test: check transport param

socketio · May 1, 2023 · 7f06d24 · 7f06d24
1 parent 911d0e3
commit 7f06d24
Show file tree

Hide file tree

Showing 3 changed files with 48 additions and 2 deletions.
diff --git a/lib/server.ts b/lib/server.ts
@@ -676,7 +676,7 @@ export class Server extends BaseServer {
 
     this._applyMiddlewares(req, res as unknown as ServerResponse, () => {
       this.verify(req, true, (errorCode, errorContext) => {
-        if (errorCode) {
+        if (errorCode !== undefined) {
           this.emit("connection_error", {
             req,
             code: errorCode,

diff --git a/lib/userver.ts b/lib/userver.ts
@@ -156,7 +156,7 @@ export class uServer extends BaseServer {
 
     this._applyMiddlewares(req, res, () => {
       this.verify(req, true, async (errorCode, errorContext) => {
-        if (errorCode) {
+        if (errorCode !== undefined) {
           this.emit("connection_error", {
             req,
             code: errorCode,

diff --git a/test/server.js b/test/server.js
@@ -11,6 +11,7 @@ const { ClientSocket, listen, createPartialDone } = require("./common");
 const expect = require("expect.js");
 const request = require("superagent");
 const cookieMod = require("cookie");
+const { WebSocket } = require("ws");
 
 /**
  * Tests.
@@ -197,6 +198,51 @@ describe("server", () => {
           });
       });
     });
+
+    it("should disallow `__proto__` as transport (polling)", (done) => {
+      const partialDone = createPartialDone(done, 2);
+
+      engine = listen((port) => {
+        engine.on("connection_error", (err) => {
+          expect(err.req).to.be.ok();
+          expect(err.code).to.be(0);
+          expect(err.message).to.be("Transport unknown");
+          expect(err.context.transport).to.be("__proto__");
+          partialDone();
+        });
+
+        request
+          .get(`http://localhost:${port}/engine.io/`)
+          .query({ transport: "__proto__", EIO: 4 })
+          .end((err, res) => {
+            expect(err).to.be.an(Error);
+            expect(res.status).to.be(400);
+            expect(res.body.code).to.be(0);
+            expect(res.body.message).to.be("Transport unknown");
+            partialDone();
+          });
+      });
+    });
+
+    it("should disallow `__proto__` as transport (websocket)", (done) => {
+      const partialDone = createPartialDone(done, 2);
+
+      engine = listen((port) => {
+        engine.on("connection_error", (err) => {
+          expect(err.req).to.be.ok();
+          expect(err.code).to.be(0);
+          expect(err.message).to.be("Transport unknown");
+          expect(err.context.transport).to.be("__proto__");
+          partialDone();
+        });
+
+        const socket = new WebSocket(
+          `ws://localhost:${port}/engine.io/?EIO=4&transport=__proto__`
+        );
+
+        socket.onerror = partialDone;
+      });
+    });
   });
 
   describe("handshake", () => {