From 5c6a631fc62ba4a3986551525e86a2e9969e10cd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bar=C4=B1=C5=9F=20Soner=20U=C5=9Fakl=C4=B1?= Date: Sun, 17 Dec 2023 14:20:45 -0500 Subject: [PATCH] uploads.js --- test/uploads.js | 376 ++++++++++++++++++++---------------------------- 1 file changed, 154 insertions(+), 222 deletions(-) diff --git a/test/uploads.js b/test/uploads.js index 7a00000737..fadcc05baf 100644 --- a/test/uploads.js +++ b/test/uploads.js @@ -5,9 +5,6 @@ const assert = require('assert'); const nconf = require('nconf'); const path = require('path'); const fs = require('fs').promises; -const request = require('request'); -const requestAsync = require('request-promise-native'); -const util = require('util'); const db = require('./mocks/databasemock'); const categories = require('../src/categories'); @@ -21,6 +18,7 @@ const socketUser = require('../src/socket.io/user'); const helpers = require('./helpers'); const file = require('../src/file'); const image = require('../src/image'); +const request = require('../src/request'); const emptyUploadsFolder = async () => { const files = await fs.readdir(`${nconf.get('upload_path')}/files`); @@ -83,31 +81,25 @@ describe('Upload Controllers', () => { await privileges.global.give(['groups:upload:post:file'], 'registered-users'); }); - it('should fail if the user exceeds the upload rate limit threshold', (done) => { + it('should fail if the user exceeds the upload rate limit threshold', async () => { const oldValue = meta.config.allowedFileExtensions; meta.config.allowedFileExtensions = 'png,jpg,bmp,html'; require('../src/middleware/uploads').clearCache(); const times = meta.config.uploadRateLimitThreshold + 1; - async.timesSeries(times, (i, next) => { - helpers.uploadFile(`${nconf.get('url')}/api/post/upload`, path.join(__dirname, '../test/files/503.html'), {}, jar, csrf_token, (err, res, body) => { - if (i + 1 >= times) { - assert.strictEqual(res.statusCode, 500); - assert.strictEqual(body.error, '[[error:upload-ratelimit-reached]]'); - } else { - assert.ifError(err); - assert.strictEqual(res.statusCode, 200); - assert(body && body.status && body.response && body.response.images); - assert(Array.isArray(body.response.images)); - assert(body.response.images[0].url); - } - - next(err); - }); - }, (err) => { - meta.config.allowedFileExtensions = oldValue; - assert.ifError(err); - done(); - }); + for (let i = 0; i < times; i++) { + // eslint-disable-next-line no-await-in-loop + const { response, body } = await helpers.uploadFile(`${nconf.get('url')}/api/post/upload`, path.join(__dirname, '../test/files/503.html'), {}, jar, csrf_token); + if (i + 1 >= times) { + assert.strictEqual(response.statusCode, 500); + assert.strictEqual(body.error, '[[error:upload-ratelimit-reached]]'); + } else { + assert.strictEqual(response.statusCode, 200); + assert(body && body.status && body.response && body.response.images); + assert(Array.isArray(body.response.images)); + assert(body.response.images[0].url); + } + } + meta.config.allowedFileExtensions = oldValue; }); }); @@ -121,34 +113,26 @@ describe('Upload Controllers', () => { await privileges.global.give(['groups:upload:post:file'], 'registered-users'); }); - it('should upload an image to a post', (done) => { - helpers.uploadFile(`${nconf.get('url')}/api/post/upload`, path.join(__dirname, '../test/files/test.png'), {}, jar, csrf_token, (err, res, body) => { - assert.ifError(err); - assert.equal(res.statusCode, 200); - assert(body && body.status && body.response && body.response.images); - assert(Array.isArray(body.response.images)); - assert(body.response.images[0].url); - done(); - }); + it('should upload an image to a post', async () => { + const { response, body } = await helpers.uploadFile(`${nconf.get('url')}/api/post/upload`, path.join(__dirname, '../test/files/test.png'), {}, jar, csrf_token); + assert.equal(response.statusCode, 200); + assert(body && body.status && body.response && body.response.images); + assert(Array.isArray(body.response.images)); + assert(body.response.images[0].url); }); - it('should upload an image to a post and then delete the upload', (done) => { - helpers.uploadFile(`${nconf.get('url')}/api/post/upload`, path.join(__dirname, '../test/files/test.png'), {}, jar, csrf_token, (err, res, body) => { - assert.ifError(err); - assert.strictEqual(res.statusCode, 200); - assert(body && body.status && body.response && body.response.images); - assert(Array.isArray(body.response.images)); - assert(body.response.images[0].url); - const name = body.response.images[0].url.replace(`${nconf.get('relative_path') + nconf.get('upload_url')}/`, ''); - socketUser.deleteUpload({ uid: regularUid }, { uid: regularUid, name: name }, (err) => { - assert.ifError(err); - db.getSortedSetRange(`uid:${regularUid}:uploads`, 0, -1, (err, uploads) => { - assert.ifError(err); - assert.equal(uploads.includes(name), false); - done(); - }); - }); - }); + it('should upload an image to a post and then delete the upload', async () => { + const { response, body } = await helpers.uploadFile(`${nconf.get('url')}/api/post/upload`, path.join(__dirname, '../test/files/test.png'), {}, jar, csrf_token); + + assert.strictEqual(response.statusCode, 200); + assert(body && body.status && body.response && body.response.images); + assert(Array.isArray(body.response.images)); + assert(body.response.images[0].url); + const name = body.response.images[0].url.replace(`${nconf.get('relative_path') + nconf.get('upload_url')}/`, ''); + await socketUser.deleteUpload({ uid: regularUid }, { uid: regularUid, name: name }); + + const uploads = await db.getSortedSetRange(`uid:${regularUid}:uploads`, 0, -1); + assert.equal(uploads.includes(name), false); }); it('should not allow deleting if path is not correct', (done) => { @@ -165,55 +149,45 @@ describe('Upload Controllers', () => { }); }); - it('should resize and upload an image to a post', (done) => { + it('should resize and upload an image to a post', async () => { const oldValue = meta.config.resizeImageWidth; meta.config.resizeImageWidth = 10; meta.config.resizeImageWidthThreshold = 10; - helpers.uploadFile(`${nconf.get('url')}/api/post/upload`, path.join(__dirname, '../test/files/test.png'), {}, jar, csrf_token, (err, res, body) => { - assert.ifError(err); - assert.equal(res.statusCode, 200); - assert(body && body.status && body.response && body.response.images); - assert(Array.isArray(body.response.images)); - assert(body.response.images[0].url); - assert(body.response.images[0].url.match(/\/assets\/uploads\/files\/\d+-test-resized\.png/)); - meta.config.resizeImageWidth = oldValue; - meta.config.resizeImageWidthThreshold = 1520; - done(); - }); + const { response, body } = await helpers.uploadFile(`${nconf.get('url')}/api/post/upload`, path.join(__dirname, '../test/files/test.png'), {}, jar, csrf_token); + + assert.equal(response.statusCode, 200); + assert(body && body.status && body.response && body.response.images); + assert(Array.isArray(body.response.images)); + assert(body.response.images[0].url); + assert(body.response.images[0].url.match(/\/assets\/uploads\/files\/\d+-test-resized\.png/)); + meta.config.resizeImageWidth = oldValue; + meta.config.resizeImageWidthThreshold = 1520; }); - it('should upload a file to a post', (done) => { + it('should upload a file to a post', async () => { const oldValue = meta.config.allowedFileExtensions; meta.config.allowedFileExtensions = 'png,jpg,bmp,html'; - helpers.uploadFile(`${nconf.get('url')}/api/post/upload`, path.join(__dirname, '../test/files/503.html'), {}, jar, csrf_token, (err, res, body) => { - meta.config.allowedFileExtensions = oldValue; - assert.ifError(err); - assert.strictEqual(res.statusCode, 200); - assert(body && body.status && body.response && body.response.images); - assert(Array.isArray(body.response.images)); - assert(body.response.images[0].url); - done(); - }); + const { response, body } = await