Add tests of malicious file names

This commit is contained in:
El RIDO 2025-10-24 15:00:56 +02:00
parent 5c5fe333a0
commit ca70c7555d
No known key found for this signature in database
GPG key ID: 0F5C940A6BD81F92


@ -129,5 +129,46 @@ describe('AttachmentViewer', function () {
return results.every(element => element);
}
);
it(
'sanitizes file names in attachments',
function() {
const clean = jsdom();
$('body').html(
'<div id="attachmentPreview" class="col-md-12 text-center hidden"></div>' +
'<div id="attachment" class="hidden"></div>' +
'<div id="templates">' +
'<div id="attachmenttemplate" role="alert" class="attachment hidden alert alert-info">' +
'<span class="glyphicon glyphicon-download-alt" aria-hidden="true"></span>' +
'<a class="alert-link">Download attachment</a>' +
'</div>' +
'</div>'
);
// mock createObjectURL for jsDOM
if (typeof window.URL.createObjectURL === 'undefined') {
Object.defineProperty(
window.URL,
'createObjectURL',
{value: function(blob) {
return 'blob:' + location.origin + '/1b9d6bcd-bbfd-4b2d-9b5d-ab8dfbbd4bed';
}}
)
}
$.PrivateBin.AttachmentViewer.init();
$.PrivateBin.Model.init();
global.atob = common.atob;
const maliciousFileNames = [
'<script>alert("☹️");//<a',
'"><meta http-equiv="refresh" content="0;url=http://example.com/">.txt',
];
for (const filename of maliciousFileNames) {
$.PrivateBin.AttachmentViewer.setAttachment('data:;base64,', filename);
assert.ok(!$('body').html().includes(filename));
}
clean();
}
);
});
});
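Review bot: The assertion `assert.ok(!$('body').html().includes(filename))` in the new test can pass even when the file name is injected as markup, because the HTML serializer escapes `>` in text nodes as `&gt;` and `"` in attribute values as `&quot;`, so a successfully injected second payload (`"><meta http-equiv="refresh" ...>.txt`) would no longer appear verbatim in `.html()` while a live `<meta>` element sits in the DOM. Assert on structure instead of on the serialized string, e.g. `assert.strictEqual($('body').find('script, meta').length, 0);` after each `setAttachment` call, and consider a positive check that the name survives as plain text (whatever element the viewer puts it in — I cannot tell from the hunk whether it is link text or a `download` attribute) so the test also fails if sanitization simply drops the name. A short comment such as `// structural check: a string match on .html() is defeated by entity escaping` would explain the choice to the next maintainer. The enclosing `describe('AttachmentViewer', ...)` callback begins before this hunk; the `it` block itself is fully visible.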