shaky fix for issue#1692

lib/handlers/put.js

@@ -6,12 +6,40 @@ const getContentType = require('../utils').getContentType
 const HTTPError = require('../http-error')
 const { stringToStream } = require('../utils')
 
+// TODO: ask alain a better way to get the suffix variables here
+const RESERVED_SUFFIXES = ['.acl', '.meta']
+
+/**
+ * This function is used to make sure a resource or container which contains
+ * reserved suffixes for auxiliary documents cannot be created.
+ * @param {string} path - the uri to check for invalid suffixes
+ * @returns {boolean} true is fail - if the path contains reserved suffixes
+ */
+function containsInvalidSuffixes (path) {
+  // if it is a container, no suffix so remove last slash
+  if (path.endsWith('/')) {
+    path = path.slice(0, -1)
+  } else {
+    // this is a resource, so it either ends with an extension, or just text
+    const lastFullStop = path.lastIndexOf('.')
+    if (lastFullStop !== -1) { // contains at least one full stop
+      path = path.slice(0, lastFullStop)
+    }
+  }
+  return RESERVED_SUFFIXES.some(suffix => path.includes(suffix))
+}
+
 async function handler (req, res, next) {
   debug(req.originalUrl)
   // deprecated kept for compatibility
   res.header('MS-Author-Via', 'SPARQL') // is this needed ?
   const contentType = req.get('content-type')
 
+  // make sure the resource being created does not attempt invalid resource creation
+  if (containsInvalidSuffixes(req.url)) {
+    next(new HTTPError(400, `${req.url} contained reserved suffixes in path`))
+  }
+
   // check whether a folder or resource with same name exists
   try {
     const ldp = req.app.locals.ldp

package.json

@@ -146,6 +146,7 @@
     "validate": "node ./test/validate-turtle.js",
     "nyc": "cross-env NODE_TLS_REJECT_UNAUTHORIZED=0 nyc --reporter=text-summary mocha --recursive test/integration/ test/unit/",
     "mocha": "cross-env NODE_TLS_REJECT_UNAUTHORIZED=0 mocha --recursive test/integration/ test/unit/",
+    "mocha-http": "cross-env NODE_TLS_REJECT_UNAUTHORIZED=0 mocha --recursive test/integration/http-test.js",
     "prepublishOnly": "npm test",
     "postpublish": "git push --follow-tags",
     "test": "npm run standard && npm run validate && npm run nyc",

test/integration/http-test.js

@@ -670,6 +670,23 @@ describe('HTTP APIs', function () {
           .expect(201, done)
       }
     )
+    it('should return a 400 error when trying to put a container that contains a reserved suffix',
+      function (done) {
+        server.put('/foo/bar.acl/test/')
+          .set('content-type', 'text/turtle')
+          .set('link', '<http://www.w3.org/ns/ldp#BasicContainer>; rel="type"')
+          .expect(400, done)
+      }
+    )
+    it('should return a 400 error when trying to put a resource that contains a reserved suffix',
+      function (done) {
+        server.put('/foo/bar.acl/test.ttl')
+          .send(putRequestBody)
+          .set('content-type', 'text/turtle')
+          .set('link', '<http://www.w3.org/ns/ldp#BasicContainer>; rel="type"')
+          .expect(400, done)
+      }
+    )
     // Cleanup
     after(function () {
       rm('/foo/')
@@ -846,7 +863,7 @@ describe('HTTP APIs', function () {
           if (err) return done(err)
           try {
             postLocation = res.headers.location
-            console.log('location ' + postLocation)
+            // console.log('location ' + postLocation)
             const createdDir = fs.statSync(path.join(__dirname, '../resources', postLocation.slice(0, -1)))
             assert(createdDir.isDirectory(), 'Container should have been created')
           } catch (err) {