feat: more tests

coratgerl · coratgerl · commit dfdaae45e332 · 2026-05-28T10:48:27.000+02:00
diff --git a/spec/FileNameNormalization.spec.js b/spec/FileNameNormalization.spec.js
@@ -95,6 +95,85 @@ describe_only_db('mongo')('Unicode filename normalization', () => {
     expect(documents.length).toBe(0);
   });
 
+  it('rejects invalid filepaths on download and delete routes', async () => {
+    const gfsAdapter = new GridFSBucketAdapter(databaseURI);
+    await reconfigureServer({
+      filesAdapter: gfsAdapter,
+      preserveFileName: true,
+    });
+
+    for (const method of ['GET', 'DELETE']) {
+      try {
+        await request({
+          method,
+          headers: {
+            'X-Parse-Application-Id': 'test',
+            'X-Parse-Master-Key': 'test',
+          },
+          url:
+            method === 'GET'
+              ? 'http://localhost:8378/1/files/test/foo%2F..%2Fbar'
+              : 'http://localhost:8378/1/files/foo%2F..%2Fbar',
+        });
+        fail(`should have rejected invalid filepath for ${method}`);
+      } catch (error) {
+        expect(error.status).toBe(400);
+        expect(error.data.code).toBe(Parse.Error.INVALID_FILE_NAME);
+      }
+    }
+  });
+
+  it('rejects reserved filepath segments on download routes', async () => {
+    const gfsAdapter = new GridFSBucketAdapter(databaseURI);
+    await reconfigureServer({
+      filesAdapter: gfsAdapter,
+      preserveFileName: true,
+    });
+
+    try {
+      await request({
+        method: 'GET',
+        url: 'http://localhost:8378/1/files/test/metadata%2Fevil.txt',
+      });
+      fail('should have rejected reserved filepath segment');
+    } catch (error) {
+      expect(error.status).toBe(400);
+      expect(error.data.code).toBe(Parse.Error.INVALID_FILE_NAME);
+      expect(error.data.error).toContain('reserved segment');
+    }
+  });
+
+  it('rejects invalid filepath renamed by beforeFind on download and metadata routes', async () => {
+    const gfsAdapter = new GridFSBucketAdapter(databaseURI);
+    await reconfigureServer({
+      filesAdapter: gfsAdapter,
+      preserveFileName: true,
+    });
+
+    const file = new Parse.File('good.txt', [1, 2, 3], 'text/plain');
+    await file.save({ useMasterKey: true });
+    Parse.Cloud.beforeFind(Parse.File, req => {
+      req.file._name = '../evil.txt';
+      return { file: req.file };
+    });
+
+    for (const url of [file.url(), `http://localhost:8378/1/files/test/metadata/${file._name}`]) {
+      try {
+        await request({
+          url,
+          headers: {
+            'X-Parse-Application-Id': 'test',
+            'X-Parse-Master-Key': 'test',
+          },
+        });
+        fail(`should have rejected renamed filepath for ${url}`);
+      } catch (error) {
+        expect(error.status).toBe(400);
+        expect(error.data.code).toBe(Parse.Error.INVALID_FILE_NAME);
+      }
+    }
+  });
+
   it('rejects path traversal in metadata download routes', async () => {
     const gfsAdapter = new GridFSBucketAdapter(databaseURI);
     await reconfigureServer({
diff --git a/spec/FilesController.spec.js b/spec/FilesController.spec.js
@@ -6,6 +6,7 @@ const GridFSBucketAdapter = require('../lib/Adapters/Files/GridFSBucketAdapter')
 const Config = require('../lib/Config');
 const FilesController = require('../lib/Controllers/FilesController').default;
 const {
+  normalizeFilename,
   validateFilename,
   validateFilepath,
 } = require('../lib/Adapters/Files/FilesAdapter');
@@ -262,4 +263,23 @@ describe('FilesController', () => {
       expect(validateFilepath(bad).code).toBe(Parse.Error.INVALID_FILE_NAME);
     }
   });
+
+  it('returns non-string filenames unchanged from normalizeFilename', () => {
+    expect(normalizeFilename(null)).toBeNull();
+    expect(normalizeFilename(42)).toBe(42);
+  });
+
+  it('rejects reserved filepath segments and invalid filename segments', () => {
+    const reservedError = validateFilepath('metadata/evil.txt');
