237899745/vue-driven-cloud-storage
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
a86903fcdc48e464553d0d414f675dd0f044c694
vue-driven-cloud-storage/backend/tests/boundary-tests.js
237899745 4350113979 fix: 修复配额说明重复和undefined问题 
- 在editStorageForm中初始化oss_storage_quota_value和oss_quota_unit
- 删除重复的旧配额说明块,保留新的当前配额设置显示

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 19:39:53 +08:00

935 lines
31 KiB
JavaScript
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
/**
* 边界条件和异常处理测试套件
*
* 测试范围:
* 1. 输入边界测试空字符串、超长字符串、特殊字符、SQL注入、XSS
* 2. 文件操作边界测试(空文件、超大文件、特殊字符文件名、深层目录)
* 3. 网络异常测试超时、断连、OSS连接失败
* 4. 并发操作测试(多文件上传、多文件删除、重复提交)
* 5. 状态一致性测试刷新恢复、Token过期、存储切换
*/
const assert = require('assert');
const path = require('path');
const fs = require('fs');
// 主函数包装器(支持 async/await
async function runTests() {
// 测试结果收集器
const testResults = {
passed: 0,
failed: 0,
errors: []
};
// 测试辅助函数
function test(name, fn) {
try {
fn();
testResults.passed++;
console.log(` [PASS] ${name}`);
} catch (error) {
testResults.failed++;
testResults.errors.push({ name, error: error.message });
console.log(` [FAIL] ${name}: ${error.message}`);
}
}
async function asyncTest(name, fn) {
try {
await fn();
testResults.passed++;
console.log(` [PASS] ${name}`);
} catch (error) {
testResults.failed++;
testResults.errors.push({ name, error: error.message });
console.log(` [FAIL] ${name}: ${error.message}`);
}
}
// ============================================================
// 1. 输入边界测试
// ============================================================
console.log('\n========== 1. 输入边界测试 ==========\n');
// 测试 sanitizeInput 函数
function testSanitizeInput() {
console.log('--- 测试 XSS 过滤函数 sanitizeInput ---');
// 从 server.js 复制的 sanitizeInput 函数
function sanitizeInput(str) {
if (typeof str !== 'string') return str;
let sanitized = str
.replace(/[&<>"']/g, (char) => {
const map = {
'&': '&amp;',
'<': '&lt;',
'>': '&gt;',
'"': '&quot;',
"'": '&#x27;'
};
return map[char];
});
sanitized = sanitized.replace(/(?:javascript|data|vbscript|expression|on\w+)\s*:/gi, '');
sanitized = sanitized.replace(/\x00/g, '');
return sanitized;
}
// 空字符串测试
test('空字符串输入应该返回空字符串', () => {
assert.strictEqual(sanitizeInput(''), '');
});
// 超长字符串测试
test('超长字符串应该被正确处理', () => {
const longStr = 'a'.repeat(100000);
const result = sanitizeInput(longStr);
assert.strictEqual(result.length, 100000);
});
// 特殊字符测试
test('HTML 特殊字符应该被转义', () => {
assert.strictEqual(sanitizeInput('<script>'), '&lt;script&gt;');
assert.strictEqual(sanitizeInput('"test"'), '&quot;test&quot;');
assert.strictEqual(sanitizeInput("'test'"), '&#x27;test&#x27;');
assert.strictEqual(sanitizeInput('&test&'), '&amp;test&amp;');
});
// SQL 注入测试字符串
test('SQL 注入尝试应该被转义', () => {
const sqlInjections = [
"'; DROP TABLE users; --",
"1' OR '1'='1",
"admin'--",
"1; DELETE FROM users",
"' UNION SELECT * FROM users --"
];
sqlInjections.forEach(sql => {
const result = sanitizeInput(sql);
// 确保引号被转义
assert.ok(!result.includes("'") || result.includes('&#x27;'), `SQL injection not escaped: ${sql}`);
});
});
