Comparing version 4.1.0 to 4.1.1
@@ -313,2 +313,7 @@ 'use strict'; | ||
// 1 2 3 4 | ||
internals.bewitRegex = /^(\/.*)([\?&])bewit\=([^&$]*)(?:&(.+))?$/; | ||
exports.authenticateBewit = function (req, credentialsFunc, options, callback) { | ||
@@ -331,4 +336,7 @@ | ||
// 1 2 3 4 | ||
const resource = request.url.match(/^(\/.*)([\?&])bewit\=([^&$]*)(?:&(.+))?$/); | ||
if (request.url.length > Utils.limits.maxMatchLength) { | ||
return callback(Boom.badRequest('Resource path exceeds max length')); | ||
} | ||
const resource = request.url.match(internals.bewitRegex); | ||
if (!resource) { | ||
@@ -335,0 +343,0 @@ return callback(Utils.unauthorized()); |
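Review bot: The new guard at `if (request.url.length > Utils.limits.maxMatchLength)` carries no comment explaining why it exists, so a later reader may take it for an arbitrary URL cap and remove it; the rationale lives only next to `maxMatchLength` in utils.js. I'd put `// Bound the input to bewitRegex below: matching a long URL can be CPU-expensive, so reject oversize paths before the regex runs (see Utils.limits.maxMatchLength)` directly above the check. Note the guard bounds the cost of the match rather than changing `internals.bewitRegex` itself: the leading `(\/.*)` followed by `([\?&])bewit\=` can still backtrack across the whole URL when no `bewit=` is present, which is presumably acceptable at 4096 characters but is worth stating. The body of authenticateBewit continues outside the hunk.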
@@ -20,2 +20,7 @@ 'use strict'; | ||
exports.limits = { | ||
maxMatchLength: 4096 // Limit the length of uris and headers to avoid a DoS attack on string matching | ||
}; | ||
// Extract host and port from request | ||
@@ -35,2 +40,6 @@ | ||
if (hostHeader.length > exports.limits.maxMatchLength) { | ||
return null; | ||
} | ||
const hostParts = hostHeader.match(internals.hostHeaderRegex); | ||
@@ -105,2 +114,6 @@ if (!hostParts) { | ||
internals.authHeaderRegex = /^(\w+)(?:\s+(.*))?$/; // Header: scheme[ something] | ||
internals.attributeRegex = /^[ \w\!#\$%&'\(\)\*\+,\-\.\/\:;<\=>\?@\[\]\^`\{\|\}~]+$/; // !#$%&'()*+,-./:;<=>?@[]^_`{|}~ and space, a-z, A-Z, 0-9 | ||
// Parse Hawk HTTP Authorization header | ||
@@ -116,3 +129,7 @@ | ||
const headerParts = header.match(/^(\w+)(?:\s+(.*))?$/); // Header: scheme[ something] | ||
if (header.length > exports.limits.maxMatchLength) { | ||
return Boom.badRequest('Header length too long'); | ||
} | ||
const headerParts = header.match(internals.authHeaderRegex); | ||
if (!headerParts) { | ||
@@ -143,5 +160,5 @@ return Boom.badRequest('Invalid header syntax'); | ||
// Allowed attribute value characters: !#$%&'()*+,-./:;<=>?@[]^_`{|}~ and space, a-z, A-Z, 0-9 | ||
// Allowed attribute value characters | ||
if ($2.match(/^[ \w\!#\$%&'\(\)\*\+,\-\.\/\:;<\=>\?@\[\]\^`\{\|\}~]+$/) === null) { | ||
if ($2.match(internals.attributeRegex) === null) { | ||
errorMessage = 'Bad attribute value: ' + $1; | ||
@@ -148,0 +165,0 @@ return; |
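Review bot: The `length > exports.limits.maxMatchLength` guard is now repeated by hand in front of each regex use (parseHost at `if (hostHeader.length > exports.limits.maxMatchLength)`, parseAuthorizationHeader at `if (header.length > exports.limits.maxMatchLength)`, and authenticateBewit in server.js), which makes the mitigation easy to forget the next time a regex is added. A single helper such as `internals.isTooLong = (str) => str.length > exports.limits.maxMatchLength;` used at all three sites keeps the policy in one place. In parseHost the guard returns `null`, the same value a malformed Host header yields, so callers cannot tell an oversize header from a bad one; if that is intended, a comment at the `return null;` saying so would help. The hunk does not show how hostHeader is obtained, so if it can be undefined at that point the `.length` access would throw; worth confirming against the lines above the hunk.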
{ | ||
"name": "hawk", | ||
"description": "HTTP Hawk Authentication Scheme", | ||
"version": "4.1.0", | ||
"version": "4.1.1", | ||
"author": "Eran Hammer <eran@hammer.io> (http://hueniverse.com)", | ||
@@ -6,0 +6,0 @@ "repository": "git://github.com/hueniverse/hawk", |
@@ -974,2 +974,29 @@ 'use strict'; | ||
describe('authenticateBewit()', () => { | ||
it('errors on uri too long', (done) => { | ||
let long = '/'; | ||
for (let i = 0; i < 5000; ++i) { | ||
long += 'x'; | ||
} | ||
const req = { | ||
method: 'GET', | ||
url: long, | ||
host: 'example.com', | ||
port: 8080, | ||
authorization: 'Hawk id="1", ts="1353788437", nonce="k3j4h2", mac="zy79QQ5/EYFmQqutVnYb73gAc/U=", ext="hello"' | ||
}; | ||
Hawk.server.authenticateBewit(req, credentialsFunc, {}, (err, credentials, bewit) => { | ||
expect(err).to.exist(); | ||
expect(err.output.statusCode).to.equal(400); | ||
expect(err.message).to.equal('Resource path exceeds max length'); | ||
done(); | ||
}); | ||
}); | ||
}); | ||
describe('authenticateMessage()', () => { | ||
@@ -976,0 +1003,0 @@ |
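Review bot: The new test only checks that a 5001-character URL is rejected and never exercises the boundary, so a regression that turned the comparison into `>=` or silently lowered the limit would pass unnoticed; I'd add a sibling case where the URL is exactly `Hawk.utils.limits.maxMatchLength` characters long and assert that the error message is not 'Resource path exceeds max length' (the request may still fail authentication for other reasons, so assert on the message rather than on success). The same applies to the two new cases in test/utils.js. The character-by-character loop could be written as `const long = '/' + 'x'.repeat(5000);`, which the file's existing ES6 usage already permits.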
@@ -98,4 +98,32 @@ 'use strict'; | ||
}); | ||
it('errors on header too long', (done) => { | ||
let long = ''; | ||
for (let i = 0; i < 5000; ++i) { | ||
long += 'x'; | ||
} | ||
expect(Hawk.utils.parseHost({ headers: { host: long } })).to.be.null(); | ||
done(); | ||
}); | ||
}); | ||
describe('parseAuthorizationHeader()', () => { | ||
it('errors on header too long', (done) => { | ||
let long = 'Scheme a="'; | ||
for (let i = 0; i < 5000; ++i) { | ||
long += 'x'; | ||
} | ||
long += '"'; | ||
const err = Hawk.utils.parseAuthorizationHeader(long, ['a']); | ||
expect(err).to.be.instanceof(Error); | ||
expect(err.message).to.equal('Header length too long'); | ||
done(); | ||
}); | ||
}); | ||
describe('version()', () => { | ||
@@ -102,0 +130,0 @@ |