Fixed error when trimming response to protect against JSON vulnerabil…

…ity error (pr by @magarcia https://github.com/magarcia)Use encodeURI to process query strings with spaces and other such characters in default http adapter. (pr by https://github.com/tiwariarvin)
jonsamwell · Aug 26, 2015 · 43d0317 · 43d0317
1 parent f63ba76
commit 43d0317
Show file tree

Hide file tree

Showing 5 changed files with 69 additions and 13 deletions.
diff --git a/dist/ChangeLog.txt b/dist/ChangeLog.txt
@@ -1,6 +1,6 @@
 27/08/2015 V1.11.3
 Fixed error when trimming response to protect against JSON vulnerability error (pr  by @magarcia https://github.com/magarcia)
-Use encodeURI to process query strings with spaces and other such characters. (pr by https://github.com/tiwariarvin)
+Use encodeURI to process query strings with spaces and other such characters in default http adapter. (pr by https://github.com/tiwariarvin)
 
 21/08/2015 V1.11.2
 Fixed dist file build error.

diff --git a/dist/angular-http-batch.js b/dist/angular-http-batch.js
@@ -248,7 +248,7 @@ function HttpBatchAdapter($document, $window, httpBatchConfig) {
 
       batchBody.push('Content-Type: application/http; msgtype=request', constants.emptyString);
 
-      batchBody.push(request.method + ' ' + urlInfo.relativeUrl + ' ' + constants.httpVersion);
+      batchBody.push(request.method + ' ' + encodeURI(urlInfo.relativeUrl) + ' ' + constants.httpVersion);
       batchBody.push('Host: ' + urlInfo.host);
 
       for (header in request.headers) {

diff --git a/dist/angular-http-batch.min.js b/dist/angular-http-batch.min.js
diff --git a/tests/services/adapters/httpAdapter.spec.js b/tests/services/adapters/httpAdapter.spec.js
@@ -119,6 +119,32 @@
           expect(result.data).to.equal('--boundary123\r\nContent-disposition: form-data\r\nContent-Type: application/http; msgtype=request\r\n\r\n' +
             'GET api/some-method?params=123 HTTP/1.1\r\nHost: localhost:9876\r\n\r\n\r\n--boundary123--');
         });
+
+        it('should build the correct request that includes uri ecoding the urls', function () {
+          var rawRequest = {
+              url: 'api/some method?params=123',
+              method: 'GET'
+            },
+            config = {
+              batchEndpointUrl: 'batchEndpointUrl',
+              batchRequestHeaders: {
+                'Content-disposition': 'form-data'
+              },
+              batchPartRequestHeaders: {
+                'Content-disposition': 'form-data'
+              }
+            };
+
+          var result = httpAdapter.buildRequest([rawRequest], config);
+
+          expect(result.method).to.equal('POST');
+          expect(result.url).to.equal(config.batchEndpointUrl);
+          expect(result.cache).to.equal(false);
+          expect(result.headers['Content-Type']).to.equal('multipart/mixed; boundary=boundary123');
+          expect(result.headers['Content-disposition']).to.equal('form-data');
+          expect(result.data).to.equal('--boundary123\r\nContent-disposition: form-data\r\nContent-Type: application/http; msgtype=request\r\n\r\n' +
+            'GET api/some%20method?params=123 HTTP/1.1\r\nHost: localhost:9876\r\n\r\n\r\n--boundary123--');
+        });
       });
 
       describe('parseResponse', function () {

diff --git a/tests/services/httpBatcher.spec.js b/tests/services/httpBatcher.spec.js
@@ -719,34 +719,64 @@
             }
           });
 
+
           $timeout.flush();
           $httpBackend.flush();
         });
 
         it('should return original data for non strings when trim Angular "JSON Vulnerability Protection" prefix', function (done) {
-           var data = [
-            {
+          var responseData = [{
               "headers": {
                 "Content-Type": "text/html; charset=utf-8"
               },
               "status_code": 200,
               "body": "Success!",
               "reason_phrase": "OK"
-            },
-            {
+            }, {
               "headers": {
                 "Content-Type": "text/html; charset=utf-8"
               },
               "status_code": 201,
               "body": "{\"text\": \"some text\"}",
               "reason_phrase": "CREATED"
-            }
-          ];
-          var returned = trimJsonProtectionVulnerability(data);
-          expect(returned).to.equal(data);
-          done();
-        });
+            }],
+            batchEndpointUrl = 'http://www.someservice.com/batch',
+            batchConfig = {
+              batchEndpointUrl: batchEndpointUrl,
+              batchRequestCollectionDelay: 200,
+              minimumBatchSize: 1,
+              adapter: {
+                buildRequest: function () {
+                  return {
+                    method: 'POST',
+                    url: batchEndpointUrl,
+                    cache: false,
+                    headers: {},
+                    data: ''
+                  };
+                },
+                parseResponse: function (requests, rawResponse) {
+                  expect(rawResponse.data).to.deep.equal(responseData);
+                  done();
+                  return [];
+                }
+              }
+            };
+
+          $httpBackend.expectPOST(batchConfig.batchEndpointUrl).respond(200, responseData, {}, 'OK');
+
+          sandbox.stub(httpBatchConfig, 'calculateBoundary').returns('31fcc127-a593-4e1d-86f3-57e45375848f');
+          sandbox.stub(httpBatchConfig, 'getBatchConfig').returns(batchConfig);
 
+          httpBatcher.batchRequest({
+            url: 'http://www.gogle.com/resource',
+            method: 'GET',
+            callback: angular.noop
+          });
+
+          $timeout.flush();
+          $httpBackend.flush();
+        });
 
         describe('error handling', function () {
           it('should handle a 500 response', function (done) {