// XSS 测试字符串
test('XSS 攻击尝试应该被过滤', () => {
const xssTests = [
'<script>alert("XSS")</script>',
'<img src="x" onerror="alert(1)">',
'<a href="javascript:alert(1)">click</a>',
'<div onmouseover="alert(1)">hover</div>',
'javascript:alert(1)',
'data:text/html,<script>alert(1)</script>'
];
xssTests.forEach(xss => {
const result = sanitizeInput(xss);
assert.ok(!result.includes('<script>'), `XSS script tag not escaped: ${xss}`);
assert.ok(!result.includes('javascript:'), `XSS javascript: not filtered: ${xss}`);
});
});
// 空字节注入测试
test('空字节注入应该被过滤', () => {
assert.ok(!sanitizeInput('test\x00.txt').includes('\x00'));
assert.ok(!sanitizeInput('file\x00.jpg').includes('\x00'));
});
// null/undefined 测试
test('非字符串输入应该原样返回', () => {
assert.strictEqual(sanitizeInput(null), null);
assert.strictEqual(sanitizeInput(undefined), undefined);
assert.strictEqual(sanitizeInput(123), 123);
});
}
testSanitizeInput();
// 测试密码验证
function testPasswordValidation() {
console.log('\n--- 测试密码强度验证 ---');
function validatePasswordStrength(password) {
if (!password || password.length < 8) {
return { valid: false, message: '密码至少8个字符' };
}
if (password.length > 128) {
return { valid: false, message: '密码不能超过128个字符' };
}
const hasLetter = /[a-zA-Z]/.test(password);
const hasNumber = /[0-9]/.test(password);
const hasSpecial = /[!@#$%^&*(),.?":{}|<>_\-+=\[\]\\\/`~]/.test(password);
const typeCount = [hasLetter, hasNumber, hasSpecial].filter(Boolean).length;
if (typeCount < 2) {
return { valid: false, message: '密码必须包含字母、数字、特殊字符中的至少两种' };
}
const commonWeakPasswords = [
'password', '12345678', '123456789', 'qwerty123', 'admin123',
'letmein', 'welcome', 'monkey', 'dragon', 'master'
];
if (commonWeakPasswords.includes(password.toLowerCase())) {
return { valid: false, message: '密码过于简单,请使用更复杂的密码' };
}
return { valid: true };
}
test('空密码应该被拒绝', () => {
assert.strictEqual(validatePasswordStrength('').valid, false);
assert.strictEqual(validatePasswordStrength(null).valid, false);
});
test('过短密码应该被拒绝', () => {
assert.strictEqual(validatePasswordStrength('abc123!').valid, false);
assert.strictEqual(validatePasswordStrength('1234567').valid, false);
});
test('超长密码应该被拒绝', () => {
const longPassword = 'a'.repeat(129) + '1';
assert.strictEqual(validatePasswordStrength(longPassword).valid, false);
});
test('纯数字密码应该被拒绝', () => {
assert.strictEqual(validatePasswordStrength('12345678').valid, false);
});
test('纯字母密码应该被拒绝', () => {
assert.strictEqual(validatePasswordStrength('abcdefgh').valid, false);
});
test('常见弱密码应该被拒绝', () => {
assert.strictEqual(validatePasswordStrength('password').valid, false);
assert.strictEqual(validatePasswordStrength('admin123').valid, false);
});
test('复杂密码应该被接受', () => {
assert.strictEqual(validatePasswordStrength('MySecure123!').valid, true);
assert.strictEqual(validatePasswordStrength('Test_Pass_2024').valid, true);
});
}
testPasswordValidation();
// 测试用户名验证
function testUsernameValidation() {
console.log('\n--- 测试用户名验证 ---');
const USERNAME_REGEX = /^[A-Za-z0-9_.\u4e00-\u9fa5-]{3,20}$/u;
test('过短用户名应该被拒绝', () => {
