import * as httpMocks from 'node-mocks-http'; import { HEADERS } from '@verdaccio/core'; import { getPublicUrl } from '../src'; describe('host', () => { // this scenario is usual when reverse proxy is setup // without the host header test('get empty string with missing host header', () => { const req = httpMocks.createRequest({ method: 'GET', url: '/', }); expect( getPublicUrl(undefined, { host: req.hostname, headers: req.headers as any, protocol: req.protocol, }) ).toEqual('/'); }); test('get a valid host', () => { const req = httpMocks.createRequest({ method: 'GET', headers: { host: '', }, url: '/', }); expect( getPublicUrl(undefined, { host: req.hostname, headers: req.headers as any, protocol: req.protocol, }) ).toEqual(''); }); test('check a valid host header injection', () => { const req = httpMocks.createRequest({ method: 'GET', headers: { host: `">`, }, hostname: `">`, url: '/', }); expect(function () { getPublicUrl('', { host: req.hostname, headers: req.headers as any, protocol: req.protocol, }); }).toThrow('invalid host'); }); test('get a valid host with prefix', () => { const req = httpMocks.createRequest({ method: 'GET', headers: { host: '', }, url: '/', }); expect( getPublicUrl('/prefix/', { host: req.hostname, headers: req.headers as any, protocol: req.protocol, }) ).toEqual(''); }); test('get a valid host with prefix no trailing', () => { const req = httpMocks.createRequest({ method: 'GET', headers: { host: '', }, url: '/', }); expect( getPublicUrl('/prefix-no-trailing', { host: req.hostname, headers: req.headers as any, protocol: req.protocol, }) ).toEqual(''); }); test('get a valid host with null prefix', () => { const req = httpMocks.createRequest({ method: 'GET', headers: { host: '', }, url: '/', }); expect( getPublicUrl(undefined, { host: req.hostname, headers: req.headers as any, protocol: req.protocol, }) ).toEqual(''); }); }); describe('X-Forwarded-Proto', () => { test('with a valid X-Forwarded-Proto https', () => { const req = httpMocks.createRequest({ method: 'GET', headers: { host: '', [HEADERS.FORWARDED_PROTO]: 'https', }, url: '/', }); expect( getPublicUrl(undefined, { host: req.hostname, headers: req.headers as any, protocol: req.protocol, }) ).toEqual(''); }); test('with a invalid X-Forwarded-Proto https', () => { const req = httpMocks.createRequest({ method: 'GET', headers: { host: '', [HEADERS.FORWARDED_PROTO]: 'invalidProto', }, url: '/', }); expect( getPublicUrl(undefined, { host: req.hostname, headers: req.headers as any, protocol: req.protocol, }) ).toEqual(''); }); test('with a HAProxy X-Forwarded-Proto https', () => { const req = httpMocks.createRequest({ method: 'GET', headers: { host: '', [HEADERS.FORWARDED_PROTO]: 'https,https', }, url: '/', }); expect( getPublicUrl(undefined, { host: req.hostname, headers: req.headers as any, protocol: req.protocol, }) ).toEqual(''); }); test('with a HAProxy X-Forwarded-Proto different protocol', () => { const req = httpMocks.createRequest({ method: 'GET', headers: { host: '', [HEADERS.FORWARDED_PROTO]: 'http,https', }, url: '/', }); expect( getPublicUrl(undefined, { host: req.hostname, headers: req.headers as any, protocol: req.protocol, }) ).toEqual(''); }); }); describe('env variable', () => { test('with a valid X-Forwarded-Proto https and env variable', () => { process.env.VERDACCIO_PUBLIC_URL = ''; const req = httpMocks.createRequest({ method: 'GET', headers: { host: '', [HEADERS.FORWARDED_PROTO]: 