-
Notifications
You must be signed in to change notification settings - Fork 66.9k
Expand file tree
/
Copy pathshielding.ts
More file actions
210 lines (192 loc) · 7.4 KB
/
shielding.ts
File metadata and controls
210 lines (192 loc) · 7.4 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
import { describe, expect, test } from 'vitest'
import { SURROGATE_ENUMS } from '@/frame/middleware/set-fastly-surrogate-key.js'
import { get } from '@/tests/helpers/e2etest.js'
describe('honeypotting', () => {
test('any GET with survey-vote and survey-token query strings is 400', async () => {
const res = await get('/en?survey-vote=1&survey-token=2')
expect(res.statusCode).toBe(400)
expect(res.body).toMatch(/Honeypotted/)
expect(res.headers['cache-control']).toMatch('private')
})
})
describe('junk paths', () => {
test('junk full pathname', async () => {
const res = await get('/xmlrpc.php')
expect(res.statusCode).toBe(404)
expect(res.headers['content-type']).toMatch('text/plain')
expect(res.headers['cache-control']).toMatch('public')
})
test('junk base name', async () => {
const res = await get('/en/get-started/.env.local')
expect(res.statusCode).toBe(404)
expect(res.headers['content-type']).toMatch('text/plain')
expect(res.headers['cache-control']).toMatch('public')
})
test.each(['/_nextanything', '/_next/data', '/_next/data/', '/_next/cgi/bin.foo'])(
'invalid requests for _next prefix %s',
async (path) => {
const res = await get(path)
expect(res.statusCode).toBe(404)
expect(res.headers['content-type']).toMatch('text/plain')
expect(res.headers['cache-control']).toMatch('public')
},
)
test('just _next', async () => {
const res = await get('/_next')
expect(res.statusCode).toBe(404)
})
test('with a starting /en/ but with a junk end', async () => {
const res = await get('/en/package-lock.json')
expect(res.statusCode).toBe(404)
expect(res.headers['content-type']).toMatch('text/plain')
})
})
describe('index.md and .md suffixes', () => {
test('any URL that ends with /index.md redirects', async () => {
// With language prefix
{
const res = await get('/en/get-started/index.md')
expect(res.statusCode).toBe(302)
expect(res.headers.location).toBe('/en/get-started')
}
// Without language prefix
{
const res = await get('/get-started/index.md')
expect(res.statusCode).toBe(302)
expect(res.headers.location).toBe('/get-started')
}
// With query string
{
const res = await get('/get-started/index.md?foo=bar')
expect(res.statusCode).toBe(302)
expect(res.headers.location).toBe('/get-started?foo=bar')
}
})
// TODO-ARTICLEAPI: unskip tests or replace when ready to ship article API
test('any URL that ends with /.md redirects', async () => {
// With language prefix
{
const res = await get('/en/get-started/hello.md')
expect(res.statusCode).toBe(302)
expect(res.headers.location).toBe('/api/article/body?pathname=/en/get-started/hello')
}
// Without language prefix
{
const res = await get('/get-started/hello.md')
expect(res.statusCode).toBe(302)
expect(res.headers.location).toBe('/api/article/body?pathname=/get-started/hello')
}
// With query string
{
const res = await get('/get-started/hello.md?foo=bar')
expect(res.statusCode).toBe(302)
expect(res.headers.location).toBe('/api/article/body?pathname=/get-started/hello')
}
})
})
describe('rate limiting', () => {
// We can't actually trigger a full rate limit because
// then all other tests will all fail. And we can't rely on this
// test always being run last.
test('only happens if you have junk query strings', async () => {
const res = await get('/robots.txt?foo=bar', {
headers: {
// Rate limiting only happens in production, so we need to
// make the environment look like production.
'fastly-client-ip': '0.0.0.0',
},
})
expect(res.statusCode).toBe(200)
const limit = parseInt(res.headers['ratelimit-limit'])
const remaining = parseInt(res.headers['ratelimit-remaining'])
expect(limit).toBeGreaterThan(0)
expect(remaining).toBeLessThan(limit)
// A second request
{
const res = await get('/robots.txt?foo=buzz', {
headers: {
'fastly-client-ip': '0.0.0.0',
},
})
expect(res.statusCode).toBe(200)
const newLimit = parseInt(res.headers['ratelimit-limit'])
const newRemaining = parseInt(res.headers['ratelimit-remaining'])
expect(newLimit).toBe(limit)
// Can't rely on `newRemaining == remaining - 1` because of
// concurrency of test-running.
expect(newRemaining).toBeLessThan(remaining)
}
})
test('nothing happens if no unrecognized query string', async () => {
const res = await get('/robots.txt')
expect(res.statusCode).toBe(200)
expect(res.headers['ratelimit-limit']).toBeUndefined()
expect(res.headers['ratelimit-remaining']).toBeUndefined()
})
test('Fastly IPs are not rate limited', async () => {
// Fastly IPs are in the form `X.X.X.X/Y`
// Rate limited IPs are in the form `X.X.X.X`
// Where the last X could be any 2-3 digit number
const mockFastlyIP = '23.235.32.0'
// Cookies only allows 1 request per minute
const res1 = await get('/api/cookies', {
headers: {
'fastly-client-ip': mockFastlyIP,
},
})
expect(res1.statusCode).toBe(200)
// A second request shouldn't be rate limited because it's from a Fastly IP
const res2 = await get('/api/cookies', {
headers: {
'fastly-client-ip': mockFastlyIP,
},
})
expect(res2.statusCode).toBe(200)
})
})
describe('404 pages and their content-type', () => {
const exampleNonLanguage404plain = ['/_next/image/foo']
test.each(exampleNonLanguage404plain)(
'non-language 404 response is plain text and cacheable: %s',
async (pathname) => {
const res = await get(pathname)
expect(res.statusCode).toBe(404)
expect(res.headers['content-type']).toMatch('text/plain')
expect(res.headers['cache-control']).toMatch('public')
},
)
const exampleNonLanguage404s = [
'/wp-content/themes/seotheme/db.php?u',
'/enterprise/3.1/_next/static/chunks/616-910d0397bafa52e0.js',
'/~root',
]
test.each(exampleNonLanguage404s)(
'non-language 404 response is html text and cacheable: %s',
async (pathname) => {
const res = await get(pathname)
expect(res.statusCode).toBe(404)
expect(res.headers['content-type']).toMatch('text/html; charset=utf-8')
expect(res.headers['cache-control']).toMatch('public')
},
)
test('valid language prefix 404 response is HTML', async () => {
const res = await get('/en/something-that-doesnt-existent')
expect(res.statusCode).toBe(404)
expect(res.headers['content-type']).toMatch('text/html')
expect(res.headers['cache-control']).toMatch('public')
expect(res.headers['cache-control']).toMatch(/max-age=\d\d+/)
const surrogateKeySplit = res.headers['surrogate-key'].split(/\s/g)
// The default is that it'll be purged at the next deploy.
expect(surrogateKeySplit.includes(SURROGATE_ENUMS.DEFAULT)).toBeTruthy()
expect(res.headers['surrogate-control']).toContain('public')
expect(res.headers['surrogate-control']).toMatch(/max-age=[1-9]/)
})
})
describe('/_next/data/... paths', () => {
test('invalid build ID', async () => {
const res = await get('/_next/data/madeupbutnotvalid/en/free-pro-team%40latest/pages.json')
expect(res.statusCode).toBe(404)
expect(res.headers['content-type']).toMatch('text/plain')
expect(res.headers['cache-control']).toMatch('public')
})
})