Build: Make middleware-mockserver not crash on reading nonexistent files

mgol · mgol · commit be4f9eccde6e · 2024-11-05T22:59:55.000+01:00
`fs.readFileSync` crashes when a non-existing file is passed to it. Some APIs of `middleware-mockserver` read a file the path of which depends on query parameters, making it possible to crash it by providing such a parameter. The old PHP server doesn't have these issues. To fix this, wrap all `fs.readFileSync` occurrences with a function that falls back to the string `"ERROR"`. Closes jquerygh-5579 (cherry picked from commit d5ebb46)
diff --git a/test/middleware-mockserver.cjs b/test/middleware-mockserver.cjs
@@ -6,6 +6,19 @@ const getRawBody = require( "raw-body" );
 
 let cspLog = "";
 
+/**
+ * Like `readFileSync`, but on error returns "ERROR"
+ * without crashing.
+ * @param path
+ */
+function readFileSync( path ) {
+	try {
+		return fs.readFileSync( path );
+	} catch ( _ ) {
+		return "ERROR";
+	}
+}
+
 /**
  * Keep in sync with /test/mock.php
  */
@@ -142,7 +155,7 @@ const mocks = {
 	},
 	xmlOverJsonp: function( req, resp ) {
 		const callback = req.query.callback;
-		const body = fs.readFileSync( `${ __dirname }/data/with_fries.xml` ).toString();
+		const body = readFileSync( `${ __dirname }/data/with_fries.xml` ).toString();
 		resp.writeHead( 200 );
 		resp.end( `${ cleanCallback( callback ) }(${ JSON.stringify( body ) })\n` );
 	},
@@ -224,8 +237,9 @@ const mocks = {
 	},
 	testHTML: function( req, resp ) {
 		resp.writeHead( 200, { "Content-Type": "text/html" } );
-		const body = fs
-			.readFileSync( `${ __dirname }/data/test.include.html` )
+		const body = readFileSync(
+				`${ __dirname }/data/test.include.html`
+			)
 			.toString()
 			.replace( /{{baseURL}}/g, req.query.baseURL );
 		resp.end( body );
@@ -236,17 +250,19 @@ const mocks = {
 			"Content-Security-Policy": "default-src 'self'; " +
 				"report-uri /test/data/mock.php?action=cspLog"
 		} );
-		const body = fs.readFileSync( `${ __dirname }/data/csp.include.html` ).toString();
+		const body = readFileSync( `${ __dirname }/data/csp.include.html` ).toString();
 		resp.end( body );
 	},
 	cspNonce: function( req, resp ) {
-		const testParam = req.query.test ? `-${ req.query.test }` : "";
+		const testParam = req.query.test ?
+			`-${ req.query.test.replace( /[^a-z0-9]/gi, "" ) }` :
+			"";
 		resp.writeHead( 200, {
 			"Content-Type": "text/html",
 			"Content-Security-Policy": "script-src 'nonce-jquery+hardcoded+nonce'; " +
 				"report-uri /test/data/mock.php?action=cspLog"
 		} );
-		const body = fs.readFileSync(
+		const body = readFileSync(
 			`${ __dirname }/data/csp-nonce${ testParam }.html` ).toString();
 		resp.end( body );
 	},
