From 51163e91d546fe167c12cfc7604bf41fd9ee859e Mon Sep 17 00:00:00 2001
From: Zach
Date: Fri, 22 Mar 2024 10:09:36 -0500
Subject: [PATCH] added invalid suffix check to ldp and test in http-test

---
 lib/ldp.js | 4 ++++
 test/integration/http-test.js | 7 +++++++
 2 files changed, 11 insertions(+)

diff --git a/lib/ldp.js b/lib/ldp.js
index a6e7166a..5a9c9308 100644
--- a/lib/ldp.js
+++ b/lib/ldp.js
@@ -148,11 +148,15 @@ class LDP {
 // prepare slug
 if (slug) {
 if (this.isAuxResource(slug, extension)) throw error(403, 'POST is not allowed for auxiliary resources')
+ if (this._containsInvalidSuffixes(slug)) {
+ throw error(400, `${slug} is an invalid file path`)
+ }
 slug = decodeURIComponent(slug)
 if (slug.match(/\/|\||:/)) {
 throw error(400, 'The name of new file POSTed may not contain : | or /')
 }
 }
+
 // Containers should not receive an extension
 if (container) {
 extension = ''
diff --git a/test/integration/http-test.js b/test/integration/http-test.js
index 03489e49..150c0e44 100644
--- a/test/integration/http-test.js
+++ b/test/integration/http-test.js
@@ -891,6 +891,13 @@ describe('HTTP APIs', function () {
 .set('content-type', 'text/turtle')
 .expect(403, done)
 })
+ it('should error with 400 if slug contains invalid suffix', function (done) {
+ server.post('/post-tests/')
+ .set('slug', 'put-resource.acl.ttl')
+ .send(postRequest1Body)
+ .set('content-type', 'text-turtle')
+ .expect(400, done)
+ })
 it('should error with 400 if the body is empty and no content type is provided', function (done) {
 server.post('/post-tests/')
 .set('slug', 'post-resource-empty-fail')
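Review bot: The new `_containsInvalidSuffixes(slug)` check in lib/ldp.js runs on the raw Slug header, before `slug = decodeURIComponent(slug)`, so a percent-encoded form of a rejected suffix would presumably pass the check and only become the literal suffix after decoding (the helper is defined outside this hunk, so this is inferred from the ordering). The same ordering applies to the existing `isAuxResource` check one line above. Validate the canonical value instead: move `slug = decodeURIComponent(slug)` to the top of the `if (slug)` block so both checks see the decoded name. The 400 message also echoes the client-supplied slug; a fixed message such as `'Slug contains an invalid suffix'` avoids reflecting request data. The enclosing method starts and ends outside the hunk.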
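Review bot: The new test in test/integration/http-test.js sends `.set('content-type', 'text-turtle')`, which is not a valid media type, while the neighbouring tests use `'text/turtle'`; the server may answer 400 because of the malformed content type, so the test could pass without ever reaching the suffix check. Change the line to `.set('content-type', 'text/turtle')` so that the slug is the only invalid part of the request. A second case with a percent-encoded suffix in the slug would also pin whether the check is applied to the decoded name.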