node_modules/fast-uri/test/security.test.js - devtools/devtools-frontend.git - Git at Google

 'use strict'

 const test = require('tape')
 const fastURI = require('..')

 test('parse marks malformed authority and port inputs as errors', (t) => {
   const malformedCases = [
     {
       input: 'http://[::1]foo',
       expectedError: 'URI path must start with "/" when authority is present.'
     },
     {
       input: 'http://[::1]:80abc/path',
       expectedError: 'URI path must start with "/" when authority is present.'
     },
     {
       input: 'http://example.com:80abc/path',
       expectedError: 'URI path must start with "/" when authority is present.'
     },
     {
       input: 'http://[::1]:65536',
       expectedError: 'URI port is malformed.'
     }
   ]

   t.plan(malformedCases.length)

   malformedCases.forEach(({ input, expectedError }) => {
     t.equal(fastURI.parse(input).error, expectedError, input)
   })
 })

 test('normalize does not canonicalize malformed URLs into different valid URLs', (t) => {
   const malformedCases = [
     'http://[::1]foo',
     'http://[::1]:80abc/path',
     'http://example.com:80abc/path',
     'http://[::1]:65536'
   ]

   t.plan(malformedCases.length)

   malformedCases.forEach((input) => {
     t.equal(fastURI.normalize(input), input, input)
   })
 })

 test('equal returns false when either side is malformed', (t) => {
   const malformedPairs = [
     ['http://[::1]foo', 'http://[::1]/foo'],
     ['http://[::1]:80abc/path', 'http://[::1]/abc/path'],
     ['http://example.com:80abc/path', 'http://example.com/abc/path'],
     ['http://[::1]:65536', 'http://[::1]:65536/']
   ]

   t.plan(malformedPairs.length)

   malformedPairs.forEach(([left, right]) => {
     t.equal(fastURI.equal(left, right), false, `${left} != ${right}`)
   })
 })

 test('normalize preserves encoded authority delimiters in host', (t) => {
   const cases = [
     ['http://trusted.com%40evil.com/', 'http://trusted.com%40evil.com/'],
     ['http://example.com%3A8080/', 'http://example.com%3A8080/'],
     ['http://example.com%2Fevil.com/path', 'http://example.com%2Fevil.com/path'],
     ['http://example.com%23fragment/path', 'http://example.com%23fragment/path'],
     ['http://example.com%3Fq=evil/path', 'http://example.com%3Fq=evil/path'],
     ['http://user%3Apass%40evil.com/', 'http://user%3Apass%40evil.com/'],
     ['http://user@trusted.com%40evil.com/', 'http://user@trusted.com%40evil.com/'],
     ['https://trusted.com%40evil.com/', 'https://trusted.com%40evil.com/'],
     ['ws://trusted.com%40evil.com/chat', 'ws://trusted.com%40evil.com/chat'],
     ['wss://trusted.com%40evil.com/chat', 'wss://trusted.com%40evil.com/chat']
   ]

   t.plan(cases.length)

   cases.forEach(([input, expected]) => {
     t.equal(fastURI.normalize(input), expected, input)
   })
 })

 test('parse preserves encoded authority delimiters in host', (t) => {
   const cases = [
     ['http://trusted.com%40evil.com/', 'trusted.com%40evil.com'],
     ['http://example.com%3A8080/', 'example.com%3A8080'],
     ['http://user%3Apass%40evil.com/', 'user%3Apass%40evil.com']
   ]

   t.plan(cases.length)

   cases.forEach(([input, expectedHost]) => {
     t.equal(fastURI.parse(input).host, expectedHost, input)
   })
 })

 test('equal returns false when encoded delimiters differ from live delimiters', (t) => {
   const pairs = [
     ['http://trusted.com%40evil.com/', 'http://trusted.com@evil.com/'],
     ['http://example.com%3A8080/', 'http://example.com:8080/']
   ]

   t.plan(pairs.length)

   pairs.forEach(([left, right]) => {
     t.equal(fastURI.equal(left, right, {}), false, `${left} != ${right}`)
   })
 })

 test('resolve preserves encoded authority delimiters', (t) => {
   const result = fastURI.resolve('http://base.com/', '//trusted.com%40evil.com/path')
   const parsed = fastURI.parse(result)

   t.plan(1)
   t.notEqual(parsed.host, 'evil.com', '//trusted.com%40evil.com/path')
 })

 test('serialize escapes authority delimiters in host field', (t) => {
   const result = fastURI.serialize({ scheme: 'http', host: 'trusted.com@evil.com', path: '/' })
   const parsed = fastURI.parse(result)

   t.plan(1)
   t.notEqual(parsed.host, 'evil.com', 'host: trusted.com@evil.com')
 })

 test('normalize does not double-decode %2540 into a live @', (t) => {
   const result = fastURI.normalize('http://trusted.com%2540evil.com/')
   const parsed = fastURI.parse(result)

   t.plan(1)
   t.notEqual(parsed.host, 'trusted.com@evil.com', 'http://trusted.com%2540evil.com/')
 })
	'use strict'

	const test = require('tape')
	const fastURI = require('..')

