Merge pull request #1778 from nodeSolidServer/fix/issue#1692

Fix/issue#1692
nodeSolidServer · Apr 3, 2024 · 0b6df62 · 0b6df62
2 parents f5652f3 + 81d8dfd
commit 0b6df62
Show file tree

Hide file tree

Showing 6 changed files with 168 additions and 347 deletions.
diff --git a/.nvmrc b/.nvmrc
@@ -1 +1 @@
-16.14.0
+v18.19.0
diff --git a/lib/ldp.js b/lib/ldp.js
@@ -145,18 +145,26 @@ class LDP {
 
     const ldp = this
     debug.handlers('POST -- On parent: ' + containerPath)
-    // prepare slug
+    if (container) {
+      // Containers should not receive an extension
+      extension = ''
+    }
+    // pepare slug
     if (slug) {
-      if (this.isAuxResource(slug, extension)) throw error(403, 'POST is not allowed for auxiliary resources')
       slug = decodeURIComponent(slug)
+
+      if (container) {
+        // the name of a container cannot be a valid auxiliary resource document
+        while (this._containsInvalidSuffixes(slug + '/')) {
+          const idx = slug.lastIndexOf('.')
+          slug = slug.substr(0, idx)
+        }
+      } else if (this.isAuxResource(slug, extension)) throw error(403, 'POST to auxiliary resources is not allowed')
+
       if (slug.match(/\/|\||:/)) {
-        throw error(400, 'The name of new file POSTed may not contain : | or /')
+        throw error(400, 'The name of a POSTed new file may not contain ":" (colon), "|" (pipe), or "/" (slash)')
       }
     }
-    // Containers should not receive an extension
-    if (container) {
-      extension = ''
-    }
 
     // always return a valid URL.
     const resourceUrl = await ldp.getAvailableUrl(hostname, containerPath, { slug, extension, container })
@@ -327,11 +335,25 @@ class LDP {
     } catch (err) { }
   }
 
+  /**
+   * This function is used to make sure a resource or container which contains
+   * reserved suffixes for auxiliary documents cannot be created.
+   * @param {string} path - the uri to check for invalid suffixes
+   * @returns {boolean} true is fail - if the path contains reserved suffixes
+   */
+  _containsInvalidSuffixes (path) {
+    return AUXILIARY_RESOURCES.some(suffix => path.endsWith(suffix + '/'))
+  }
+
   // check whether a document (or container) has the same name as another document (or container)
   async checkItemName (url) {
     let testName, testPath
     const { hostname, pathname } = this.resourceMapper._parseUrl(url) // (url.url || url)
     let itemUrl = this.resourceMapper.resolveUrl(hostname, pathname)
+    // make sure the resource being created does not attempt invalid resource creation
+    if (this._containsInvalidSuffixes(itemUrl)) {
+      throw error(400, `${itemUrl} contained reserved suffixes in path`)
+    }
     const container = itemUrl.endsWith('/')
     try {
       const testUrl = container ? itemUrl.slice(0, -1) : itemUrl + '/'