027) [expressjs/express#5124](expressjs/express#5124) [expressjs/express#5119](expressjs/express#5119) [expressjs/express#5117](expressjs/express#5117) [expressjs/express#5113](expressjs/express#5113) [expressjs/express#5130](expressjs/express#5130) [expressjs/express#5131](expressjs/express#5131) [expressjs/express#5028](expressjs/express#5028) [expressjs/express#5137](expressjs/express#5137) [#5541](https://github.com/brafdlog/caspion/issues/5541)
@mnathsnyk mnathsnyk mentioned this pull request May 16, 2024
Open
@X-oss-byte X-oss-byte mentioned this pull request May 18, 2024
Open
@regreaves regreaves mentioned this pull request May 18, 2024
Open
@waybie waybie mentioned this pull request May 19, 2024
Open
@ntnguyencse ntnguyencse mentioned this pull request May 19, 2024
Closed
@john-jinghai-ma john-jinghai-ma mentioned this pull request May 19, 2024
Open
@178masato 178masato mentioned this pull request May 19, 2024
Open
@Samax-DevOps Samax-DevOps mentioned this pull request Nov 11, 2024
Open
@MikeTeddyOmondi MikeTeddyOmondi mentioned this pull request Nov 11, 2024
Open
@rish2497 rish2497 mentioned this pull request Nov 11, 2024
Open
@HyunMinH HyunMinH mentioned this pull request Nov 11, 2024
Open
@regreaves regreaves mentioned this pull request Nov 11, 2024
Open
@Kritune-Dev Kritune-Dev mentioned this pull request Nov 12, 2024
Open
@Waterclone Waterclone mentioned this pull request Nov 12, 2024
Open
@Emmanuel97423 Emmanuel97423 mentioned this pull request Nov 12, 2024
Open
@surajit03 surajit03 mentioned this pull request Nov 12, 2024
Open
@ManuelDevWeb ManuelDevWeb mentioned this pull request Nov 12, 2024
Open
@BriceLgs BriceLgs mentioned this pull request Nov 12, 2024
Open
@Dmitry-White Dmitry-White mentioned this pull request Nov 12, 2024
Open
@ali8889 ali8889 mentioned this pull request Nov 12, 2024
Open
@BackinR2D2 BackinR2D2 mentioned this pull request Nov 12, 2024
Open
@etherio97 etherio97 mentioned this pull request Nov 12, 2024
Open
@OlajideTechie OlajideTechie mentioned this pull request Nov 12, 2024
Open
@lilocruz lilocruz mentioned this pull request Nov 12, 2024
Open
@audreynieketien audreynieketien mentioned this pull request Nov 12, 2024
Open
@reinaldoalmeida reinaldoalmeida mentioned this pull request Nov 12, 2024
Open
@bryanpinheiro bryanpinheiro mentioned this pull request Nov 12, 2024
Open
@pizzahutmachine pizzahutmachine mentioned this pull request Nov 12, 2024
Open
@NOUIY NOUIY mentioned this pull request Nov 12, 2024
Open
@officialmofabs officialmofabs mentioned this pull request Nov 12, 2024
Open
@devarmenchik1408 devarmenchik1408 mentioned this pull request Nov 13, 2024
Open
@eriklopess eriklopess mentioned this pull request Nov 13, 2024
Open
@pradumchintamani pradumchintamani mentioned this pull request Nov 13, 2024
Open
@paladinmansouri paladinmansouri mentioned this pull request Nov 13, 2024
Open
@LeoMuchuki LeoMuchuki mentioned this pull request Nov 13, 2024
Open
This was referenced Nov 13, 2024
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jonchurch jonchurch jonchurch approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@wesleytodd @jonchurch