SQLPage/tests/errors/invalid_header.rs at 74bb46e0e67264adf6dc1edecb1413a65ac02e1c · sqlpage/SQLPage · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
use crate::common::req_path;
use actix_web::{http::StatusCode, test};
use percent_encoding::{utf8_percent_encode, NON_ALPHANUMERIC};
use serde_json::{json, Value};

struct InvalidHeaderCase {
    name: &'static str,
    properties: Value,
}

async fn assert_invalid_header_response(case: &InvalidHeaderCase) {
    let properties = serde_json::to_string(&case.properties).unwrap();
    let properties = utf8_percent_encode(&properties, NON_ALPHANUMERIC).to_string();
    let path = format!("/tests/errors/invalid_header.sql?properties={properties}");

    let resp = req_path(&path).await.unwrap_or_else(|err| {
        panic!(
            "{} should return an error response instead of failing the request: {err:#}",
            case.name
        )
    });

    assert_eq!(
        resp.status(),
        StatusCode::INTERNAL_SERVER_ERROR,
        "{} should return a 500 response",
        case.name
    );

    let body = test::read_body(resp).await;
    let body_str = String::from_utf8(body.to_vec()).unwrap();
    assert!(
        body_str.to_lowercase().contains("error"),
        "{} should render an error response body, got:\n{body_str}",
        case.name
    );
}

#[actix_web::test]
async fn test_invalid_header_components_return_an_error_response() {
    let cases = vec![
        InvalidHeaderCase {
            name: "cookie domain with newline",
            properties: json!({
                "component": "cookie",
                "name": "boom",
                "value": "x",
                "domain": "\n",
            }),
        },
        InvalidHeaderCase {
            name: "cookie path with DEL",
            properties: json!({
                "component": "cookie",
                "name": "boom",
                "value": "x",
                "path": "\u{007f}",
            }),
        },
        InvalidHeaderCase {
            name: "http_header value with carriage return",
            properties: json!({
                "component": "http_header",
                "X-Test": "\r",
            }),
        },
        InvalidHeaderCase {
            name: "redirect link with NUL",
            properties: json!({
                "component": "redirect",
                "link": "\u{0000}",
            }),
        },
        InvalidHeaderCase {
            name: "authentication link with unit separator",
            properties: json!({
                "component": "authentication",
                "link": "\u{001f}",
            }),
        },
        InvalidHeaderCase {
            name: "download filename with newline",
            properties: json!({
                "component": "download",
                "data_url": "data:text/plain,ok",
                "filename": "\n",
            }),
        },
        InvalidHeaderCase {
            name: "csv filename with carriage return",
            properties: json!({
                "component": "csv",
                "filename": "\r",
            }),
        },
        InvalidHeaderCase {
            name: "csv title with NUL",
            properties: json!({
                "component": "csv",
                "title": "\u{0000}",
            }),
        },
    ];

    for case in &cases {
        assert_invalid_header_response(case).await;
    }
}