assert.strictEqual(USERNAME_REGEX.test('ab'), false);
assert.strictEqual(USERNAME_REGEX.test('a'), false);
assert.strictEqual(USERNAME_REGEX.test(''), false);
});
test('过长用户名应该被拒绝', () => {
assert.strictEqual(USERNAME_REGEX.test('a'.repeat(21)), false);
});
test('包含非法字符的用户名应该被拒绝', () => {
assert.strictEqual(USERNAME_REGEX.test('user@name'), false);
assert.strictEqual(USERNAME_REGEX.test('user name'), false);
assert.strictEqual(USERNAME_REGEX.test('user<script>'), false);
assert.strictEqual(USERNAME_REGEX.test("user'name"), false);
});
test('合法用户名应该被接受', () => {
assert.strictEqual(USERNAME_REGEX.test('user123'), true);
assert.strictEqual(USERNAME_REGEX.test('test_user'), true);
assert.strictEqual(USERNAME_REGEX.test('test.user'), true);
assert.strictEqual(USERNAME_REGEX.test('test-user'), true);
assert.strictEqual(USERNAME_REGEX.test('用户名'), true);
assert.strictEqual(USERNAME_REGEX.test('中文用户_123'), true);
});
}
testUsernameValidation();
// ============================================================
// 2. 文件操作边界测试
// ============================================================
console.log('\n========== 2. 文件操作边界测试 ==========\n');
function testPathSecurity() {
console.log('--- 测试路径安全校验 ---');
function isSafePathSegment(name) {
return (
typeof name === 'string' &&
name.length > 0 &&
name.length <= 255 &&
!name.includes('..') &&
!/[/\\]/.test(name) &&
!/[\x00-\x1F]/.test(name)
);
}
test('空文件名应该被拒绝', () => {
assert.strictEqual(isSafePathSegment(''), false);
});
test('超长文件名应该被拒绝', () => {
assert.strictEqual(isSafePathSegment('a'.repeat(256)), false);
});
test('包含路径遍历的文件名应该被拒绝', () => {
assert.strictEqual(isSafePathSegment('..'), false);
assert.strictEqual(isSafePathSegment('../etc/passwd'), false);
assert.strictEqual(isSafePathSegment('test/../../../'), false);
});
test('包含路径分隔符的文件名应该被拒绝', () => {
assert.strictEqual(isSafePathSegment('test/file'), false);
assert.strictEqual(isSafePathSegment('test\\file'), false);
});
test('包含控制字符的文件名应该被拒绝', () => {
assert.strictEqual(isSafePathSegment('test\x00file'), false);
assert.strictEqual(isSafePathSegment('test\x1Ffile'), false);
});
test('合法文件名应该被接受', () => {
assert.strictEqual(isSafePathSegment('normal_file.txt'), true);
assert.strictEqual(isSafePathSegment('中文文件名.pdf'), true);
assert.strictEqual(isSafePathSegment('file with spaces.doc'), true);
assert.strictEqual(isSafePathSegment('file-with-dashes.js'), true);
assert.strictEqual(isSafePathSegment('file.name.with.dots.txt'), true);
});
}
testPathSecurity();
function testFileExtensionSecurity() {
console.log('\n--- 测试文件扩展名安全 ---');
const DANGEROUS_EXTENSIONS = [
'.php', '.php3', '.php4', '.php5', '.phtml', '.phar',
'.jsp', '.jspx', '.jsw', '.jsv', '.jspf',
'.asp', '.aspx', '.asa', '.asax', '.ascx', '.ashx', '.asmx',
'.htaccess', '.htpasswd'
];
function isFileExtensionSafe(filename) {
if (!filename || typeof filename !== 'string') return false;
const ext = path.extname(filename).toLowerCase();
if (DANGEROUS_EXTENSIONS.includes(ext)) {
return false;
}
const nameLower = filename.toLowerCase();
