Repository: couchdb-fauxton Updated Branches: refs/heads/master 2bd911539 -> c5c6f1c21
fix cors validation for hosts with no tld - allow ips and things like: http://localhost:3000 - normalize urls in case a path is given by removing the path note: in general the validation should be done in the backend as single source of truth so that api users and fauxton users get the same results and also the interfaces are consistent. PR: #576 PR-URL: https://github.com/apache/couchdb-fauxton/pull/576 Reviewed-By: Benjamin Keen <[email protected]> Project: http://git-wip-us.apache.org/repos/asf/couchdb-fauxton/repo Commit: http://git-wip-us.apache.org/repos/asf/couchdb-fauxton/commit/8588ef7c Tree: http://git-wip-us.apache.org/repos/asf/couchdb-fauxton/tree/8588ef7c Diff: http://git-wip-us.apache.org/repos/asf/couchdb-fauxton/diff/8588ef7c Branch: refs/heads/master Commit: 8588ef7cc55bfa7a02664d6f6670275c986bb63a Parents: 2bd9115 Author: Robert Kowalski <[email protected]> Authored: Mon Nov 16 14:40:30 2015 +0100 Committer: Robert Kowalski <[email protected]> Committed: Mon Nov 16 17:34:17 2015 +0100 ---------------------------------------------------------------------- app/addons/cors/components.react.jsx | 6 ++++-- app/addons/cors/resources.js | 16 +++++++++++++--- app/addons/cors/tests/componentsSpec.react.jsx | 4 ++-- app/addons/cors/tests/resourcesSpec.js | 19 ++++++++++++++----- 4 files changed, 33 insertions(+), 12 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/couchdb-fauxton/blob/8588ef7c/app/addons/cors/components.react.jsx ---------------------------------------------------------------------- diff --git a/app/addons/cors/components.react.jsx b/app/addons/cors/components.react.jsx index fb9f655..37579eb 100644 --- a/app/addons/cors/components.react.jsx +++ b/app/addons/cors/components.react.jsx 
@@ -22,7 +22,7 @@ define([ var validateOrigin = function (origin) { if (!Resources.validateCORSDomain(origin)) { FauxtonAPI.addNotification({ - msg: 'Please enter a valid domain, starting with http/https and only containing the domain (not a subfolder).', + msg: 'Please enter a valid domain, starting with http/https.', type: 'error', clear: true }); @@ -157,7 +157,9 @@ define([ return; } - this.props.addOrigin(this.state.origin); + var url = Resources.normalizeUrls(this.state.origin); + + this.props.addOrigin(url); this.setState({origin: ''}); }, http://git-wip-us.apache.org/repos/asf/couchdb-fauxton/blob/8588ef7c/app/addons/cors/resources.js ---------------------------------------------------------------------- diff --git a/app/addons/cors/resources.js b/app/addons/cors/resources.js index a22cfc8..ed314a9 100644 --- a/app/addons/cors/resources.js +++ b/app/addons/cors/resources.js @@ -95,10 +95,20 @@ function (app, FauxtonAPI) { }); - // simple helper function to validate the user entered a valid domain starting with http(s), optional port and - // doesn't include a subfolder + // simple helper function to validate the user entered a valid domain starting with http(s) CORS.validateCORSDomain = function (str) { - return (/^https?:\/\/[a-zA-Z0-9\-]+\.[a-zA-Z0-9\-\.]+(:\d{2,5})?$/).test(str); + return (/^https?:\/\/(.*)(:\d{2,5})?$/).test(str); + }; + + CORS.normalizeUrls = function (url) { + var el = document.createElement('a'); + el.href = url; + + if (/:/.test(url)) { + return el.protocol + '//' + el.host; + } + + return el.protocol + '//' + el.hostname; }; return CORS; http://git-wip-us.apache.org/repos/asf/couchdb-fauxton/blob/8588ef7c/app/addons/cors/tests/componentsSpec.react.jsx ---------------------------------------------------------------------- diff --git a/app/addons/cors/tests/componentsSpec.react.jsx b/app/addons/cors/tests/componentsSpec.react.jsx index b725085..c2f3cdd 100644 --- a/app/addons/cors/tests/componentsSpec.react.jsx 
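Review bot: The value persisted, `url`, is not the value that was validated — `validateOrigin` runs before this hunk (presumably on `this.state.origin`, its call site is outside the shown lines) and sees the raw string, while `normalizeUrls` runs afterwards and can silently discard user-info, path, query and fragment before `addOrigin` is called. An allowed CORS origin is a security setting, so the string that is stored should be the one that passed the check; keep the raw check (it is what stops relative input from being resolved against the page) and re-check the normalized result: `var url = Resources.normalizeUrls(this.state.origin); if (!validateOrigin(url)) { return; }`. A short why-comment on the `var url` line, `// strip any path/query the user pasted; CouchDB compares origins against the bare scheme://host[:port]`, would also save the next reader a trip to resources.js. The enclosing method starts before the hunk.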
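Review bot: In `validateCORSDomain` the `(:\d{2,5})?` group is unreachable: the greedy `(.*)` runs to `$`, so the regex reduces to "begins with http:// or https://" and accepts `http://`, `http://foo bar`, `http://a:b@c` and `http://a, http://b`. A pattern that still lets a trailing path through for `normalizeUrls` to strip but pins the host and port, e.g. `/^https?:\/\/[^\s\/:?#@]+(:\d{1,5})?(\/\S*)?$/`, keeps the commit's intent (an IPv6 literal would need a separate `\[[^\]]+\]` alternative, which the old regex did not support either). In `normalizeUrls`, `/:/.test(url)` is true for every string that passed validation, since they all begin with `http:`, so the `el.hostname` branch is dead and `el.host` — which already omits the scheme's default port — is sufficient: `return el.protocol + '//' + el.host;`. Because an anchor element resolves relative or unparseable input against the page's own URL, document the precondition above the helper: `// Must only be called on input that passed validateCORSDomain: the anchor parser resolves anything else against the current page, turning junk into our own origin.`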
+++ b/app/addons/cors/tests/componentsSpec.react.jsx @@ -97,9 +97,9 @@ define([ }); afterEach(function () { - Resources.validateCORSDomain.restore && Resources.validateCORSDomain.restore(); + utils.restore(Resources.validateCORSDomain); + utils.restore(FauxtonAPI.addNotification); React.unmountComponentAtNode(container); - FauxtonAPI.addNotification.restore && FauxtonAPI.addNotification.restore(); }); it('calls validates each domain', function () { http://git-wip-us.apache.org/repos/asf/couchdb-fauxton/blob/8588ef7c/app/addons/cors/tests/resourcesSpec.js ---------------------------------------------------------------------- diff --git a/app/addons/cors/tests/resourcesSpec.js b/app/addons/cors/tests/resourcesSpec.js index 9690652..668bce6 100644 --- a/app/addons/cors/tests/resourcesSpec.js +++ b/app/addons/cors/tests/resourcesSpec.js @@ -46,24 +46,33 @@ define([ 'http://something.com', 'https://a.ca', 'https://something.com:8000', - 'https://www.some-valid-domain.com:80' + 'https://www.some-valid-domain.com:80', + 'http://localhost', + 'https://localhost', + 'http://192.168.1.113', + 'http://192.168.1.113:1337' ]; _.each(urls, function (url) { assert.isTrue(CORS.validateCORSDomain(url)); }); }); - it('fails on invalid domains', function () { + it('fails on non http/https domains', function () { var urls = [ 'whoahnellythisaintright', - 'http://something', - 'ftp://site.com', - 'https://this.has/subfolder' + 'ftp://site.com' ]; _.each(urls, function (url) { assert.isFalse(CORS.validateCORSDomain(url)); }); }); + it('normalizes common cases, like accidentally added subfolders', function () { + assert.equal('https://foo.com', CORS.normalizeUrls('https://foo.com/blerg')); + assert.equal('https://192.168.1.113', CORS.normalizeUrls('https://192.168.1.113/blerg')); + assert.equal('https://foo.com:1337', CORS.normalizeUrls('https://foo.com:1337/blerg')); + assert.equal('https://foo.com', CORS.normalizeUrls('https://foo.com')); + }); + }); });
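Review bot: The negative list in 'fails on non http/https domains' now only proves the scheme is checked; nothing in it would catch `validateCORSDomain` accepting an empty host or embedded whitespace, which is what the new `(.*)` allows. Add rejection cases such as `'http://'`, `'http://foo bar'` and `'http://a,http://b'` — they fail against the regex as committed, which is the point, and they pin the contract `normalizeUrls` depends on. For `normalizeUrls`, one default-port case is worth pinning, e.g. `assert.equal('http://foo.com', CORS.normalizeUrls('http://foo.com:80/x'));`, since the URL parser folds the scheme's default port out of `host` and that is also the form browsers send in the `Origin` header, so the stored origin must match it. These cases rely on a DOM (`document.createElement`) in the test runner, as the existing normalize tests already do.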
