1.0.2
This commit is contained in:
parent
fc6bfcb6de
commit
2e441d4bbf
6 changed files with 20 additions and 18 deletions
|
@ -1,5 +1,5 @@
|
|||
# security
|
||||
[![version 1.0.1](https://img.shields.io/badge/pub-v1.0.1-brightgreen.svg)](https://pub.dartlang.org/packages/angel_security)
|
||||
[![version 1.0.2](https://img.shields.io/badge/pub-v1.0.2-brightgreen.svg)](https://pub.dartlang.org/packages/angel_security)
|
||||
[![build status](https://travis-ci.org/angel-dart/security.svg)](https://travis-ci.org/angel-dart/security)
|
||||
|
||||
Angel middleware designed to enhance application security by patching common Web security
|
||||
|
|
|
@ -19,8 +19,12 @@ RequestMiddleware sanitizeHtmlInput(
|
|||
var sanitizers = {}..addAll(DEFAULT_SANITIZERS)..addAll(replace ?? {});
|
||||
|
||||
return (RequestContext req, res) async {
|
||||
if (body) _sanitizeMap(await req.lazyBody(), sanitizers);
|
||||
if (query) _sanitizeMap(await req.lazyQuery(), sanitizers);
|
||||
if (body) {
|
||||
await req.parse();
|
||||
_sanitizeMap(req.body, sanitizers);
|
||||
}
|
||||
|
||||
if (query) _sanitizeMap(req.query, sanitizers);
|
||||
return true;
|
||||
};
|
||||
}
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
name: angel_security
|
||||
version: 1.0.1
|
||||
version: 1.0.2
|
||||
description: Angel middleware designed to enhance application security by patching common Web security holes.
|
||||
author: Tobe O <thosakwe@gmail.com>
|
||||
environment:
|
||||
|
|
|
@ -29,7 +29,7 @@ main() {
|
|||
..beforeIndexed.listen(hooks.queryWithCurrentUser())
|
||||
..beforeCreated.listen(hooks.hashPassword());
|
||||
|
||||
app.service('artists')
|
||||
app.service('artists') as HookedService
|
||||
..beforeIndexed.listen(hooks.restrictToAuthenticated())
|
||||
..beforeRead.listen(hooks.restrictToOwner())
|
||||
..beforeCreated.listen(hooks.associateCurrentUser());
|
||||
|
|
|
@ -14,10 +14,9 @@ main() async {
|
|||
TestClient client;
|
||||
|
||||
setUp(() async {
|
||||
app = new Angel()
|
||||
..chain(validate(untrustedSchema))
|
||||
.chain(sanitizeHtmlInput())
|
||||
.post('/untrusted', (RequestContext req, ResponseContext res) async {
|
||||
app = new Angel();
|
||||
app.chain([validate(untrustedSchema), sanitizeHtmlInput()])
|
||||
..post('/untrusted', (RequestContext req, ResponseContext res) async {
|
||||
String untrusted = req.body['html'];
|
||||
res
|
||||
..contentType = ContentType.HTML
|
||||
|
@ -30,8 +29,7 @@ main() async {
|
|||
<body>$untrusted</body>
|
||||
</html>''');
|
||||
})
|
||||
..chain(validate(untrustedSchema)).post('/attribute',
|
||||
(RequestContext req, ResponseContext res) async {
|
||||
..post('/attribute', (RequestContext req, ResponseContext res) async {
|
||||
String untrusted = req.body['html'];
|
||||
res
|
||||
..contentType = ContentType.HTML
|
||||
|
@ -108,7 +106,7 @@ main() async {
|
|||
var response = await client.post('/attribute', body: {'html': xss});
|
||||
print(response.body);
|
||||
expect(response.body.contains(xss), isFalse);
|
||||
expect(response.body.toLowerCase().contains('javascript:'), isFalse);
|
||||
expect(response.body.toLowerCase().contains(xss), isFalse);
|
||||
});
|
||||
|
||||
test('style attribute', () async {
|
||||
|
@ -116,6 +114,6 @@ main() async {
|
|||
var response = await client.post('/attribute', body: {'html': xss});
|
||||
print(response.body);
|
||||
expect(response.body.contains(xss), isFalse);
|
||||
expect(response.body.toLowerCase().contains('javascript:'), isFalse);
|
||||
expect(response.body.toLowerCase().contains(xss), isFalse);
|
||||
});
|
||||
}
|
||||
|
|
|
@ -27,7 +27,7 @@ main() {
|
|||
// First request within the hour is fine
|
||||
var response = await client.get('/once-per-hour');
|
||||
print(response.body);
|
||||
expect(response, hasBody('OK'));
|
||||
expect(response, hasBody('"OK"'));
|
||||
|
||||
// Second request within an hour? No no no!
|
||||
response = await client.get('/once-per-hour');
|
||||
|
@ -39,19 +39,19 @@ main() {
|
|||
// First request within the minute is fine
|
||||
var response = await client.get('/thrice-per-minute');
|
||||
print(response.body);
|
||||
expect(response, hasBody('OK'));
|
||||
expect(response, hasBody('"OK"'));
|
||||
|
||||
|
||||
// Second request within the minute is fine
|
||||
response = await client.get('/thrice-per-minute');
|
||||
print(response.body);
|
||||
expect(response.body, hasBody('OK'));
|
||||
expect(response, hasBody('"OK"'));
|
||||
|
||||
|
||||
// Third request within the minute is fine
|
||||
response = await client.get('/thrice-per-minute');
|
||||
print(response.body);
|
||||
expect(response, hasBody('OK'));
|
||||
expect(response, hasBody('"OK"'));
|
||||
|
||||
// Fourth request within a minute? No no no!
|
||||
response = await client.get('/thrice-per-minute');
|
||||
|
|
Loading…
Reference in a new issue