for (const dangerExt of DANGEROUS_EXTENSIONS) {
if (nameLower.includes(dangerExt + '.')) {
return false;
}
}
return true;
}
test('PHP 文件应该被拒绝', () => {
assert.strictEqual(isFileExtensionSafe('test.php'), false);
assert.strictEqual(isFileExtensionSafe('shell.phtml'), false);
assert.strictEqual(isFileExtensionSafe('backdoor.phar'), false);
});
test('JSP 文件应该被拒绝', () => {
assert.strictEqual(isFileExtensionSafe('test.jsp'), false);
assert.strictEqual(isFileExtensionSafe('test.jspx'), false);
});
test('ASP 文件应该被拒绝', () => {
assert.strictEqual(isFileExtensionSafe('test.asp'), false);
assert.strictEqual(isFileExtensionSafe('test.aspx'), false);
});
test('双扩展名攻击应该被拒绝', () => {
assert.strictEqual(isFileExtensionSafe('shell.php.jpg'), false);
assert.strictEqual(isFileExtensionSafe('backdoor.jsp.png'), false);
});
test('.htaccess 和 .htpasswd 文件应该被拒绝', () => {
// 更新测试以匹配修复后的 isFileExtensionSafe 函数
// 现在会检查 dangerousFilenames 列表
const dangerousFilenames = ['.htaccess', '.htpasswd'];
function isFileExtensionSafeFixed(filename) {
if (!filename || typeof filename !== 'string') return false;
const ext = path.extname(filename).toLowerCase();
const nameLower = filename.toLowerCase();
if (DANGEROUS_EXTENSIONS.includes(ext)) {
return false;
}
// 特殊处理:检查以危险名称开头的文件
if (dangerousFilenames.includes(nameLower)) {
return false;
}
for (const dangerExt of DANGEROUS_EXTENSIONS) {
if (nameLower.includes(dangerExt + '.')) {
return false;
}
}
return true;
}
assert.strictEqual(isFileExtensionSafeFixed('.htaccess'), false);
assert.strictEqual(isFileExtensionSafeFixed('.htpasswd'), false);
});
test('正常文件应该被接受', () => {
assert.strictEqual(isFileExtensionSafe('document.pdf'), true);
assert.strictEqual(isFileExtensionSafe('image.jpg'), true);
assert.strictEqual(isFileExtensionSafe('video.mp4'), true);
assert.strictEqual(isFileExtensionSafe('archive.zip'), true);
assert.strictEqual(isFileExtensionSafe('script.js'), true);
assert.strictEqual(isFileExtensionSafe('program.exe'), true); // 允许exe因为服务器不会执行
});
test('空或非法输入应该被拒绝', () => {
assert.strictEqual(isFileExtensionSafe(''), false);
assert.strictEqual(isFileExtensionSafe(null), false);
assert.strictEqual(isFileExtensionSafe(undefined), false);
});
}
testFileExtensionSecurity();
// ============================================================
// 3. 存储路径安全测试
// ============================================================
console.log('\n========== 3. 存储路径安全测试 ==========\n');
function testLocalStoragePath() {
console.log('--- 测试本地存储路径安全 ---');
// 精确模拟 LocalStorageClient.getFullPath 方法(与 storage.js 保持一致)
function getFullPath(basePath, relativePath) {
// 0. 输入验证:检查空字节注入和其他危险字符
if (typeof relativePath !== 'string') {
throw new Error('无效的路径类型');
}
// 检查空字节注入(%00, \x00
if (relativePath.includes('\x00') || relativePath.includes('%00')) {
console.warn('[安全] 检测到空字节注入尝试:', relativePath);
throw new Error('路径包含非法字符');
}
// 1. 规范化路径,移除 ../ 等危险路径
let normalized = path.normalize(relativePath || '').replace(/^(\.\.[\/\\])+/, '');
// 2. 额外检查:移除路径中间的 .. (防止 a/../../../etc/passwd 绕过)
// 解析后的路径不应包含 ..
