fix: server encoding attributes

seznam · Mar 15, 2024 · 34e7115 · 34e7115
1 parent 48ede61
commit 34e7115
Show file tree

Hide file tree

Showing 5 changed files with 31 additions and 10 deletions.
diff --git a/.changeset/old-parents-hunt.md b/.changeset/old-parents-hunt.md
@@ -0,0 +1,5 @@
+---
+"@ima/server": patch
+---
+
+Encode all url specific values of $IMA attributes and urlParser method throws TypeError for unsopported protocols.
diff --git a/packages/server/lib/factory/__tests__/serverAppFactorySpec.js b/packages/server/lib/factory/__tests__/serverAppFactorySpec.js
@@ -88,6 +88,7 @@ describe('Server App Factory', () => {
       $Server: {
         concurrency: 1,
         staticConcurrency: 100,
+        protocol: 'http',
         cache: {
           enabled: true,
         },
@@ -314,7 +315,7 @@ describe('Server App Factory', () => {
     it('should render 500 ima app page', async () => {
       jest
         .spyOn(router, 'route')
-        .mockReturnValue(Promise.reject(new Error('Error')));
+        .mockReturnValue(Promise.reject(new Error('Custom error messages')));
 
       const response = await serverApp.requestHandlerMiddleware(REQ, RES);
 

diff --git a/packages/server/lib/factory/__tests__/urlParserFactorySpec.js b/packages/server/lib/factory/__tests__/urlParserFactorySpec.js
@@ -297,10 +297,10 @@ describe('urlParserFactory', () => {
 
       it(`should always use environment.$Server.protocol, when defined for ${originalUrl}`, () => {
         ENVIRONMENT.$Server = {
-          protocol: 'env-protocol',
+          protocol: 'http',
         };
 
-        expect(getProtocol(originalUrl, protocol)).toBe('env-protocol:');
+        expect(getProtocol(originalUrl, protocol)).toBe('http:');
 
         ENVIRONMENT.$Server = {};
       });
@@ -372,10 +372,10 @@ describe('urlParserFactory', () => {
 
       it(`should always use environment.$Server.protocol, when defined for header key '${headerKey}'`, () => {
         ENVIRONMENT.$Server = {
-          protocol: 'env-protocol',
+          protocol: 'http',
         };
 
-        expect(getHeadersProtocol(header, headerKey)).toBe('env-protocol:');
+        expect(getHeadersProtocol(header, headerKey)).toBe('http:');
 
         ENVIRONMENT.$Server = {};
       });

diff --git a/packages/server/lib/factory/responseUtilsFactory.js b/packages/server/lib/factory/responseUtilsFactory.js
@@ -46,7 +46,9 @@ module.exports = function responseUtilsFactory({ applicationFolder }) {
       $IMA.SPA = ${response?.SPA ?? false};
       $IMA.$PublicPath = "${process.env.IMA_PUBLIC_PATH ?? ''}";
       $IMA.$RequestID = "${requestID}";
-      $IMA.$Language = "${settings.$Language}";
+      $IMA.$Language = "${
+        settings.$Language && encodeHTMLEntities(settings.$Language)
+      }";
       $IMA.$Env = "${settings.$Env}";
       $IMA.$Debug = ${settings.$Debug};
       $IMA.$Version = "${settings.$Version}";
@@ -55,9 +57,12 @@ module.exports = function responseUtilsFactory({ applicationFolder }) {
         settings.$Protocol && encodeHTMLEntities(settings.$Protocol)
       }";
       $IMA.$Host = "${settings.$Host && encodeHTMLEntities(settings.$Host)}";
-      $IMA.$Path = "${settings.$Path}";
-      $IMA.$Root = "${settings.$Root}";
-      $IMA.$LanguagePartPath = "${settings.$LanguagePartPath}";
+      $IMA.$Path = "${settings.$Path && encodeHTMLEntities(settings.$Path)}";
+      $IMA.$Root = "${settings.$Root && encodeHTMLEntities(settings.$Root)}";
+      $IMA.$LanguagePartPath = "${
+        settings.$LanguagePartPath &&
+        encodeHTMLEntities(settings.$LanguagePartPath)
+      }";
     })(typeof window !== 'undefined' && window !== null ? window : global);
     `;
   }

diff --git a/packages/server/lib/factory/urlParserFactory.js b/packages/server/lib/factory/urlParserFactory.js
@@ -6,6 +6,9 @@ const { URL } = require('url');
 
 const { GenericError } = require('@ima/core');
 
+const HTTP_PROTOCOL = 'http';
+const HTTPS_PROTOCOL = 'https';
+
 module.exports = function urlParserFactory({ applicationFolder, environment }) {
   const IMA_CONFIG_JS_PATH = path.resolve(applicationFolder, './ima.config.js');
 
@@ -93,7 +96,8 @@ module.exports = function urlParserFactory({ applicationFolder, environment }) {
     let protocol = null;
 
     if (httpsHeader) {
-      protocol = httpsHeader.toLowerCase() === 'on' ? 'https' : 'http';
+      protocol =
+        httpsHeader.toLowerCase() === 'on' ? HTTPS_PROTOCOL : HTTP_PROTOCOL;
     }
 
     return protocol;
@@ -113,6 +117,12 @@ module.exports = function urlParserFactory({ applicationFolder, environment }) {
           : environment.$Server.protocol;
     }
 
+    if (![HTTP_PROTOCOL, HTTPS_PROTOCOL].includes(protocol)) {
+      throw new TypeError(
+        `Invalid protocol: You set unsupported protocol "${protocol}". Allowed protocols are only ${HTTP_PROTOCOL} and ${HTTPS_PROTOCOL}. You can set protocol in environment.$Server.protocol or update proxy configuration.`
+      );
+    }
+
     return `${protocol}:`;
   }