helpers.uploadFile(`${nconf.get('url')}/api/post/upload`, path.join(__dirname, '../test/files/503.html'), {}, jar, csrf_token); + meta.config.allowedFileExtensions = oldValue; + + assert.strictEqual(response.statusCode, 200); + assert(body && body.status && body.response && body.response.images); + assert(Array.isArray(body.response.images)); + assert(body.response.images[0].url); }); - it('should fail to upload image to post if image dimensions are too big', (done) => { - helpers.uploadFile(`${nconf.get('url')}/api/post/upload`, path.join(__dirname, '../test/files/toobig.png'), {}, jar, csrf_token, (err, res, body) => { - assert.ifError(err); - assert.strictEqual(res.statusCode, 500); - assert(body && body.status && body.status.message); - assert.strictEqual(body.status.message, 'Image dimensions are too big'); - done(); - }); + it('should fail to upload image to post if image dimensions are too big', async () => { + const { response, body } = await helpers.uploadFile(`${nconf.get('url')}/api/post/upload`, path.join(__dirname, '../test/files/toobig.png'), {}, jar, csrf_token); + assert.strictEqual(response.statusCode, 500); + assert(body && body.status && body.status.message); + assert.strictEqual(body.status.message, 'Image dimensions are too big'); }); - it('should fail to upload image to post if image is broken', (done) => { - helpers.uploadFile(`${nconf.get('url')}/api/post/upload`, path.join(__dirname, '../test/files/brokenimage.png'), {}, jar, csrf_token, (err, res, body) => { - assert.ifError(err); - assert.strictEqual(res.statusCode, 500); - assert(body && body.status && body.status.message); - assert.strictEqual(body.status.message, 'Input file contains unsupported image format'); - done(); - }); + it('should fail to upload image to post if image is broken', async () => { + const { response, body } = await helpers.uploadFile(`${nconf.get('url')}/api/post/upload`, path.join(__dirname, '../test/files/brokenimage.png'), {}, jar, csrf_token); + assert.strictEqual(response.statusCode, 500); + assert(body && body.status && body.status.message); + assert.strictEqual(body.status.message, 'Input file contains unsupported image format'); }); it('should fail if file is not an image', (done) => { @@ -286,39 +260,22 @@ describe('Upload Controllers', () => { }); }); - it('should delete users uploads if account is deleted', (done) => { - let uid; - let url; + it('should delete users uploads if account is deleted', async () => { + const uid = await user.create({ username: 'uploader', password: 'barbar' }); const file = require('../src/file'); + const data = await helpers.loginUser('uploader', 'barbar'); + const { body } = await helpers.uploadFile(`${nconf.get('url')}/api/post/upload`, path.join(__dirname, '../test/files/test.png'), {}, data.jar, data.csrf_token); - async.waterfall([ - function (next) { - user.create({ username: 'uploader', password: 'barbar' }, next); - }, - function (_uid, next) { - uid = _uid; - helpers.loginUser('uploader', 'barbar', next); - }, - function (data, next) { - helpers.uploadFile(`${nconf.get('url')}/api/post/upload`, path.join(__dirname, '../test/files/test.png'), {}, data.jar, data.csrf_token, next); - }, - function (res, body, next) { - assert(body && body.status && body.response && body.response.images); - assert(Array.isArray(body.response.images)); - assert(body.response.images[0].url); - url = body.response.images[0].url; + assert(body && body.status && body.response && body.response.images); + assert(Array.isArray(body.response.images)); + assert(body.response.images[0].url); + const { url } = body.response.images[0]; - user.delete(1, uid, next); - }, - function (userData, next) { - const filePath = path.join(nconf.get('upload_path'), url.replace('/assets/uploads', '')); - file.exists(filePath, next); - }, - function (exists, next) { - assert(!exists); - done(); - }, - ], done); + await user.delete(1, uid); + + const filePath = path.join(nconf.get('upload_path'), url.replace('/assets/uploads', '')); + const exists = await