if (normalized.includes('..')) {
console.warn('[安全] 检测到目录遍历尝试:', relativePath);
throw new Error('路径包含非法字符');
}
// 3. 将绝对路径转换为相对路径解决Linux环境下的问题
if (path.isAbsolute(normalized)) {
// 移除开头的 / 或 Windows 盘符,转为相对路径
normalized = normalized.replace(/^[\/\\]+/, '').replace(/^[a-zA-Z]:/, '');
}
// 4. 空字符串或 . 表示根目录
if (normalized === '' || normalized === '.') {
return basePath;
}
// 5. 拼接完整路径
const fullPath = path.join(basePath, normalized);
// 6. 解析真实路径(处理符号链接)后再次验证
const resolvedBasePath = path.resolve(basePath);
const resolvedFullPath = path.resolve(fullPath);
// 7. 安全检查:确保路径在用户目录内(防止目录遍历攻击)
if (!resolvedFullPath.startsWith(resolvedBasePath)) {
console.warn('[安全] 检测到路径遍历攻击:', {
input: relativePath,
resolved: resolvedFullPath,
base: resolvedBasePath
});
throw new Error('非法路径访问');
}
return fullPath;
}
const basePath = '/tmp/storage/user_1';
test('正常相对路径应该被接受', () => {
const result = getFullPath(basePath, 'documents/file.txt');
assert.ok(result.includes('documents'));
assert.ok(result.includes('file.txt'));
});
test('路径遍历攻击应该被安全处理(开头的..被移除)', () => {
// ../../../etc/passwd 经过 normalize 和 replace 后变成 etc/passwd
// 最终路径会被沙箱化到用户目录内
const result = getFullPath(basePath, '../../../etc/passwd');
// 验证结果路径在用户基础路径内
assert.ok(result.startsWith(basePath), `路径 ${result} 应该以 ${basePath} 开头`);
// 验证解析后的路径确实在基础路径内
const resolved = path.resolve(result);
const baseResolved = path.resolve(basePath);
assert.ok(resolved.startsWith(baseResolved), '解析后的路径应该在用户目录内');
});
test('路径遍历攻击应该被安全处理(中间的..被移除)', () => {
// a/../../../etc/passwd 经过 normalize 变成 ../../etc/passwd
// 然后经过 replace 变成 etc/passwd最终被沙箱化
const result = getFullPath(basePath, 'a/../../../etc/passwd');
assert.ok(result.startsWith(basePath), `路径 ${result} 应该以 ${basePath} 开头`);
const resolved = path.resolve(result);
const baseResolved = path.resolve(basePath);
assert.ok(resolved.startsWith(baseResolved), '解析后的路径应该在用户目录内');
});
test('空字节注入应该被拒绝', () => {
assert.throws(() => getFullPath(basePath, 'file\x00.txt'), /非法/);
assert.throws(() => getFullPath(basePath, 'file%00.txt'), /非法/);
});
test('绝对路径应该被安全处理(转换为相对路径)', () => {
// /etc/passwd 会被转换为 etc/passwd然后拼接到 basePath
const result = getFullPath(basePath, '/etc/passwd');
assert.ok(result.startsWith(basePath), `路径 ${result} 应该以 ${basePath} 开头`);
// 最终路径应该是 basePath/etc/passwd
assert.ok(result.includes('etc') && result.includes('passwd'));
// 确保是安全的子路径而不是真正的 /etc/passwd
const resolved = path.resolve(result);
const baseResolved = path.resolve(basePath);
assert.ok(resolved.startsWith(baseResolved), '解析后的路径应该在用户目录内');
});
test('空路径应该返回基础路径', () => {
assert.strictEqual(getFullPath(basePath, ''), basePath);
assert.strictEqual(getFullPath(basePath, '.'), basePath);
});
}
testLocalStoragePath();
// ============================================================
// 4. Token 验证测试
// ============================================================
console.log('\n========== 4. Token 验证测试 ==========\n');
function testTokenValidation() {
console.log('--- 测试 Token 格式验证 ---');
// 验证 token 格式hex 字符串)
function isValidTokenFormat(token) {
if (!token || typeof token !== 'string') {
return false;
}
return /^[a-f0-9]{32,96}$/i.test(token);
}
test('空 token 应该被拒绝', () => {
assert.strictEqual(isValidTokenFormat(''), false);
assert.strictEqual(isValidTokenFormat(null), false);
assert.strictEqual(isValidTokenFormat(undefined), false);
});
test('过短 token 应该被拒绝', () => {
assert.strictEqual(isValidTokenFormat('abc123'), false);
assert.strictEqual(isValidTokenFormat('a'.repeat(31)), false);
});
test('过长 token 应该被拒绝', () => {
