fix(repeater): preserve path traversal vulnerability (#143)

closes #142

Author: derevnjuk

package-lock.json

@@ -85,8 +85,6 @@
     "content-type": "^1.0.4",
     "form-data": "^4.0.0",
     "reflect-metadata": "^0.1.13",
-    "request": "^2.88.2",
-    "request-promise": "^4.2.6",
     "semver": "^7.3.7",
     "socks-proxy-agent": "^6.2.0-beta.0",
     "tslib": "~2.3.1",

package.json

@@ -1,4 +1,5 @@
 export { RepeatersManager } from './api';
+export { ExecuteRequestEventHandler } from './bus';
 export * from './lib';
 export * from './models';
 export * from './request-runner';

packages/repeater/src/index.ts

@@ -1,4 +1,2 @@
 export * from './Protocol';
 export * from './RepeaterStatus';
-
-export const Container: unique symbol = Symbol('DependencyContainer');

packages/repeater/src/models/index.ts

@@ -1,21 +1,24 @@
 import { Request } from './Request';
+import { Protocol } from '../models';
 
 describe('Request', () => {
   describe('constructor', () => {
     it('should throw Error on empty url', () => {
       expect(
         () =>
           new Request({
-            url: ''
+            url: '',
+            protocol: Protocol.HTTP
           })
-      ).toThrow('Url must be declared explicitly.');
+      ).toThrow('Invalid URL.');
     });
 
     it('should throw Error on invalid url', () => {
       expect(
         () =>
           new Request({
-            url: 'http::/foo.bar'
+            url: 'http::/foo.bar',
+            protocol: Protocol.HTTP
           })
       ).toThrow('Invalid URL.');
     });
@@ -25,7 +28,8 @@ describe('Request', () => {
         () =>
           new Request({
             url: 'http://foo.bar',
-            body: 42 as unknown as string
+            body: 42 as unknown as string,
+            protocol: Protocol.HTTP
           })
       ).toThrow('Body must be string.');
     });
@@ -35,7 +39,8 @@ describe('Request', () => {
         () =>
           new Request({
             url: 'http://foo.bar',
-            correlationIdRegex: '('
+            correlationIdRegex: '(',
+            protocol: Protocol.HTTP
           })
       ).toThrow('Correlation id must be regular expression.');
     });
@@ -44,7 +49,8 @@ describe('Request', () => {
       expect(
         () =>
           new Request({
-            url: 'http://foo.bar'
+            url: 'http://foo.bar',
+            protocol: Protocol.HTTP
           })
       ).not.toThrow();
     });
@@ -55,28 +61,19 @@ describe('Request', () => {
       expect(
         new Request({
           url: 'http://foo.bar',
-          method: 'post'
+          method: 'post',
+          protocol: Protocol.HTTP
         }).method
       ).toBe('POST');
     });
   });
 
-  describe('url', () => {
-    it('should normalize url', () => {
-      expect(
-        new Request({
-          url: 'HTTP://foo.BAR',
-          method: 'post'
-        }).url
-      ).toBe('http://foo.bar/');
-    });
-  });
-
   describe('setHeaders', () => {
     it('should append headers', () => {
       const request = new Request({
         url: 'http://foo.bar',
-        headers: { 'x-key': 'value' }
+        headers: { 'x-key': 'value' },
+        protocol: Protocol.HTTP
       });
 
       request.setHeaders({ 'x-a1': 'a1', 'x-a2': 'a2' });

packages/repeater/src/request-runner/Request.spec.ts

@@ -1,14 +1,17 @@
+import { Protocol } from '../models';
 import { URL } from 'url';
 
 export interface RequestOptions {
-  method?: string;
+  protocol: Protocol;
   url: string;
-  headers: Record<string, string | string[]>;
+  method?: string;
+  headers?: Record<string, string | string[]>;
   body?: string;
   correlationIdRegex?: string | RegExp;
 }
 
 export class Request {
+  public readonly protocol: Protocol;
   public readonly url: string;
   public readonly body?: string;
   public readonly correlationIdRegex?: RegExp;
@@ -19,27 +22,31 @@ export class Request {
     return this._method;
   }
 
