path: root/netwerk/test/httpserver/test/test_headers.js
/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
/* vim:set ts=2 sw=2 sts=2 et: */
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

// tests for header storage in httpd.js; nsHttpHeaders is an *internal* data
// structure and is not to be used directly outside of httpd.js itself except
// for testing purposes

/**
 * Asserts that the header store accepts a field name/value pair.
 *
 * The pair is passed to headers.setHeader(fieldName, fieldValue, false); any
 * exception raised by that call fails the test through do_throw.
 *
 * @param fieldName
 *   the header name to try
 * @param fieldValue
 *   the header value to try
 * @param headers
 *   the nsHttpHeaders object the pair is set on
 */
function assertValidHeader(fieldName, fieldValue, headers) {
  try {
    headers.setHeader(fieldName, fieldValue, false);
  } catch (err) {
    // Any exception at all means a pair expected to be valid was refused.
    const failure = "Unexpected exception thrown: " + err;
    do_throw(failure);
  }
}

/**
 * Asserts that the header store rejects a field name/value pair.
 *
 * The only accepted outcome is headers.setHeader(fieldName, fieldValue, false)
 * throwing an exception whose .result is Cr.NS_ERROR_INVALID_ARG. A call that
 * succeeds, or that throws anything else, fails the test through do_throw.
 *
 * @param fieldName
 *   the header name to try
 * @param fieldValue
 *   the header value to try
 * @param headers
 *   the nsHttpHeaders object the pair is set on
 */
function assertInvalidHeader(fieldName, fieldValue, headers) {
  try {
    headers.setHeader(fieldName, fieldValue, false);
    // Reaching this line means the pair was accepted. The Error raised here
    // carries no .result, so the handler below reports it as a failure.
    throw new Error(
      `Setting (${fieldName}, ${fieldValue}) as header succeeded!`
    );
  } catch (err) {
    const rejectedAsInvalidArg = err.result === Cr.NS_ERROR_INVALID_ARG;
    if (rejectedAsInvalidArg) {
      return;
    }
    do_throw("Unexpected exception thrown: " + err);
  }
}

/**
 * Test entry point: runs every header-storage test in this file, in order.
 */
function run_test() {
  const suites = [
    testHeaderValidity,
    testGetHeader,
    testHeaderEnumerator,
    testHasHeader,
  ];
  for (const suite of suites) {
    suite();
  }
}

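/**
 * Checks which field names and values nsHttpHeaders.setHeader accepts.
 *
 * Rejected inputs must raise NS_ERROR_INVALID_ARG (see assertInvalidHeader);
 * accepted inputs must not raise at all (see assertValidHeader). The rejected
 * set covers the inputs that matter for header injection: CR, LF and NUL in
 * either the name or the value.
 */
function testHeaderValidity() {
  const headers = new nsHttpHeaders();

  // Field names containing whitespace, separators or control characters.
  assertInvalidHeader("f o", "bar", headers);
  assertInvalidHeader("f\0n", "bar", headers);
  assertInvalidHeader("foo:", "bar", headers);
  assertInvalidHeader("f\\o", "bar", headers);
  assertInvalidHeader("@xml", "bar", headers);
  assertInvalidHeader("fiz(", "bar", headers);
  assertInvalidHeader("HTTP/1.1", "bar", headers);
  assertInvalidHeader('b"b', "bar", headers);
  assertInvalidHeader("ascsd\t", "bar", headers);
  assertInvalidHeader("{fds", "bar", headers);
  assertInvalidHeader("baz?", "bar", headers);
  assertInvalidHeader("a\\b\\c", "bar", headers);

  // In a JS string literal "\0" is the NUL escape, so "\0x7F" is NUL followed
  // by the characters "x7F" -- not U+007F. These two cases are kept because
  // they are still valid NUL-in-name checks.
  assertInvalidHeader("\0x7F", "bar", headers);
  assertInvalidHeader("\0x1F", "bar", headers);

  // The control characters the two cases above appear to have been aiming
  // for: DEL (0x7F) and US (0x1F).
  assertInvalidHeader("\x7F", "bar", headers);
  assertInvalidHeader("\x1F", "bar", headers);

  assertInvalidHeader("f\n", "bar", headers);

  // Field values: a bare LF, a bare CR or a NUL must be refused, otherwise a
  // value could terminate the header line early.
  assertInvalidHeader("foo", "b\nar", headers);
  assertInvalidHeader("foo", "b\rar", headers);
  assertInvalidHeader("foo", "b\0", headers);

  // request splitting, fwiw -- we're actually immune to this type of attack so
  // long as we don't implement persistent connections
  assertInvalidHeader("f\r\nGET /badness HTTP/1.1\r\nFoo", "bar", headers);

  // Punctuation that is allowed in a field name.
  assertValidHeader("f'", "baz", headers);
  assertValidHeader("f`", "baz", headers);
  assertValidHeader("f.", "baz", headers);
  assertValidHeader("f---", "baz", headers);
  assertValidHeader("---", "baz", headers);
  assertValidHeader("~~~", "baz", headers);

  // CRLF is accepted in a value only when followed by a space or a tab (a
  // folded continuation line), in contrast to the bare CR/LF cases above.
  assertValidHeader("~~~", "b\r\n bar", headers);
  assertValidHeader("~~~", "b\r\n\tbar", headers);
}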

/**
 * Checks nsHttpHeaders.getHeader: stored values are returned (including when
 * the lookup name differs in case from the stored name), an invalid name
 * raises NS_ERROR_INVALID_ARG, and a missing header raises
 * NS_ERROR_NOT_AVAILABLE.
 */
function testGetHeader() {
  const headers = new nsHttpHeaders();

  // Stored as "Content-Type", read back as "content-type".
  headers.setHeader("Content-Type", "text/html", false);
  Assert.equal(headers.getHeader("content-type"), "text/html");

  headers.setHeader("test", "FOO", false);
  Assert.equal(headers.getHeader("test"), "FOO");

  // ":" is not a usable field name; the lookup itself has to fail.
  try {
    headers.getHeader(":");
    throw new Error("Failed to throw for invalid header");
  } catch (err) {
    const sawInvalidArg = err.result === Cr.NS_ERROR_INVALID_ARG;
    if (!sawInvalidArg) {
      do_throw("headers.getHeader(':') must throw invalid arg");
    }
  }

  // A well-formed name that was never set is reported as not available.
  try {
    headers.getHeader("valid");
    throw new Error("header doesn't exist");
  } catch (err) {
    const sawNotAvailable = err.result === Cr.NS_ERROR_NOT_AVAILABLE;
    if (!sawNotAvailable) {
      do_throw("shouldn't be a header named 'valid' in headers!");
    }
  }
}

/**
 * Checks that headers.enumerator yields exactly the names that were set.
 *
 * Each enumerated name is lower-cased and struck off the expected set; the
 * test fails if an unexpected name appears or if any expected name is left
 * over once the enumerator is exhausted. Header values are not checked here.
 */
function testHeaderEnumerator() {
  const headers = new nsHttpHeaders();

  const expected = {
    foo: "17",
    baz: "two six niner",
    decaf: "class Program { int .7; int main(){ .7 = 5; return 7 - .7; } }",
  };

  for (const [name, value] of Object.entries(expected)) {
    headers.setHeader(name, value, false);
  }

  const names = headers.enumerator;
  while (names.hasMoreElements()) {
    const raw = names.getNext().QueryInterface(Ci.nsISupportsString).data;
    const key = raw.toLowerCase();
    Assert.ok(key in expected);
    delete expected[key];
  }

  // Anything still present was set but never enumerated.
  const leftovers = Object.keys(expected);
  if (leftovers.length !== 0) {
    do_throw("still have properties in heads!?!?");
  }
}

/**
 * Checks nsHttpHeaders.hasHeader: present headers are found regardless of the
 * case used in the lookup, absent headers are reported as absent, and an
 * invalid name raises NS_ERROR_INVALID_ARG rather than returning false.
 */
function testHasHeader() {
  const headers = new nsHttpHeaders();

  headers.setHeader("foo", "bar", false);
  for (const spelling of ["foo", "fOo"]) {
    Assert.ok(headers.hasHeader(spelling));
  }
  Assert.ok(!headers.hasHeader("not-there"));

  // Punctuation in the name is kept as-is; only the letter differs in case.
  headers.setHeader("f`'~", "bar", false);
  Assert.ok(headers.hasHeader("F`'~"));

  try {
    headers.hasHeader(":");
    throw new Error("failed to throw");
  } catch (err) {
    const sawInvalidArg = err.result === Cr.NS_ERROR_INVALID_ARG;
    if (!sawInvalidArg) {
      do_throw(".hasHeader for an invalid name should throw");
    }
  }
}