assert.strictEqual(isValidTokenFormat('a'.repeat(97)), false);
});
test('非 hex 字符 token 应该被拒绝', () => {
assert.strictEqual(isValidTokenFormat('g'.repeat(48)), false);
assert.strictEqual(isValidTokenFormat('test-token-123'), false);
assert.strictEqual(isValidTokenFormat('<script>alert(1)</script>'), false);
});
test('合法 token 应该被接受', () => {
assert.strictEqual(isValidTokenFormat('a'.repeat(48)), true);
assert.strictEqual(isValidTokenFormat('abcdef123456'.repeat(4)), true);
assert.strictEqual(isValidTokenFormat('ABCDEF123456'.repeat(4)), true);
});
}
testTokenValidation();
// ============================================================
// 5. 并发和竞态条件测试
// ============================================================
console.log('\n========== 5. 并发和竞态条件测试 ==========\n');
async function testRateLimiter() {
console.log('--- 测试速率限制器 ---');
// 简化版 RateLimiter
class RateLimiter {
constructor(options = {}) {
this.maxAttempts = options.maxAttempts || 5;
this.windowMs = options.windowMs || 15 * 60 * 1000;
this.blockDuration = options.blockDuration || 30 * 60 * 1000;
this.attempts = new Map();
this.blockedKeys = new Map();
}
isBlocked(key) {
const blockInfo = this.blockedKeys.get(key);
if (!blockInfo) return false;
if (Date.now() > blockInfo.expiresAt) {
this.blockedKeys.delete(key);
this.attempts.delete(key);
return false;
}
return true;
}
recordFailure(key) {
const now = Date.now();
if (this.isBlocked(key)) {
return { blocked: true };
}
let attemptInfo = this.attempts.get(key);
if (!attemptInfo || now > attemptInfo.windowEnd) {
attemptInfo = { count: 0, windowEnd: now + this.windowMs };
}
attemptInfo.count++;
this.attempts.set(key, attemptInfo);
if (attemptInfo.count >= this.maxAttempts) {
this.blockedKeys.set(key, {
expiresAt: now + this.blockDuration
});
return { blocked: true, remainingAttempts: 0 };
}
return {
blocked: false,
remainingAttempts: this.maxAttempts - attemptInfo.count
};
}
recordSuccess(key) {
this.attempts.delete(key);
this.blockedKeys.delete(key);
}
getFailureCount(key) {
const attemptInfo = this.attempts.get(key);
if (!attemptInfo || Date.now() > attemptInfo.windowEnd) {
return 0;
}
return attemptInfo.count;
}
}
const limiter = new RateLimiter({ maxAttempts: 3, windowMs: 1000, blockDuration: 1000 });
await asyncTest('首次请求应该不被阻止', async () => {
const result = limiter.recordFailure('test-ip-1');
assert.strictEqual(result.blocked, false);
assert.strictEqual(result.remainingAttempts, 2);
});
await asyncTest('达到限制后应该被阻止', async () => {
const key = 'test-ip-2';
limiter.recordFailure(key);
limiter.recordFailure(key);
const result = limiter.recordFailure(key);
assert.strictEqual(result.blocked, true);
assert.strictEqual(limiter.isBlocked(key), true);
});
await asyncTest('成功后应该清除计数', async () => {
const key = 'test-ip-3';
limiter.recordFailure(key);
limiter.recordFailure(key);
limiter.recordSuccess(key);
assert.strictEqual(limiter.getFailureCount(key), 0);
assert.strictEqual(limiter.isBlocked(key), false);
});
await asyncTest('阻止过期后应该自动解除', async () => {
const key = 'test-ip-4';
limiter.recordFailure(key);
limiter.recordFailure(key);
limiter.recordFailure(key);
// 模拟时间过期
const blockInfo = limiter.blockedKeys.get(key);
if (blockInfo) {
blockInfo.expiresAt = Date.now() - 1;
}
assert.strictEqual(limiter.isBlocked(key), false);
});
}
await testRateLimiter();
// ============================================================
// 6. 数据库操作边界测试
// ============================================================
console.log('\n========== 6. 数据库操作边界测试 ==========\n');