file.exists(filePath); + assert(!exists); }); after(emptyUploadsFolder); @@ -337,173 +294,148 @@ describe('Upload Controllers', () => { regular_csrf_token = regularLogin.csrf_token; }); - it('should upload site logo', (done) => { - helpers.uploadFile(`${nconf.get('url')}/api/admin/uploadlogo`, path.join(__dirname, '../test/files/test.png'), {}, jar, csrf_token, (err, res, body) => { - assert.ifError(err); - assert.strictEqual(res.statusCode, 200); - assert(Array.isArray(body)); - assert.equal(body[0].url, `${nconf.get('relative_path')}/assets/uploads/system/site-logo.png`); - done(); - }); + it('should upload site logo', async () => { + const { response, body } = await helpers.uploadFile(`${nconf.get('url')}/api/admin/uploadlogo`, path.join(__dirname, '../test/files/test.png'), {}, jar, csrf_token); + assert.strictEqual(response.statusCode, 200); + assert(Array.isArray(body)); + assert.equal(body[0].url, `${nconf.get('relative_path')}/assets/uploads/system/site-logo.png`); }); - it('should fail to upload invalid file type', (done) => { - helpers.uploadFile(`${nconf.get('url')}/api/admin/category/uploadpicture`, path.join(__dirname, '../test/files/503.html'), { params: JSON.stringify({ cid: cid }) }, jar, csrf_token, (err, res, body) => { - assert.ifError(err); - assert.strictEqual(res.statusCode, 500); - assert.equal(body.error, '[[error:invalid-image-type, image/png&#44; image/jpeg&#44; image/pjpeg&#44; image/jpg&#44; image/gif&#44; image/svg+xml]]'); - done(); - }); + it('should fail to upload invalid file type', async () => { + const { response, body } = await helpers.uploadFile(`${nconf.get('url')}/api/admin/category/uploadpicture`, path.join(__dirname, '../test/files/503.html'), { params: JSON.stringify({ cid: cid }) }, jar, csrf_token); + assert.strictEqual(response.statusCode, 500); + assert.equal(body.error, '[[error:invalid-image-type, image/png&#44; image/jpeg&#44; image/pjpeg&#44; image/jpg&#44; image/gif&#44; image/svg+xml]]'); }); - it('should fail to upload category image with invalid json params', (done) => { - helpers.uploadFile(`${nconf.get('url')}/api/admin/category/uploadpicture`, path.join(__dirname, '../test/files/test.png'), { params: 'invalid json' }, jar, csrf_token, (err, res, body) => { - assert.ifError(err); - assert.strictEqual(res.statusCode, 500); - assert.equal(body.error, '[[error:invalid-json]]'); - done(); - }); + it('should fail to upload category image with invalid json params', async () => { + const { response, body } = await helpers.uploadFile(`${nconf.get('url')}/api/admin/category/uploadpicture`, path.join(__dirname, '../test/files/test.png'), { params: 'invalid json' }, jar, csrf_token); + assert.strictEqual(response.statusCode, 500); + assert.equal(body.error, '[[error:invalid-json]]'); }); - it('should upload category image', (done) => { - helpers.uploadFile(`${nconf.get('url')}/api/admin/category/uploadpicture`, path.join(__dirname, '../test/files/test.png'), { params: JSON.stringify({ cid: cid }) }, jar, csrf_token, (err, res, body) => { - assert.ifError(err); - assert.equal(res.statusCode, 200); - assert(Array.isArray(body)); - assert.equal(body[0].url, `${nconf.get('relative_path')}/assets/uploads/category/category-1.png`); - done(); - }); + it('should upload category image', async () => { + const { response, body } = await helpers.uploadFile(`${nconf.get('url')}/api/admin/category/uploadpicture`, path.join(__dirname, '../test/files/test.png'), { params: JSON.stringify({ cid: cid }) }, jar, csrf_token); + assert.equal(response.statusCode, 200); + assert(Array.isArray(body)); + assert.equal(body[0].url, `${nconf.get('relative_path')}/assets/uploads/category/category-1.png`); }); - it('should upload default avatar', (done) => { - helpers.uploadFile(`${nconf.get('url')}/api/admin/uploadDefaultAvatar`, path.join(__dirname, '../test/files/test.png'), { }, jar, csrf_token, (err, res, body) => { - assert.ifError(err); - assert.equal(res.statusCode, 