+    expect(reservedError).not.toBeNull();
+    expect(reservedError.message).toContain('reserved segment');
+
+    const tooLongError = validateFilename(`_${'a'.repeat(128)}`);
+    expect(tooLongError).not.toBeNull();
+    expect(tooLongError.message).toContain('too long');
+
+    const invalidCharsError = validateFilename('bad?.txt');
+    expect(invalidCharsError).not.toBeNull();
+    expect(invalidCharsError.message).toContain('invalid characters');
+  });
 });
diff --git a/spec/graphqlUpload.spec.js b/spec/graphqlUpload.spec.js
@@ -0,0 +1,117 @@
+'use strict';
+
+const http = require('http');
+const { createGraphQLUploadMiddleware } = require('../lib/GraphQL/helpers/graphqlUpload');
+const { handleUpload } = require('../lib/GraphQL/loaders/filesMutations');
+
+const createMockReadStream = () => {
+  const stream = {
+    pipe(destination) {
+      setImmediate(() => {
+        if (stream.endHandler) {
+          stream.endHandler();
+        }
+      });
+      return destination;
+    },
+    on(event, handler) {
+      if (event === 'end') {
+        stream.endHandler = handler;
+      }
+    },
+    destroy() {},
+  };
+  return stream;
+};
+
+const createMockHttpResponse = (statusCode, body) => ({
+  statusCode,
+  on(event, handler) {
+    if (event === 'data') {
+      handler(body);
+    }
+    if (event === 'end') {
+      handler();
+    }
+  },
+});
+
+describe('graphqlUpload helper', () => {
+  it('skips middleware for non-multipart requests', async () => {
+    const middleware = createGraphQLUploadMiddleware({ maxFileSize: 1000 });
+    const req = { is: type => type !== 'multipart/form-data' };
+    const next = jasmine.createSpy('next');
+
+    await middleware(req, {}, next);
+
+    expect(next).toHaveBeenCalledWith();
+    expect(req.body).toBeUndefined();
+  });
+
+  it('forwards multipart parsing errors to Express', async () => {
+    const middleware = createGraphQLUploadMiddleware({ maxFileSize: 1000 });
+    const req = {
+      is: () => true,
+      headers: { 'content-type': 'multipart/form-data; boundary=----parse' },
+    };
+    const next = jasmine.createSpy('next');
+
+    await middleware(req, {}, next);
+
+    expect(next).toHaveBeenCalledWith(jasmine.any(Error));
+  });
+});
+
+describe('filesMutations handleUpload', () => {
+  const upload = {
+    createReadStream: createMockReadStream,
+    filename: 'café.txt',
+    mimetype: 'text/plain',
+  };
+  const config = {
+    serverURL: 'http://localhost:8378/1',
+    headers: {},
+  };
+
+  afterEach(() => {
+    if (jasmine.isSpy(http.request)) {
+      http.request.and.callThrough();
+    }
+  });
+
+  it('rejects non-2xx responses from the internal /files handoff', async () => {
+    spyOn(http, 'request').and.callFake((_options, callback) => {
+      const req = { on() {}, end() {} };
+      setImmediate(() => {
+        callback(createMockHttpResponse(400, JSON.stringify({ code: 130, error: 'bad upload' })));
+      });
+      return req;
+    });
+
+    await expectAsync(
+      handleUpload(Promise.resolve(upload), config)
+    ).toBeRejectedWith(jasmine.objectContaining({ code: 130 }));
+  });
+
+  it('rejects invalid JSON responses from the internal /files handoff', async () => {
+    spyOn(http, 'request').and.callFake((_options, callback) => {
+      const req = { on() {}, end() {} };
+      setImmediate(() => {
+        callback(createMockHttpResponse(200, 'not-json'));
+      });
+      return req;
+    });
+
+    await expectAsync(
+      handleUpload(Promise.resolve(upload), config)
+    ).toBeRejectedWith(jasmine.objectContaining({ code: Parse.Error.FILE_SAVE_ERROR }));
+  });
+
+  it('wraps request failures in FILE_SAVE_ERROR', async () => {
+    spyOn(http, 'request').and.throwError('connection failed');
+
+    await expectAsync(
+      handleUpload(Promise.resolve(upload), config)
+    ).toBeRejectedWith(jasmine.objectContaining({ code: Parse.Error.FILE_SAVE_ERROR }));
+  });
+});