function testDatabaseFieldWhitelist() {
console.log('--- 测试数据库字段白名单 ---');
const ALLOWED_FIELDS = [
'username', 'email', 'password',
'oss_provider', 'oss_region', 'oss_access_key_id', 'oss_access_key_secret', 'oss_bucket', 'oss_endpoint',
'upload_api_key', 'is_admin', 'is_active', 'is_banned', 'has_oss_config',
'is_verified', 'verification_token', 'verification_expires_at',
'storage_permission', 'current_storage_type', 'local_storage_quota', 'local_storage_used',
'theme_preference'
];
function filterUpdates(updates) {
const filtered = {};
for (const [key, value] of Object.entries(updates)) {
if (ALLOWED_FIELDS.includes(key)) {
filtered[key] = value;
}
}
return filtered;
}
test('合法字段应该被保留', () => {
const updates = { username: 'newname', email: 'new@email.com' };
const filtered = filterUpdates(updates);
assert.strictEqual(filtered.username, 'newname');
assert.strictEqual(filtered.email, 'new@email.com');
});
test('非法字段应该被过滤', () => {
const updates = {
username: 'newname',
id: 999, // 尝试修改 ID
is_admin: 1, // 合法字段
sql_injection: "'; DROP TABLE users; --" // 非法字段
};
const filtered = filterUpdates(updates);
assert.ok(!('id' in filtered));
assert.ok(!('sql_injection' in filtered));
assert.strictEqual(filtered.username, 'newname');
assert.strictEqual(filtered.is_admin, 1);
});
test('原型污染尝试应该被阻止', () => {
// 测试通过 JSON.parse 创建的包含 __proto__ 的对象
const maliciousJson = '{"username":"test","__proto__":{"isAdmin":true},"constructor":{"prototype":{}}}';
const updates = JSON.parse(maliciousJson);
const filtered = filterUpdates(updates);
// 即使 JSON.parse 创建了 __proto__ 属性,也不应该被处理
// 因为 Object.entries 不会遍历 __proto__
assert.strictEqual(filtered.username, 'test');
assert.ok(!('isAdmin' in filtered));
// 确保不会污染原型
assert.ok(!({}.isAdmin));
});
test('空对象应该返回空对象', () => {
const filtered = filterUpdates({});
assert.strictEqual(Object.keys(filtered).length, 0);
});
}
testDatabaseFieldWhitelist();
// ============================================================
// 7. HTML 实体解码测试
// ============================================================
console.log('\n========== 7. HTML 实体解码测试 ==========\n');
function testHtmlEntityDecoding() {
console.log('--- 测试 HTML 实体解码 ---');
function decodeHtmlEntities(str) {
if (typeof str !== 'string') return str;
const entityMap = {
amp: '&',
lt: '<',
gt: '>',
quot: '"',
apos: "'",
'#x27': "'",
'#x2F': '/',
'#x60': '`'
};
const decodeOnce = (input) =>
input.replace(/&(#x[0-9a-fA-F]+|#\d+|[a-zA-Z]+);/g, (match, code) => {
if (code[0] === '#') {
const isHex = code[1]?.toLowerCase() === 'x';
const num = isHex ? parseInt(code.slice(2), 16) : parseInt(code.slice(1), 10);
if (!Number.isNaN(num)) {
return String.fromCharCode(num);
}
return match;
}
const mapped = entityMap[code];
return mapped !== undefined ? mapped : match;
});
let output = str;
let decoded = decodeOnce(output);
while (decoded !== output) {
output = decoded;
decoded = decodeOnce(output);
}
return output;
}
test('基本 HTML 实体应该被解码', () => {
assert.strictEqual(decodeHtmlEntities('&lt;'), '<');
assert.strictEqual(decodeHtmlEntities('&gt;'), '>');
assert.strictEqual(decodeHtmlEntities('&amp;'), '&');
assert.strictEqual(decodeHtmlEntities('&quot;'), '"');
});
test('数字实体应该被解码', () => {
assert.strictEqual(decodeHtmlEntities('&#x27;'), "'");
assert.strictEqual(decodeHtmlEntities('&#39;'), "'");
assert.strictEqual(decodeHtmlEntities('&#x60;'), '`');
});
test('嵌套实体应该被完全解码', () => {
assert.strictEqual(decodeHtmlEntities('&amp;#x60;'), '`');
assert.strictEqual(decodeHtmlEntities('&amp;amp;'), '&');