200); - assert.equal(body[0].url, `${nconf.get('relative_path')}/assets/uploads/system/avatar-default.png`); - done(); - }); + it('should upload default avatar', async () => { + const { response, body } = await helpers.uploadFile(`${nconf.get('url')}/api/admin/uploadDefaultAvatar`, path.join(__dirname, '../test/files/test.png'), { }, jar, csrf_token); + assert.equal(response.statusCode, 200); + assert.equal(body[0].url, `${nconf.get('relative_path')}/assets/uploads/system/avatar-default.png`); }); - it('should upload og image', (done) => { - helpers.uploadFile(`${nconf.get('url')}/api/admin/uploadOgImage`, path.join(__dirname, '../test/files/test.png'), { }, jar, csrf_token, (err, res, body) => { - assert.ifError(err); - assert.equal(res.statusCode, 200); - assert.equal(body[0].url, `${nconf.get('relative_path')}/assets/uploads/system/og-image.png`); - done(); - }); + it('should upload og image', async () => { + const { response, body } = await helpers.uploadFile(`${nconf.get('url')}/api/admin/uploadOgImage`, path.join(__dirname, '../test/files/test.png'), { }, jar, csrf_token); + assert.equal(response.statusCode, 200); + assert.equal(body[0].url, `${nconf.get('relative_path')}/assets/uploads/system/og-image.png`); }); - it('should upload favicon', (done) => { - helpers.uploadFile(`${nconf.get('url')}/api/admin/uploadfavicon`, path.join(__dirname, '../test/files/favicon.ico'), {}, jar, csrf_token, (err, res, body) => { - assert.ifError(err); - assert.equal(res.statusCode, 200); - assert(Array.isArray(body)); - assert.equal(body[0].url, '/assets/uploads/system/favicon.ico'); - done(); - }); + it('should upload favicon', async () => { + const { response, body } = await helpers.uploadFile(`${nconf.get('url')}/api/admin/uploadfavicon`, path.join(__dirname, '../test/files/favicon.ico'), {}, jar, csrf_token); + assert.equal(response.statusCode, 200); + assert(Array.isArray(body)); + assert.equal(body[0].url, '/assets/uploads/system/favicon.ico'); }); - it('should upload touch icon', (done) => { + it('should upload touch icon', async () => { const touchiconAssetPath = '/assets/uploads/system/touchicon-orig.png'; - helpers.uploadFile(`${nconf.get('url')}/api/admin/uploadTouchIcon`, path.join(__dirname, '../test/files/test.png'), {}, jar, csrf_token, (err, res, body) => { - assert.ifError(err); - assert.equal(res.statusCode, 200); - assert(Array.isArray(body)); - assert.equal(body[0].url, touchiconAssetPath); - meta.config['brand:touchIcon'] = touchiconAssetPath; - request(`${nconf.get('url')}/apple-touch-icon`, (err, res, body) => { - assert.ifError(err); - assert.equal(res.statusCode, 200); - assert(body); - done(); - }); - }); + const { response, body } = await helpers.uploadFile( + `${nconf.get('url')}/api/admin/uploadTouchIcon`, + path.join(__dirname, '../test/files/test.png'), + {}, + jar, + csrf_token + ); + + assert.equal(response.statusCode, 200); + assert(Array.isArray(body)); + assert.equal(body[0].url, touchiconAssetPath); + meta.config['brand:touchIcon'] = touchiconAssetPath; + const { response: res1, body: body1 } = await request.get(`${nconf.get('url')}/apple-touch-icon`); + assert.equal(res1.statusCode, 200); + assert(body1); }); - it('should upload regular file', (done) => { - helpers.uploadFile(`${nconf.get('url')}/api/admin/upload/file`, path.join(__dirname, '../test/files/test.png'), { + it('should upload regular file', async () => { + const { response, body } = await helpers.uploadFile(`${nconf.get('url')}/api/admin/upload/file`, path.join(__dirname, '../test/files/test.png'), { params: JSON.stringify({ folder: 'system', }), - }, jar, csrf_token, (err, res, body) => { - assert.ifError(err); - assert.equal(res.statusCode, 200); - assert(Array.isArray(body)); - assert.equal(body[0].url, '/assets/uploads/system/test.png'); - assert(file.existsSync(path.join(nconf.get('upload_path'), 'system', 'test.png'))); - done(); - }); + }, jar, csrf_token); + + assert.equal(response.statusCode, 