mirrors/pdf.js
1
0
Fork 0
mirror of https://github.com/mozilla/pdf.js.git synced 2025-04-19 22:58:07 +02:00
Code Activity
pdf.js/test
History
Rob Wu 17da8ee8fa Fix path traversal issue in createTemporaryNodeServer 
The test-only createTemporaryNodeServer helper featured a path traversal
vulnerability. This enables attackers with network access to the device
to read arbitrary files while unit tests are running that activate this
test server.

This patch fixes the issue by validation of paths.

To test this vulnerability before the patch:

1. Run the test-only server:

```
node -e 'console.log(require("./test/unit/test_utils.js").createTemporaryNodeServer().port)
```

2. From another terminal, send the following request (modify the port to
   the port reported in the previous step):

```
curl --path-as-is http://localhost:45755/../../package.json
```

Before the patch, the second step would traverse the directory, and
return results from the root of the PDF.js repository, instead of files
within test/pdfs/.

With the patch, the server refuses the request with HTTP status 400.
2024-11-23 21:32:24 +01:00
..
chromium Enable the import/no-commonjs ESLint plugin rule 2023-10-14 12:49:17 +02:00
font Use Python 3.13 in the GitHub workflows 2024-11-12 20:59:01 +01:00
fuzz Migrate to ESLint flat config 2024-11-12 16:15:17 +01:00
images [Editor] Avoid to have a selected stamp annotation on top of the secondary toolbar (bug 1911980) 2024-09-26 17:48:02 +02:00
integration Merge pull request #19069 from calixteman/stamp_test 2024-11-19 20:42:12 +01:00
pdfs Apply gradient when stroking text 2024-11-11 15:53:07 +01:00
resources Enable the declaration-block-no-redundant-longhand-properties Stylelint rule 2023-03-25 10:08:27 +01:00
stats Enable the import/no-commonjs ESLint plugin rule 2023-10-14 12:49:17 +02:00
types Install and use the most recent Node types for the types tests 2024-11-03 13:40:55 +01:00
unit Fix path traversal issue in createTemporaryNodeServer 2024-11-23 21:32:24 +01:00
.gitignore Ignore test snapshots directory. 2013-03-15 11:24:08 -07:00
add_test.mjs [ESM] Convert *most* of test-folder to use standard modules 2023-07-08 13:13:04 +02:00
annotation_layer_builder_overrides.css Use CSS nesting in the annotationLayer 2023-10-27 18:46:47 +02:00
downloadutils.mjs Modernize the rewriteWebArchiveUrl test helper function 2023-12-17 21:53:50 +01:00
draw_layer_test.css [Editor] Add a way to extract the outlines of a union of rectangles 2023-11-20 18:45:19 +01:00
driver.js Disable ref test 'issue18896' for Chrome because it takes too much time 2024-11-11 18:55:56 +01:00
integration-boot.mjs Don't ignore errors in the Jasmine suite start/end stages 2024-06-23 20:59:48 +02:00
test.mjs Add more optional chaining in the test/ directory 2024-09-22 13:00:57 +02:00
test_manifest.json Merge pull request #19024 from calixteman/disable_test_chrome 2024-11-11 19:11:30 +01:00
test_slave.html [api-minor] Move to Fluent for the localization (bug 1858715) 2023-10-19 11:20:41 +02:00
testutils.mjs Remove the rimraf dependency in favor of the built-in Node.js fs.rmSync in the test folder 2024-04-14 16:41:59 +02:00
text_layer_test.css Use CSS nesting in the textLayer 2023-10-27 17:38:01 +02:00
webserver.mjs Use the URL global instead of the deprecated url.parse 2024-08-27 18:19:25 +02:00
xfa_layer_builder_overrides.css Remove unnecessary alpha-value from CSS rgb colors 2023-10-06 09:50:03 +02:00