Fix arobson#160 Forward slash in passwords are not escaped

aankur · May 22, 2018 · 9530b06 · 9530b06
1 parent 78edb32
commit 9530b06
Show file tree

Hide file tree

Showing 3 changed files with 51 additions and 1 deletion.
diff --git a/package.json b/package.json
@@ -70,6 +70,7 @@
     "mocha-lcov-reporter": "^1.3.0",
     "nyc": "^10.3.2",
     "request": "^2.83.0",
+    "rewire": "^4.0.1",
     "semistandard": "^12.0.0",
     "sinon": "^4.0.2",
     "standard-version": "^4.3.0"

diff --git a/spec/unit/amqp/connection.spec.js b/spec/unit/amqp/connection.spec.js
@@ -0,0 +1,45 @@
+require('../../setup.js');
+var rewire = require('rewire');
+var connection = rewire('../../../src/amqp/connection.js');
+
+var pctEncodeForwardSlash = connection.__get__('pctEncodeForwardSlash');
+var Adapter = connection.__get__('Adapter');
+
+describe('pctEncodeForwardSlash', function () {
+  it('should encode / to %2F', function (done) {
+    pctEncodeForwardSlash('/').should.equal('%2F');
+    done();
+  });
+
+  it('should encode multiple occurrences of  / to %2F', function (done) {
+    pctEncodeForwardSlash('/test/').should.equal('%2Ftest%2F');
+    done();
+  });
+
+  it(`should not encode !#$&'()*+,:;=?@[]`, function (done) {
+    pctEncodeForwardSlash(`!#$&'()*+,:;=?@[]`).should.equal(`!#$&'()*+,:;=?@[]`);
+    done();
+  });
+});
+
+describe('getUri', function () {
+  var revert;
+  var pctEncodeForwardSlashMock;
+  beforeEach(function (done) {
+    pctEncodeForwardSlashMock = sinon.mock();
+    revert = connection.__set__('pctEncodeForwardSlash', pctEncodeForwardSlashMock);
+    done();
+  });
+  afterEach(function (done) {
+    revert();
+    done();
+  });
+
+  it('should call pctEncodeForwardSlash', function (done) {
+    var adapter = new Adapter({pass: '/password'});
+    adapter.getNextUri();
+    sinon.assert.calledOnce(pctEncodeForwardSlashMock);
+    sinon.assert.calledWith(pctEncodeForwardSlashMock, '/password');
+    done();
+  });
+});
diff --git a/src/amqp/connection.js b/src/amqp/connection.js
@@ -19,6 +19,10 @@ const os = require('os');
       * no reachable endpoints
 */
 
+function pctEncodeForwardSlash (arg) {
+  return arg.split('/').join('%2F');
+}
+
 function getArgs (fn) {
   const fnString = fn.toString();
   const argList = /[(]([^)]*)[)]/.exec(fnString)[ 1 ].split(',');
@@ -196,7 +200,7 @@ Adapter.prototype.bumpIndex = function () {
 Adapter.prototype.getNextUri = function () {
   const server = this.getNext(this.servers);
   const port = this.getNext(this.ports);
-  const uri = getUri(this.protocol, this.user, escape(this.pass), server, port, this.vhost, this.heartbeat);
+  const uri = getUri(this.protocol, this.user, pctEncodeForwardSlash(escape(this.pass)), server, port, this.vhost, this.heartbeat);
   return uri;
 };