	test('parse marks malformed authority and port inputs as errors', (t) => {
	const malformedCases = [
	{
	input: 'http://[::1]foo',
	expectedError: 'URI path must start with "/" when authority is present.'
	},
	{
	input: 'http://[::1]:80abc/path',
	expectedError: 'URI path must start with "/" when authority is present.'
	},
	{
	input: 'http://example.com:80abc/path',
	expectedError: 'URI path must start with "/" when authority is present.'
	},
	{
	input: 'http://[::1]:65536',
	expectedError: 'URI port is malformed.'
	}
	]

	t.plan(malformedCases.length)

	malformedCases.forEach(({ input, expectedError }) => {
	t.equal(fastURI.parse(input).error, expectedError, input)
	})
	})

	test('normalize does not canonicalize malformed URLs into different valid URLs', (t) => {
	const malformedCases = [
	'http://[::1]foo',
	'http://[::1]:80abc/path',
	'http://example.com:80abc/path',
	'http://[::1]:65536'
	]

	t.plan(malformedCases.length)

	malformedCases.forEach((input) => {
	t.equal(fastURI.normalize(input), input, input)
	})
	})

	test('equal returns false when either side is malformed', (t) => {
	const malformedPairs = [
	['http://[::1]foo', 'http://[::1]/foo'],
	['http://[::1]:80abc/path', 'http://[::1]/abc/path'],
	['http://example.com:80abc/path', 'http://example.com/abc/path'],
	['http://[::1]:65536', 'http://[::1]:65536/']
	]

	t.plan(malformedPairs.length)

	malformedPairs.forEach(([left, right]) => {
	t.equal(fastURI.equal(left, right), false, `${left} != ${right}`)
	})
	})

	test('normalize preserves encoded authority delimiters in host', (t) => {
	const cases = [
	['http://trusted.com%40evil.com/', 'http://trusted.com%40evil.com/'],
	['http://example.com%3A8080/', 'http://example.com%3A8080/'],
	['http://example.com%2Fevil.com/path', 'http://example.com%2Fevil.com/path'],
	['http://example.com%23fragment/path', 'http://example.com%23fragment/path'],
	['http://example.com%3Fq=evil/path', 'http://example.com%3Fq=evil/path'],
	['http://user%3Apass%40evil.com/', 'http://user%3Apass%40evil.com/'],
	['http://user@trusted.com%40evil.com/', 'http://user@trusted.com%40evil.com/'],
	['https://trusted.com%40evil.com/', 'https://trusted.com%40evil.com/'],
	['ws://trusted.com%40evil.com/chat', 'ws://trusted.com%40evil.com/chat'],
	['wss://trusted.com%40evil.com/chat', 'wss://trusted.com%40evil.com/chat']
	]

	t.plan(cases.length)

	cases.forEach(([input, expected]) => {
	t.equal(fastURI.normalize(input), expected, input)
	})
	})

	test('parse preserves encoded authority delimiters in host', (t) => {
	const cases = [
	['http://trusted.com%40evil.com/', 'trusted.com%40evil.com'],
	['http://example.com%3A8080/', 'example.com%3A8080'],
	['http://user%3Apass%40evil.com/', 'user%3Apass%40evil.com']
	]

	t.plan(cases.length)

	cases.forEach(([input, expectedHost]) => {
	t.equal(fastURI.parse(input).host, expectedHost, input)
	})
	})

	test('equal returns false when encoded delimiters differ from live delimiters', (t) => {
	const pairs = [
	['http://trusted.com%40evil.com/', 'http://trusted.com@evil.com/'],
	['http://example.com%3A8080/', 'http://example.com:8080/']
	]

	t.plan(pairs.length)

	pairs.forEach(([left, right]) => {
	t.equal(fastURI.equal(left, right, {}), false, `${left} != ${right}`)
	})
	})

	test('resolve preserves encoded authority delimiters', (t) => {
	const result = fastURI.resolve('http://base.com/', '//trusted.com%40evil.com/path')
	const parsed = fastURI.parse(result)

	t.plan(1)
	t.notEqual(parsed.host, 'evil.com', '//trusted.com%40evil.com/path')
	})

	test('serialize escapes authority delimiters in host field', (t) => {
	const result = fastURI.serialize({ scheme: 'http', host: 'trusted.com@evil.com', path: '/' })
	const parsed = fastURI.parse(result)

	t.plan(1)
	t.notEqual(parsed.host, 'evil.com', 'host: trusted.com@evil.com')
	})

	test('normalize does not double-decode %2540 into a live @', (t) => {
	const result = fastURI.normalize('http://trusted.com%2540evil.com/')
	const parsed = fastURI.parse(result)

	t.plan(1)
	t.notEqual(parsed.host, 'trusted.com@evil.com', 'http://trusted.com%2540evil.com/')
	})