hawk - npm Package Compare versions

Comparing version 4.1.0 to 4.1.1

12

lib/server.js

@@ -313,2 +313,7 @@ 'use strict';

// 1 2 3 4
internals.bewitRegex = /^(\/.*)([\?&])bewit\=([^&$]*)(?:&(.+))?$/;
exports.authenticateBewit = function (req, credentialsFunc, options, callback) {

@@ -331,4 +336,7 @@

// 1 2 3 4
const resource = request.url.match(/^(\/.*)([\?&])bewit\=([^&$]*)(?:&(.+))?$/);
if (request.url.length > Utils.limits.maxMatchLength) {
return callback(Boom.badRequest('Resource path exceeds max length'));
}
const resource = request.url.match(internals.bewitRegex);
if (!resource) {

@@ -335,0 +343,0 @@ return callback(Utils.unauthorized());
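Review bot: The new guard `if (request.url.length > Utils.limits.maxMatchLength)` is the only thing standing between an attacker-controlled URL and the backtracking `(\/.*)…` pattern now hoisted into `internals.bewitRegex`, yet nothing at the check site says so, which invites a later "simplification" that removes it. Add `// Bound the input before matching: bewitRegex backtracks on long URLs (see Utils.limits.maxMatchLength)` above the check. The body of `authenticateBewit` continues outside the hunk, and `request` appears to be derived from the `req` parameter there; that is inferred, not visible here.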

@@ -20,2 +20,7 @@ 'use strict';

exports.limits = {
maxMatchLength: 4096 // Limit the length of uris and headers to avoid a DoS attack on string matching
};
// Extract host and port from request

@@ -35,2 +40,6 @@

if (hostHeader.length > exports.limits.maxMatchLength) {
return null;
}
const hostParts = hostHeader.match(internals.hostHeaderRegex);

@@ -105,2 +114,6 @@ if (!hostParts) {

internals.authHeaderRegex = /^(\w+)(?:\s+(.*))?$/; // Header: scheme[ something]
internals.attributeRegex = /^[ \w\!#\$%&'\(\)\*\+,\-\.\/\:;<\=>\?@\[\]\^`\{\|\}~]+$/; // !#$%&'()*+,-./:;<=>?@[]^_`{|}~ and space, a-z, A-Z, 0-9
// Parse Hawk HTTP Authorization header

@@ -116,3 +129,7 @@

const headerParts = header.match(/^(\w+)(?:\s+(.*))?$/); // Header: scheme[ something]
if (header.length > exports.limits.maxMatchLength) {
return Boom.badRequest('Header length too long');
}
const headerParts = header.match(internals.authHeaderRegex);
if (!headerParts) {

@@ -143,5 +160,5 @@ return Boom.badRequest('Invalid header syntax');

// Allowed attribute value characters: !#$%&'()*+,-./:;<=>?@[]^_`{|}~ and space, a-z, A-Z, 0-9
// Allowed attribute value characters
if ($2.match(/^[ \w\!#\$%&'\(\)\*\+,\-\.\/\:;<\=>\?@\[\]\^`\{\|\}~]+$/) === null) {
if ($2.match(internals.attributeRegex) === null) {
errorMessage = 'Bad attribute value: ' + $1;

@@ -148,0 +165,0 @@ return;
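Review bot: In `parseHost` the new over-long case at `if (hostHeader.length > exports.limits.maxMatchLength) { return null; }` is silent and indistinguishable from a malformed header, while `parseAuthorizationHeader` returns a descriptive `Boom.badRequest('Header length too long')`; if the asymmetry is deliberate, say so with `// Over-long Host header: treat as unparseable (null) so hostHeaderRegex never sees unbounded input`. `exports.limits` is also a mutable plain object, so any consumer that assigns `limits.maxMatchLength` changes the protection process-wide; if that is intended as configuration, document it on the export, otherwise `exports.limits = Object.freeze({ … })` would pin it. The file header for these hunks is not shown on this page, so the file is assumed to be lib/utils.js, and each enclosing function starts outside its hunk.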

2

package.json
{
"name": "hawk",
"description": "HTTP Hawk Authentication Scheme",
"version": "4.1.0",
"version": "4.1.1",
"author": "Eran Hammer <eran@hammer.io> (http://hueniverse.com)",

@@ -6,0 +6,0 @@ "repository": "git://github.com/hueniverse/hawk",

@@ -974,2 +974,29 @@ 'use strict';

describe('authenticateBewit()', () => {
it('errors on uri too long', (done) => {
let long = '/';
for (let i = 0; i < 5000; ++i) {
long += 'x';
}
const req = {
method: 'GET',
url: long,
host: 'example.com',
port: 8080,
authorization: 'Hawk id="1", ts="1353788437", nonce="k3j4h2", mac="zy79QQ5/EYFmQqutVnYb73gAc/U=", ext="hello"'
};
Hawk.server.authenticateBewit(req, credentialsFunc, {}, (err, credentials, bewit) => {
expect(err).to.exist();
expect(err.output.statusCode).to.equal(400);
expect(err.message).to.equal('Resource path exceeds max length');
done();
});
});
});
describe('authenticateMessage()', () => {

@@ -976,0 +1003,0 @@
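Review bot: The fixture in `it('errors on uri too long', …)` hard-codes a 5000-character loop, so it no longer tracks the limit it exercises; `const long = '/' + 'x'.repeat(Hawk.utils.limits.maxMatchLength);` (one character over the limit) ties it to the constant and drops the loop. The same pattern appears in the two new cases in the utils test section below (`parseHost` and `parseAuthorizationHeader`). There is also no case confirming that a URL of exactly `maxMatchLength` characters is still accepted, so a regression tightening the comparison to `>=` would pass unnoticed. The enclosing `describe` blocks start outside the hunk.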

@@ -98,4 +98,32 @@ 'use strict';

});
it('errors on header too long', (done) => {
let long = '';
for (let i = 0; i < 5000; ++i) {
long += 'x';
}
expect(Hawk.utils.parseHost({ headers: { host: long } })).to.be.null();
done();
});
});
describe('parseAuthorizationHeader()', () => {
it('errors on header too long', (done) => {
let long = 'Scheme a="';
for (let i = 0; i < 5000; ++i) {
long += 'x';
}
long += '"';
const err = Hawk.utils.parseAuthorizationHeader(long, ['a']);
expect(err).to.be.instanceof(Error);
expect(err.message).to.equal('Header length too long');
done();
});
});
describe('version()', () => {

@@ -102,0 +130,0 @@
