import http from 'http';
import {Readable} from 'stream';
import open from 'open';
import openURLMiddleware from '../openURLMiddleware';
// Auto-mock `open` so no browser or shell is ever launched from the tests;
// the rejection cases below assert that the mock was never called.
jest.mock('open');
/**
 * Builds a minimal `http.IncomingMessage` stand-in: a readable stream that
 * is pre-loaded with the JSON-encoded `body` and already at EOF, decorated
 * with the `method`, a fixed `url` of `/` and JSON content headers.
 *
 * The `content-length` header reflects the UTF-8 byte length of the payload
 * (not its character count), so non-ASCII fixtures advertise the right size.
 */
function createMockRequest(method: string, body: object): http.IncomingMessage {
  const payload = JSON.stringify(body);
  const stream = new Readable();
  // Queue the whole body up front and signal EOF so a consumer can drain it
  // without a `read()` implementation ever being invoked.
  stream.push(payload);
  stream.push(null);
  const headers = {
    'content-type': 'application/json',
    'content-length': String(Buffer.byteLength(payload)),
  };
  // Only the fields the middleware is expected to touch are provided; the
  // double assertion is needed because a bare Readable is not a real request.
  return Object.assign(stream, {method, url: '/', headers}) as unknown as http.IncomingMessage;
}
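describe('openURLMiddleware', () => {
  let res: jest.Mocked<http.ServerResponse>;
  let next: jest.Mock;

  beforeEach(() => {
    // Only the response methods the middleware is expected to call are mocked.
    res = {
      writeHead: jest.fn(),
      end: jest.fn(),
      setHeader: jest.fn(),
    } as any;
    next = jest.fn();
    // Drop recorded calls (including on the mocked `open`) between tests so a
    // call made by one case cannot satisfy or break the assertions of another.
    jest.clearAllMocks();
  });

  afterEach(() => {
    jest.restoreAllMocks();
  });

  /**
   * Sends a POST with body `{url}` through the middleware and asserts that it
   * is rejected: HTTP 400, `res.end` called with `message`, and `open` never
   * invoked. Completes the test via `done`.
   *
   * The assertions live inside the `res.end` mock because the middleware
   * consumes the request body asynchronously; jest records a mock call before
   * running its implementation, so `toHaveBeenCalledWith(message)` observes
   * the arguments of the very call that is executing.
   *
   * A rejected request must never reach `next()`, so that path fails the test
   * immediately instead of letting it hang until the jest timeout.
   */
  function expectRejected(url: unknown, message: string, done: jest.DoneCallback): void {
    const req = createMockRequest('POST', {url});
    next = jest.fn(() => done(new Error('next() must not be called for a rejected URL')));
    res.end = jest.fn(() => {
      try {
        expect(open).not.toHaveBeenCalled();
        expect(res.writeHead).toHaveBeenCalledWith(400);
        expect(res.end).toHaveBeenCalledWith(message);
        done();
      } catch (error) {
        done(error);
      }
    }) as any;
    openURLMiddleware(req, res, next);
  }

  test('should return 400 for non-string URL', (done) => {
    // Type check happens before any URL parsing, hence the distinct message.
    expectRejected(123, 'URL must be a string', done);
  });

  // CVE-2025-11953
  test('should reject malicious URL with invalid hostname', (done) => {
    // `$(...)` is not valid in a hostname; a parser-level check must refuse it
    // rather than forwarding the string to `open`.
    expectRejected('https://www.$(calc.exe).com/foo', 'Invalid URL', done);
  });

  // CVE-2025-11953
  test('should reject URL with Windows pipe separator', (done) => {
    // `|` in the query is the shell-separator vector from the CVE; it must be
    // rejected outright, not merely escaped.
    expectRejected('https://evil.com?|calc.exe', 'Invalid URL', done);
  });

  // CVE-2025-11953
  test('should reject URL with Windows command exfiltration', (done) => {
    // Encodes to reveal %BETA% env var: `¾` percent-encodes to `%C2%BE`, so the
    // normalised query becomes `%%C2%BETA%`, which contains `%BETA%`. A check
    // that only scans the raw input for `%NAME%` patterns would miss this.
    expectRejected('https://example.com/?a=%¾TA%', 'Invalid URL', done);
  });
});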