Add RequestContext primitive (todo §0); harden static serving (HEAD, control-char, stream-error logging)

2026-06-14 19:33:17 +02:00
parent b4c149db27
commit c544387d3a
12 changed files with 158 additions and 34 deletions


@@ -32,8 +32,26 @@ test("returns 404 for unknown routes", async () => {
assert.equal(res.status, 404);
});
test("resolveStaticPath blocks traversal, allows nested files", () => {
test("blocks encoded path traversal out of /public/ with 403", async () => {
const res = await fetch(base + "/public/..%2f..%2fapp.ts");
assert.equal(res.status, 403);
});
test("rejects a control char (NUL) in a static path with 403", async () => {
const res = await fetch(base + "/public/%00");
assert.equal(res.status, 403);
});
test("HEAD on a static file sends headers but no body", async () => {
const res = await fetch(base + "/public/css/style.css", { method: "HEAD" });
assert.equal(res.status, 200);
assert.ok(Number(res.headers.get("content-length")) > 0);
assert.equal((await res.text()).length, 0);
});
test("resolveStaticPath blocks traversal and control chars, allows nested files", () => {
assert.equal(resolveStaticPath("/srv/public", "../app.ts"), null);
assert.equal(resolveStaticPath("/srv/public", "a\x00b"), null);
assert.equal(resolveStaticPath("/srv/public", "css/style.css"), "/srv/public/css/style.css");
});
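Review bot: The rewritten `resolveStaticPath` unit test at the end of this hunk pins only one traversal shape (`../app.ts`) and one control character (NUL), so a containment check done by plain string prefix on the root, or a filter that matches only `\x00`, would still pass it. `resolveStaticPath` itself is not visible in this hunk, so this is a coverage gap in the test rather than a confirmed defect. I would add a sibling-directory case and a second control character, assuming the filter is meant to cover all control characters: `assert.equal(resolveStaticPath("/srv/public", "../public-old/app.ts"), null);` and `assert.equal(resolveStaticPath("/srv/public", "a\nb"), null);`. The HTTP-level traversal test likewise exercises only the lowercase `%2f` encoding, so a matching uppercase `%2F` request asserting 403 would be a cheap addition.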