From 8adb9ab85a996e40db045c8b2d9f60a065f412d4 Mon Sep 17 00:00:00 2001
From: Yulong Wang
Date: Fri, 1 Oct 2021 11:32:00 -0700
Subject: [PATCH] fix CodeQL warning for path-injection (#9243)
---
js/web/test/e2e/run.js | 1 +
js/web/test/e2e/simple-http-server.js | 80 +++++++++++++----------------
2 files changed, 39 insertions(+), 42 deletions(-)
diff --git a/js/web/test/e2e/run.js b/js/web/test/e2e/run.js
index 76ea80c5db..5e5bb62434 100644
--- a/js/web/test/e2e/run.js
+++ b/js/web/test/e2e/run.js
@@ -93,6 +93,7 @@ async function testAllBrowserCases({ hostInKarma }) {
 }
 async function runKarma({ hostInKarma, main, browser }) {
+ fs.emptyDirSync(CHROME_USER_DATA_FOLDER);
 const selfHostFlag = hostInKarma ? '--self-host' : '';
 await runInShell(
 `npx karma start --single-run --browsers ${browser} ${selfHostFlag} --test-main=${main} --user-data=${CHROME_USER_DATA_FOLDER}`);
diff --git a/js/web/test/e2e/simple-http-server.js b/js/web/test/e2e/simple-http-server.js
index a6ae8c7e9b..83866dfc31 100644
--- a/js/web/test/e2e/simple-http-server.js
+++ b/js/web/test/e2e/simple-http-server.js
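Review bot: `fs.emptyDirSync` is an fs-extra API, not a method of Node's core `fs` module, so the line added to `runKarma` only works if the `fs` binding at the top of run.js (outside this hunk) is `require('fs-extra')`; with the core module it throws a TypeError before Karma is launched, so please confirm the import. The call also deletes everything under CHROME_USER_DATA_FOLDER, which is only safe while that constant names a directory dedicated to the test browser profile, so a comment such as `// wipe the Chrome profile so each run starts clean; CHROME_USER_DATA_FOLDER must be a dedicated directory` above it would protect the next person who re-points the constant. This change is unrelated to the path-injection fix named in the subject and would be easier to review as its own commit. The body of runKarma continues past the end of the hunk.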
@@ -6,58 +6,54 @@ // this is a simple HTTP server that enables CORS. // following code is based on https://developer.mozilla.org/en-US/docs/Learn/Server-side/Node_server_without_framework -var http = require('http'); -var fs = require('fs'); -var path = require('path'); +const http = require('http'); +const fs = require('fs'); +const path = require('path'); -var simpleProxies = { - './ort-wasm.wasm': './ort-wasm.wasm' +const validRequests = { + // .wasm files + '/dist/ort-wasm.wasm': ['dist/ort-wasm.wasm', 'application/wasm'], + '/dist/ort-wasm-simd.wasm': ['dist/ort-wasm-simd.wasm', 'application/wasm'], + '/dist/ort-wasm-threaded.wasm': ['dist/ort-wasm-threaded.wasm', 'application/wasm'], + '/dist/ort-wasm-simd-threaded.wasm': ['dist/ort-wasm-simd-threaded.wasm', 'application/wasm'], + + // proxied .wasm files: + '/test-wasm-path-override/ort-wasm.wasm': ['dist/ort-wasm.wasm', 'application/wasm'], + //'/test-wasm-path-override/renamed.wasm': ['dist/ort-wasm.wasm', 'application/wasm'], + + // .js files + '/dist/ort.min.js': ['dist/ort.min.js', 'text/javascript'], + '/dist/ort.js': ['dist/ort.js', 'text/javascript'], }; module.exports = function (dir) { http.createServer(function (request, response) { console.log('request ', request.url); - var filePath = '.' + (simpleProxies[request.url] ?? 
request.url); - - var extname = String(path.extname(filePath)).toLowerCase(); - var mimeTypes = { - '.html': 'text/html', - '.js': 'text/javascript', - '.css': 'text/css', - '.json': 'application/json', - '.png': 'image/png', - '.jpg': 'image/jpg', - '.gif': 'image/gif', - '.svg': 'image/svg+xml', - '.wav': 'audio/wav', - '.mp4': 'video/mp4', - '.woff': 'application/font-woff', - '.ttf': 'application/font-ttf', - '.eot': 'application/vnd.ms-fontobject', - '.otf': 'application/font-otf', - '.wasm': 'application/wasm' - }; - - var contentType = mimeTypes[extname] || 'application/octet-stream'; - - fs.readFile(path.resolve(dir, filePath), function (error, content) { - if (error) { - if (error.code == 'ENOENT') { - response.writeHead(404); - response.end('404'); + const requestData = validRequests[request.url]; + if (!request) { + response.writeHead(404); + response.end('404'); + } else { + const [filePath, contentType] = requestData; + fs.readFile(path.resolve(dir, filePath), function (error, content) { + if (error) { + if (error.code == 'ENOENT') { + response.writeHead(404); + response.end('404'); + } + else { + response.writeHead(500); + response.end('500'); + } } else { - response.writeHead(500); - response.end('500'); + response.setHeader('access-control-allow-origin', '*'); + response.writeHead(200, { 'Content-Type': contentType }); + response.end(content, 'utf-8'); } - } - else { - response.setHeader('access-control-allow-origin', '*'); - response.writeHead(200, { 'Content-Type': contentType }); - response.end(content, 'utf-8'); - } - }); + }); + } }).listen(8081); console.log('Server running at http://127.0.0.1:8081/');
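Review bot: The allow-list check in the new request handler tests the wrong variable: `if (!request)` is always false because `request` is the IncomingMessage, so an unlisted URL (even a plain `/`) leaves `requestData` undefined and `const [filePath, contentType] = requestData;` throws a TypeError inside the http callback, which, absent an uncaughtException handler, terminates the test server instead of answering 404. The line should read `if (!requestData) {`. The allow-list itself is the right fix for the CodeQL finding, since the filesystem path now comes from the table rather than from `request.url`; because `request.url` is used verbatim as the key, a query string or trailing slash on an otherwise valid path also ends in the 404 branch, which is fine for a test server but deserves a comment such as `// exact-match lookup: query strings and path variants are deliberately rejected`. The closing brace of the exported function lies past the end of the hunk.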