});
test('普通文本应该保持不变', () => {
assert.strictEqual(decodeHtmlEntities('hello world'), 'hello world');
assert.strictEqual(decodeHtmlEntities('test123'), 'test123');
});
test('非字符串输入应该原样返回', () => {
assert.strictEqual(decodeHtmlEntities(null), null);
assert.strictEqual(decodeHtmlEntities(undefined), undefined);
assert.strictEqual(decodeHtmlEntities(123), 123);
});
}
testHtmlEntityDecoding();
// ============================================================
// 8. 分享路径权限测试
// ============================================================
console.log('\n========== 8. 分享路径权限测试 ==========\n');
function testSharePathAccess() {
console.log('--- 测试分享路径访问权限 ---');
function isPathWithinShare(requestPath, share) {
if (!requestPath || !share) {
return false;
}
const normalizedRequest = path.normalize(requestPath).replace(/^(\.\.[\/\\])+/, '').replace(/\\/g, '/');
const normalizedShare = path.normalize(share.share_path).replace(/\\/g, '/');
if (share.share_type === 'file') {
return normalizedRequest === normalizedShare;
} else {
const sharePrefix = normalizedShare.endsWith('/') ? normalizedShare : normalizedShare + '/';
return normalizedRequest === normalizedShare || normalizedRequest.startsWith(sharePrefix);
}
}
test('单文件分享只允许访问该文件', () => {
const share = { share_type: 'file', share_path: '/documents/secret.pdf' };
assert.strictEqual(isPathWithinShare('/documents/secret.pdf', share), true);
assert.strictEqual(isPathWithinShare('/documents/other.pdf', share), false);
assert.strictEqual(isPathWithinShare('/documents/secret.pdf.bak', share), false);
});
test('目录分享允许访问子目录', () => {
const share = { share_type: 'directory', share_path: '/shared' };
assert.strictEqual(isPathWithinShare('/shared', share), true);
assert.strictEqual(isPathWithinShare('/shared/file.txt', share), true);
assert.strictEqual(isPathWithinShare('/shared/sub/file.txt', share), true);
});
test('目录分享不允许访问父目录', () => {
const share = { share_type: 'directory', share_path: '/shared' };
assert.strictEqual(isPathWithinShare('/other', share), false);
assert.strictEqual(isPathWithinShare('/shared_extra', share), false);
assert.strictEqual(isPathWithinShare('/', share), false);
});
test('路径遍历攻击应该被阻止', () => {
const share = { share_type: 'directory', share_path: '/shared' };
assert.strictEqual(isPathWithinShare('/shared/../etc/passwd', share), false);
assert.strictEqual(isPathWithinShare('/shared/../../root', share), false);
});
test('空或无效输入应该返回 false', () => {
assert.strictEqual(isPathWithinShare('', { share_type: 'file', share_path: '/test' }), false);
assert.strictEqual(isPathWithinShare(null, { share_type: 'file', share_path: '/test' }), false);
assert.strictEqual(isPathWithinShare('/test', null), false);
});
}
testSharePathAccess();
// ============================================================
// 测试总结
// ============================================================
console.log('\n========================================');
console.log('测试总结');
console.log('========================================');
console.log(`通过: ${testResults.passed}`);
console.log(`失败: ${testResults.failed}`);
if (testResults.errors.length > 0) {
console.log('\n失败的测试:');
testResults.errors.forEach((e, i) => {
console.log(` ${i + 1}. ${e.name}: ${e.error}`);
});
}
console.log('\n');
// 返回测试结果
return testResults;
}
// 运行测试
runTests().then(testResults => {
// 如果有失败,退出码为 1
process.exit(testResults.failed > 0 ? 1 : 0);
}).catch(err => {
console.error('测试执行错误:', err);
process.exit(1);
});
Reference in New Issue View Git Blame Copy Permalink