-  private _headers: Record<string, string | string[]>;
+  private _headers?: Record<string, string | string[]>;
 
-  get headers(): Readonly<Record<string, string | string[]>> {
+  get headers(): Readonly<Record<string, string | string[]>> | undefined {
     return this._headers;
   }
 
+  get secureEndpoint(): boolean {
+    return this.url.startsWith('https');
+  }
+
   constructor({
+    protocol,
     method,
     url,
     body,
     correlationIdRegex,
     headers = {}
-  }: Omit<RequestOptions, 'headers'> & {
-    headers?: Record<string, string | string[]>;
-  }) {
+  }: RequestOptions) {
+    this.protocol = protocol;
     this._method = method?.toUpperCase() ?? 'GET';
-    this.url = this.normalizeUrl(url);
+    this.validateUrl(url);
+    this.url = url;
     this.correlationIdRegex =
       this.normalizeCorrelationIdRegex(correlationIdRegex);
     this._headers = headers;
-
     this.precheckBody(body);
     this.body = body;
   }
@@ -51,13 +58,9 @@ export class Request {
     };
   }
 
-  private normalizeUrl(url: string): string {
-    if (!url) {
-      throw new Error('Url must be declared explicitly.');
-    }
-
+  private validateUrl(url: string): void {
     try {
-      return new URL(url).toString();
+      new URL(url);
     } catch {
       throw new Error('Invalid URL.');
     }

packages/repeater/src/request-runner/Request.ts

@@ -7,14 +7,14 @@ import 'reflect-metadata';
 import { anything, spy, verify, when } from 'ts-mockito';
 import { Logger, LogLevel } from '@sectester/core';
 import { SocksProxyAgent } from 'socks-proxy-agent';
-import { constants, gzip } from 'zlib';
+import { brotliCompress, constants, gzip } from 'zlib';
 import { promisify } from 'util';
 
 const createRequest = (options: Partial<RequestOptions> = {}) => {
   const requestOptions = {
+    protocol: Protocol.HTTP,
     url: 'https://foo.bar',
     method: 'GET',
-    headers: {},
     ...options
   };
   const request = new Request(requestOptions);
@@ -84,6 +84,22 @@ describe('HttpRequestRunner', () => {
       });
     });
 
+    it('should preserve directory traversal', async () => {
+      const runner = setupRunner();
+      const path = 'public/../../../../../../etc/passwd';
+      const { request } = createRequest({
+        url: `http://localhost:8080/${path}`
+      });
+      nock('http://localhost:8080').get(`/${path}`).reply(200, {});
+
+      const response = await runner.run(request);
+
+      expect(response).toMatchObject({
+        statusCode: 200,
+        body: {}
+      });
+    });
+
     it('should handle HTTP errors', async () => {
       const runner = setupRunner();
       const { request, requestOptions } = createRequest();
@@ -158,6 +174,24 @@ describe('HttpRequestRunner', () => {
       expect(response.body).toEqual(expected);
     });
 
+    it('should decode response body if content-encoding is brotli', async () => {
+      const runner = setupRunner({
+        maxContentLength: 1,
+        allowedMimes: ['text/plain']
+      });
+      const { request, requestOptions } = createRequest();
+      const expected = 'x'.repeat(1025);
+      const bigBody = await promisify(brotliCompress)(expected);
+      nock(requestOptions.url).get('/').reply(200, bigBody, {
+        'content-type': 'text/plain',
+        'content-encoding': 'br'
+      });
+
+      const response = await runner.run(request);
+
+      expect(response.body).toEqual(expected);
+    });
+
     it('should decode and truncate gzipped response body if content-type is not in allowed list', async () => {
       const runner = setupRunner({
         maxContentLength: 1,