'use strict'

var express = require('..');
var request = require('supertest');
var utils = require('./support/utils');

/**
 * Build an app whose only middleware issues a redirect.
 *
 * When `status` is omitted the middleware calls `res.redirect(location)`
 * with a single argument, so the default status is exercised; otherwise it
 * calls `res.redirect(status, location)`.
 *
 * @param {string} location - raw value handed to res.redirect
 * @param {number} [status] - explicit redirect status, if any
 * @returns {import('..').Application} constructed express app
 */
function redirectingApp(location, status) {
  var app = express();

  app.use(function (req, res) {
    if (status === undefined) {
      res.redirect(location);
    } else {
      res.redirect(status, location);
    }
  });

  return app;
}

/**
 * HTML body express emits for a redirect when the client accepts html.
 *
 * @param {string} reason - status text, e.g. "Found"
 * @param {string} location - location as it appears in the body (already encoded/escaped)
 * @returns {string}
 */
function htmlBody(reason, location) {
  return '<!DOCTYPE html><head><title>' + reason + '</title></head><body><p>'
    + reason + '. Redirecting to ' + location + '</p></body>';
}

/**
 * Plain-text body express emits for a redirect when the client accepts text.
 *
 * @param {string} reason - status text, e.g. "Found"
 * @param {string} location - location as it appears in the body (already encoded)
 * @returns {string}
 */
function textBody(reason, location) {
  return reason + '. Redirecting to ' + location;
}

describe('res', function () {
  describe('.redirect(url)', function () {
    it('should default to a 302 redirect', function (done) {
      request(redirectingApp('http://google.com'))
        .get('/')
        .expect('location', 'http://google.com')
        .expect(302, done);
    });

    it('should encode "url"', function (done) {
      // Snowman and section sign must come back percent-encoded as UTF-8.
      request(redirectingApp('https://google.com?q=\u2603 §10'))
        .get('/')
        .expect('Location', 'https://google.com?q=%E2%98%83%20%C2%A710')
        .expect(302, done);
    });

    it('should not touch already-encoded sequences in "url"', function (done) {
      // A pre-existing %XX escape is passed through, not double-encoded.
      request(redirectingApp('https://google.com?q=%A710'))
        .get('/')
        .expect('Location', 'https://google.com?q=%A710')
        .expect(302, done);
    });
  });

  describe('.redirect(status, url)', function () {
    it('should set the response status', function (done) {
      request(redirectingApp('http://google.com', 303))
        .get('/')
        .expect('Location', 'http://google.com')
        .expect(303, done);
    });
  });

  describe('when the request method is HEAD', function () {
    it('should ignore the body', function (done) {
      request(redirectingApp('http://google.com'))
        .head('/')
        .expect(302)
        .expect('Location', 'http://google.com')
        .expect(utils.shouldNotHaveBody())
        .end(done);
    });
  });

  describe('when accepting html', function () {
    it('should respond with html', function (done) {
      request(redirectingApp('http://google.com'))
        .get('/')
        .set('Accept', 'text/html')
        .expect('Content-Type', /html/)
        .expect('Location', 'http://google.com')
        .expect(302, htmlBody('Found', 'http://google.com'), done);
    });

    it('should escape the url', function (done) {
      // Angle brackets are percent-encoded in Location and the quote is
      // additionally HTML-escaped in the body.
      request(redirectingApp('<la\'me>'))
        .get('/')
        .set('Host', 'http://example.com')
        .set('Accept', 'text/html')
        .expect('Content-Type', /html/)
        .expect('Location', '%3Cla\'me%3E')
        .expect(302, htmlBody('Found', '%3Cla&#39;me%3E'), done);
    });

    it('should not render evil javascript links in anchor href (prevent XSS)', function (done) {
      // Test fixture only: the string is never executed, it is the value
      // that must be rendered inert in the response.
      var xss = 'javascript:eval(document.body.innerHTML=`<p>XSS</p>`);';
      var encodedXss = 'javascript:eval(document.body.innerHTML=%60%3Cp%3EXSS%3C/p%3E%60);';

      request(redirectingApp(xss))
        .get('/')
        .set('Host', 'http://example.com')
        .set('Accept', 'text/html')
        .expect('Content-Type', /html/)
        .expect('Location', encodedXss)
        .expect(302, htmlBody('Found', encodedXss), done);
    });