'https', }, url: '/', }); expect( getPublicUrl(undefined, { host: req.hostname, headers: req.headers as any, protocol: req.protocol, }) ).toEqual(''); delete process.env.VERDACCIO_PUBLIC_URL; }); test('with a valid X-Forwarded-Proto https and env variable with prefix', () => { process.env.VERDACCIO_PUBLIC_URL = ''; const req = httpMocks.createRequest({ method: 'GET', headers: { host: '', [HEADERS.FORWARDED_PROTO]: 'https', }, url: '/', }); expect( getPublicUrl(undefined, { host: req.hostname, headers: req.headers as any, protocol: req.protocol, }) ).toEqual(''); delete process.env.VERDACCIO_PUBLIC_URL; }); test('with a invalid X-Forwarded-Proto https and env variable', () => { process.env.VERDACCIO_PUBLIC_URL = ''; const req = httpMocks.createRequest({ method: 'GET', headers: { host: '', [HEADERS.FORWARDED_PROTO]: 'invalidProtocol', }, url: '/', }); expect( getPublicUrl(undefined, { host: req.hostname, headers: req.headers as any, protocol: req.protocol, }) ).toEqual(''); delete process.env.VERDACCIO_PUBLIC_URL; }); test('with a invalid X-Forwarded-Proto https and invalid url with env variable', () => { process.env.VERDACCIO_PUBLIC_URL = ''; const req = httpMocks.createRequest({ method: 'GET', headers: { host: '', [HEADERS.FORWARDED_PROTO]: 'invalidProtocol', }, url: '/', }); expect( getPublicUrl(undefined, { host: req.hostname, headers: req.headers as any, protocol: req.protocol, }) ).toEqual(''); delete process.env.VERDACCIO_PUBLIC_URL; }); test('with a invalid X-Forwarded-Proto https and host injection with host', () => { process.env.VERDACCIO_PUBLIC_URL = '">'; const req = httpMocks.createRequest({ method: 'GET', headers: { host: '', [HEADERS.FORWARDED_PROTO]: 'invalidProtocol', }, url: '/', }); expect( getPublicUrl(undefined, { host: req.hostname, headers: req.headers as any, protocol: req.protocol, }) ).toEqual(''); delete process.env.VERDACCIO_PUBLIC_URL; }); test('with the VERDACCIO_FORWARDED_PROTO undefined', () => { process.env.VERDACCIO_FORWARDED_PROTO = undefined; const req = httpMocks.createRequest({ method: 'GET', headers: { host: '', [HEADERS.FORWARDED_PROTO]: 'https', }, url: '/', }); expect( getPublicUrl('/test/', { host: req.hostname, headers: req.headers as any, protocol: req.protocol, }) ).toEqual(''); delete process.env.VERDACCIO_FORWARDED_PROTO; }); test('with the VERDACCIO_FORWARDED_PROTO environment variable set to "set-cookie"', () => { process.env.VERDACCIO_FORWARDED_PROTO = 'set-cookie'; const req = httpMocks.createRequest({ method: 'GET', headers: { host: '', cookie: 'name=value; name2=value2;', 'set-cookie': [ 'cookieName1=value; expires=Tue, 19 Jan 2038 03:14:07 GMT;', 'cookieName2=value; expires=Tue, 19 Jan 2038 03:14:07 GMT;', ], }, url: '/', }); expect(() => getPublicUrl('/test/', { host: req.hostname, headers: req.headers as any, protocol: req.protocol, }) ).toThrow('invalid forwarded protocol header value. Reading header set-cookie'); delete process.env.VERDACCIO_FORWARDED_PROTO; }); test('with a invalid X-Forwarded-Proto https and host injection with invalid host', () => { process.env.VERDACCIO_PUBLIC_URL = '">'; const req = httpMocks.createRequest({ method: 'GET', headers: { host: 'some', [HEADERS.FORWARDED_PROTO]: 'invalidProtocol', }, url: '/', }); expect( getPublicUrl(undefined, { host: req.hostname, headers: req.headers as any, protocol: req.protocol, }) ).toEqual('http://some/'); delete process.env.VERDACCIO_PUBLIC_URL; }); });