hawk - npm Package Compare versions
Comparing version 3.1.2 to 3.1.3
@@ -0,0 +0,0 @@ { |
@@ -0,0 +0,0 @@ { |
@@ -7,4 +7,7 @@ 'use strict' | ||
| function _typeof(obj) { return obj && typeof Symbol !== "undefined" && obj.constructor === Symbol ? "symbol" : typeof obj; } | ||
| var _typeof = function (obj) { | ||
| return obj && typeof Symbol !== 'undefined' && obj.constructor === Symbol ? 'symbol' : typeof obj; | ||
| }; | ||
| var Url = require('url'); | ||
@@ -11,0 +14,0 @@ var Hoek = require('hoek'); |
@@ -0,0 +0,0 @@ // Load modules |
@@ -0,0 +0,0 @@ /* |
@@ -0,0 +0,0 @@ // Load modules |
@@ -0,0 +0,0 @@ // Load modules |
@@ -0,0 +0,0 @@ // Export sub-modules |
@@ -311,2 +311,7 @@ // Load modules | ||
| // 1 2 3 4 | ||
| internals.bewitRegex = /^(\/.*)([\?&])bewit\=([^&$]*)(?:&(.+))?$/; | ||
| exports.authenticateBewit = function (req, credentialsFunc, options, callback) { | ||
@@ -329,4 +334,7 @@ | ||
| // 1 2 3 4 | ||
| var resource = request.url.match(/^(\/.*)([\?&])bewit\=([^&$]*)(?:&(.+))?$/); | ||
| if (request.url.length > Utils.limits.maxMatchLength) { | ||
| return callback(Boom.badRequest('Resource path exceeds max length')); | ||
| } | ||
| var resource = request.url.match(internals.bewitRegex); | ||
| if (!resource) { | ||
@@ -333,0 +341,0 @@ return callback(Boom.unauthorized(null, 'Hawk')); |
@@ -18,2 +18,7 @@ // Load modules | ||
| exports.limits = { | ||
| maxMatchLength: 4096 // Limit the length of uris and headers to avoid a DoS attack on string matching | ||
| }; | ||
| // Extract host and port from request | ||
@@ -33,2 +38,6 @@ | ||
| if (hostHeader.length > exports.limits.maxMatchLength) { | ||
| return null; | ||
| } | ||
| var hostParts = hostHeader.match(internals.hostHeaderRegex); | ||
@@ -68,4 +77,7 @@ if (!hostParts) { | ||
| if (!options.host || !options.port) { | ||
| var host = exports.parseHost(req, options.hostHeaderName); | ||
| var host; | ||
| if (!options.host || | ||
| !options.port) { | ||
| host = exports.parseHost(req, options.hostHeaderName); | ||
| if (!host) { | ||
@@ -101,2 +113,6 @@ return new Error('Invalid Host header'); | ||
| internals.authHeaderRegex = /^(\w+)(?:\s+(.*))?$/; // Header: scheme[ something] | ||
| internals.attributeRegex = /^[ \w\!#\$%&'\(\)\*\+,\-\.\/\:;<\=>\?@\[\]\^`\{\|\}~]+$/; // !#$%&'()*+,-./:;<=>?@[]^_`{|}~ and space, a-z, A-Z, 0-9 | ||
| // Parse Hawk HTTP Authorization header | ||
@@ -112,3 +128,7 @@ | ||
| var headerParts = header.match(/^(\w+)(?:\s+(.*))?$/); // Header: scheme[ something] | ||
| if (header.length > exports.limits.maxMatchLength) { | ||
| return Boom.badRequest('Header length too long'); | ||
| } | ||
| var headerParts = header.match(internals.authHeaderRegex); | ||
| if (!headerParts) { | ||
@@ -139,5 +159,5 @@ return Boom.badRequest('Invalid header syntax'); | ||
| // Allowed attribute value characters: !#$%&'()*+,-./:;<=>?@[]^_`{|}~ and space, a-z, A-Z, 0-9 | ||
| // Allowed attribute value characters | ||
| if ($2.match(/^[ \w\!#\$%&'\(\)\*\+,\-\.\/\:;<\=>\?@\[\]\^`\{\|\}~]+$/) === null) { | ||
| if ($2.match(internals.attributeRegex) === null) { | ||
| errorMessage = 'Bad attribute value: ' + $1; | ||
@@ -144,0 +164,0 @@ return; |
| { | ||
| "name": "hawk", | ||
| "description": "HTTP Hawk Authentication Scheme", | ||
| "version": "3.1.2", | ||
| "version": "3.1.3", | ||
| "author": "Eran Hammer <eran@hammer.io> (http://hueniverse.com)", | ||
@@ -6,0 +6,0 @@ "contributors": [], |
@@ -0,0 +0,0 @@  |
@@ -0,0 +0,0 @@ // Load modules |
@@ -0,0 +0,0 @@ // Load modules |
@@ -0,0 +0,0 @@ // Load modules |
@@ -0,0 +0,0 @@ // Load modules |
@@ -0,0 +0,0 @@ // Load modules |
@@ -973,2 +973,29 @@ // Load modules | ||
| describe('authenticateBewit()', function () { | ||
| it('errors on uri too long', function (done) { | ||
| var long = '/'; | ||
| for (var i = 0; i < 5000; ++i) { | ||
| long += 'x'; | ||
| } | ||
| var req = { | ||
| method: 'GET', | ||
| url: long, | ||
| host: 'example.com', | ||
| port: 8080, | ||
| authorization: 'Hawk id="1", ts="1353788437", nonce="k3j4h2", mac="zy79QQ5/EYFmQqutVnYb73gAc/U=", ext="hello"' | ||
| }; | ||
| Hawk.server.authenticateBewit(req, credentialsFunc, {}, function (err, credentials, bewit) { | ||
| expect(err).to.exist(); | ||
| expect(err.output.statusCode).to.equal(400); | ||
| expect(err.message).to.equal('Resource path exceeds max length'); | ||
| done(); | ||
| }); | ||
| }); | ||
| }); | ||
| describe('authenticateMessage()', function () { | ||
@@ -975,0 +1002,0 @@ |
@@ -0,0 +0,0 @@ // Load modules |
@@ -96,4 +96,32 @@ // Load modules | ||
| }); | ||
| it('errors on header too long', function (done) { | ||
| var long = ''; | ||
| for (var i = 0; i < 5000; ++i) { | ||
| long += 'x'; | ||
| } | ||
| expect(Hawk.utils.parseHost({ headers: { host: long } })).to.be.null(); | ||
| done(); | ||
| }); | ||
| }); | ||
| describe('parseAuthorizationHeader()', function () { | ||
| it('errors on header too long', function (done) { | ||
| var long = 'Scheme a="'; | ||
| for (var i = 0; i < 5000; ++i) { | ||
| long += 'x'; | ||
| } | ||
| long += '"'; | ||
| var err = Hawk.utils.parseAuthorizationHeader(long, ['a']); | ||
| expect(err).to.be.instanceof(Error); | ||
| expect(err.message).to.equal('Header length too long'); | ||
| done(); | ||
| }); | ||
| }); | ||
| describe('version()', function () { | ||
@@ -100,0 +128,0 @@ |
New alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Fixed alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Improved metrics
- Total package byte prevSize
- increased by2.79%
374517
- Lines of code
- increased by1.17%
5292