200); + assert(Array.isArray(body)); + assert.equal(body[0].url, '/assets/uploads/system/test.png'); + assert(file.existsSync(path.join(nconf.get('upload_path'), 'system', 'test.png'))); }); - it('should fail to upload regular file in wrong directory', (done) => { - helpers.uploadFile(`${nconf.get('url')}/api/admin/upload/file`, path.join(__dirname, '../test/files/test.png'), { + it('should fail to upload regular file in wrong directory', async () => { + const { response, body } = await helpers.uploadFile(`${nconf.get('url')}/api/admin/upload/file`, path.join(__dirname, '../test/files/test.png'), { params: JSON.stringify({ folder: '../../system', }), - }, jar, csrf_token, (err, res, body) => { - assert.ifError(err); - assert.equal(res.statusCode, 500); - assert.strictEqual(body.error, '[[error:invalid-path]]'); - done(); - }); + }, jar, csrf_token); + + assert.equal(response.statusCode, 500); + assert.strictEqual(body.error, '[[error:invalid-path]]'); }); describe('ACP uploads screen', () => { it('should create a folder', async () => { - const res = await helpers.createFolder('', 'myfolder', jar, csrf_token); - assert.strictEqual(res.statusCode, 200); + const { response } = await helpers.createFolder('', 'myfolder', jar, csrf_token); + assert.strictEqual(response.statusCode, 200); assert(file.existsSync(path.join(nconf.get('upload_path'), 'myfolder'))); }); it('should fail to create a folder if it already exists', async () => { - const res = await helpers.createFolder('', 'myfolder', jar, csrf_token); - assert.strictEqual(res.statusCode, 403); - assert.deepStrictEqual(res.body.status, { + const { response, body } = await helpers.createFolder('', 'myfolder', jar, csrf_token); + assert.strictEqual(response.statusCode, 403); + assert.deepStrictEqual(body.status, { code: 'forbidden', message: 'Folder exists', }); }); it('should fail to create a folder as a non-admin', async () => { - const res = await helpers.createFolder('', 'hisfolder', regularJar, regular_csrf_token); - assert.strictEqual(res.statusCode, 403); - assert.deepStrictEqual(res.body.status, { + const { response, body } = await helpers.createFolder('', 'hisfolder', regularJar, regular_csrf_token); + assert.strictEqual(response.statusCode, 403); + assert.deepStrictEqual(body.status, { code: 'forbidden', message: 'You are not authorised to make this call', }); }); it('should fail to create a folder in wrong directory', async () => { - const res = await helpers.createFolder('../traversing', 'unexpectedfolder', jar, csrf_token); - assert.strictEqual(res.statusCode, 403); - assert.deepStrictEqual(res.body.status, { + const { response, body } = await helpers.createFolder('../traversing', 'unexpectedfolder', jar, csrf_token); + assert.strictEqual(response.statusCode, 403); + assert.deepStrictEqual(body.status, { code: 'forbidden', message: 'Invalid path', }); }); it('should use basename of given folderName to create new folder', async () => { - const res = await helpers.createFolder('/myfolder', '../another folder', jar, csrf_token); - assert.strictEqual(res.statusCode, 200); + const { response } = await helpers.createFolder('/myfolder', '../another folder', jar, csrf_token); + assert.strictEqual(response.statusCode, 200); const slugifiedName = 'another-folder'; assert(file.existsSync(path.join(nconf.get('upload_path'), 'myfolder', slugifiedName))); }); it('should fail to delete a file as a non-admin', async () => { - const res = await requestAsync.delete(`${nconf.get('url')}/api/v3/files`, { - body: { + const { response, body } = await request.delete(`${nconf.get('url')}/api/v3/files`, { + data: { path: '/system/test.png', }, jar: regularJar, - json: true, headers: { 'x-csrf-token': regular_csrf_token, }, - simple: false, - resolveWithFullResponse: true, + validateStatus: null, }); - assert.strictEqual(res.statusCode, 403); - assert.deepStrictEqual(res.body.status, { + assert.strictEqual(response.statusCode, 403); + assert.deepStrictEqual(body.status, { code: 'forbidden', message: 'You are not authorised to make this call', });