    it('should include the redirect type', function (done) {
      request(redirectingApp('http://google.com', 301))
        .get('/')
        .set('Accept', 'text/html')
        .expect('Content-Type', /html/)
        .expect('Location', 'http://google.com')
        .expect(301, htmlBody('Moved Permanently', 'http://google.com'), done);
    });
  });

  describe('when accepting text', function () {
    it('should respond with text', function (done) {
      request(redirectingApp('http://google.com'))
        .get('/')
        .set('Accept', 'text/plain, */*')
        .expect('Content-Type', /plain/)
        .expect('Location', 'http://google.com')
        .expect(302, textBody('Found', 'http://google.com'), done);
    });

    it('should encode the url', function (done) {
      var encoded = 'http://example.com/?param=%3Cscript%3Ealert(%22hax%22);%3C/script%3E';

      request(redirectingApp('http://example.com/?param=<script>alert("hax");</script>'))
        .get('/')
        .set('Host', 'http://example.com')
        .set('Accept', 'text/plain, */*')
        .expect('Content-Type', /plain/)
        .expect('Location', encoded)
        .expect(302, textBody('Found', encoded), done);
    });

    it('should include the redirect type', function (done) {
      request(redirectingApp('http://google.com', 301))
        .get('/')
        .set('Accept', 'text/plain, */*')
        .expect('Content-Type', /plain/)
        .expect('Location', 'http://google.com')
        .expect(301, textBody('Moved Permanently', 'http://google.com'), done);
    });
  });

  describe('when accepting neither text or html', function () {
    it('should respond with an empty body', function (done) {
      request(redirectingApp('http://google.com'))
        .get('/')
        .set('Accept', 'application/octet-stream')
        .expect(302)
        .expect('location', 'http://google.com')
        .expect('content-length', '0')
        .expect(utils.shouldNotHaveHeader('Content-Type'))
        .expect(utils.shouldNotHaveBody())
        .end(done);
    });
  });
});

Code quality findings 18

Use let or const to avoid scope issues and hoisting
info correctness var-declaration
var express = require('..');
Use let or const to avoid scope issues and hoisting
info correctness var-declaration
var request = require('supertest');
Use let or const to avoid scope issues and hoisting
info correctness var-declaration
var utils = require('./support/utils');
Use let or const to avoid scope issues and hoisting
info correctness var-declaration
var app = express();
Use let or const to avoid scope issues and hoisting
info correctness var-declaration
var app = express()
Use let or const to avoid scope issues and hoisting
info correctness var-declaration
var app = express()
Use let or const to avoid scope issues and hoisting
info correctness var-declaration
var app = express();
Use let or const to avoid scope issues and hoisting
info correctness var-declaration
var app = express();
Use let or const to avoid scope issues and hoisting
info correctness var-declaration
var app = express();
Use let or const to avoid scope issues and hoisting
info correctness var-declaration
var app = express();
Use let or const to avoid scope issues and hoisting
info correctness var-declaration
var app = express();
Use let or const to avoid scope issues and hoisting
info correctness var-declaration
var xss = 'javascript:eval(document.body.innerHTML=`<p>XSS</p>`);';
Use let or const to avoid scope issues and hoisting
info correctness var-declaration
var encodedXss = 'javascript:eval(document.body.innerHTML=%60%3Cp%3EXSS%3C/p%3E%60);';
Use let or const to avoid scope issues and hoisting
info correctness var-declaration
var app = express();
Use let or const to avoid scope issues and hoisting
info correctness var-declaration
var app = express();
Use let or const to avoid scope issues and hoisting
info correctness var-declaration
var app = express();
Use let or const to avoid scope issues and hoisting
info correctness var-declaration
var app = express();
Use let or const to avoid scope issues and hoisting
info correctness var-declaration
var app = express();

Security findings 2

Avoid eval due to security risks; use safer alternatives like JSON.parse or function constructors
security eval-usage
var xss = 'javascript:eval(document.body.innerHTML=`<p>XSS</p>`);';
Avoid eval due to security risks; use safer alternatives like JSON.parse or function constructors
security eval-usage
var encodedXss = 'javascript:eval(document.body.innerHTML=%60%3Cp%3EXSS%3C/p%3E%60);';
