fix: Server internal error details leaking in error messages returned to clients (#9937)
@@ -20,8 +20,12 @@ const hasAllPODobject = () => {
|
||||
};
|
||||
|
||||
describe('SchemaController', () => {
|
||||
let loggerErrorSpy;
|
||||
|
||||
beforeEach(() => {
|
||||
config = Config.get('test');
|
||||
const logger = require('../lib/logger').default;
|
||||
loggerErrorSpy = spyOn(logger, 'error').and.callThrough();
|
||||
});
|
||||
|
||||
it('can validate one object', done => {
|
||||
@@ -275,6 +279,7 @@ describe('SchemaController', () => {
|
||||
})
|
||||
.then(results => {
|
||||
expect(results.length).toBe(1);
|
||||
loggerErrorSpy.calls.reset();
|
||||
const query = new Parse.Query('Stuff');
|
||||
return query.count();
|
||||
})
|
||||
@@ -283,7 +288,9 @@ describe('SchemaController', () => {
|
||||
fail('Class permissions should have rejected this query.');
|
||||
},
|
||||
err => {
|
||||
expect(err.message).toEqual('Permission denied for action count on class Stuff.');
|
||||
expect(err.message).toEqual('Permission denied');
|
||||
expect(err.code).toEqual(Parse.Error.OPERATION_FORBIDDEN);
|
||||
expect(loggerErrorSpy).toHaveBeenCalledWith('Sanitized error:', jasmine.stringContaining('Permission denied for action count on class Stuff'));
|
||||
done();
|
||||
}
|
||||
)
|
||||
@@ -1427,8 +1434,12 @@ describe('SchemaController', () => {
|
||||
});
|
||||
|
||||
describe('Class Level Permissions for requiredAuth', () => {
|
||||
let loggerErrorSpy;
|
||||
|
||||
beforeEach(() => {
|
||||
config = Config.get('test');
|
||||
const logger = require('../lib/logger').default;
|
||||
loggerErrorSpy = spyOn(logger, 'error').and.callThrough();
|
||||
});
|
||||
|
||||
function createUser() {
|
||||
@@ -1453,6 +1464,7 @@ describe('Class Level Permissions for requiredAuth', () => {
|
||||
});
|
||||
})
|
||||
.then(() => {
|
||||
loggerErrorSpy.calls.reset();
|
||||
const query = new Parse.Query('Stuff');
|
||||
return query.find();
|
||||
})
|
||||
@@ -1462,7 +1474,8 @@ describe('Class Level Permissions for requiredAuth', () => {
|
||||
done();
|
||||
},
|
||||
e => {
|
||||
expect(e.message).toEqual('Permission denied, user needs to be authenticated.');
|
||||
expect(e.message).toEqual('Permission denied');
|
||||
expect(loggerErrorSpy).toHaveBeenCalledWith('Sanitized error:', jasmine.stringContaining('Permission denied, user needs to be authenticated.'));
|
||||
done();
|
||||
}
|
||||
);
|
||||
@@ -1551,6 +1564,7 @@ describe('Class Level Permissions for requiredAuth', () => {
|
||||
});
|
||||
})
|
||||
.then(() => {
|
||||
loggerErrorSpy.calls.reset();
|
||||
const stuff = new Parse.Object('Stuff');
|
||||
stuff.set('foo', 'bar');
|
||||
return stuff.save();
|
||||
@@ -1561,7 +1575,8 @@ describe('Class Level Permissions for requiredAuth', () => {
|
||||
done();
|
||||
},
|
||||
e => {
|
||||
expect(e.message).toEqual('Permission denied, user needs to be authenticated.');
|
||||
expect(e.message).toEqual('Permission denied');
|
||||
expect(loggerErrorSpy).toHaveBeenCalledWith('Sanitized error:', jasmine.stringContaining('Permission denied, user needs to be authenticated.'));
|
||||
done();
|
||||
}
|
||||
);
|
||||
@@ -1639,6 +1654,7 @@ describe('Class Level Permissions for requiredAuth', () => {
|
||||
const stuff = new Parse.Object('Stuff');
|
||||
stuff.set('foo', 'bar');
|
||||
return stuff.save().then(() => {
|
||||
loggerErrorSpy.calls.reset();
|
||||
const query = new Parse.Query('Stuff');
|
||||
return query.get(stuff.id);
|
||||
});
|
||||
@@ -1649,7 +1665,8 @@ describe('Class Level Permissions for requiredAuth', () => {
|
||||
done();
|
||||
},
|
||||
e => {
|
||||
expect(e.message).toEqual('Permission denied, user needs to be authenticated.');
|
||||
expect(e.message).toEqual('Permission denied');
|
||||
expect(loggerErrorSpy).toHaveBeenCalledWith('Sanitized error:', jasmine.stringContaining('Permission denied, user needs to be authenticated.'));
|
||||
done();
|
||||
}
|
||||
);
|
||||
@@ -1685,6 +1702,7 @@ describe('Class Level Permissions for requiredAuth', () => {
|
||||
})
|
||||
.then(result => {
|
||||
expect(result.get('foo')).toEqual('bar');
|
||||
loggerErrorSpy.calls.reset();
|
||||
const query = new Parse.Query('Stuff');
|
||||
return query.find();
|
||||
})
|
||||
@@ -1694,7 +1712,8 @@ describe('Class Level Permissions for requiredAuth', () => {
|
||||
done();
|
||||
},
|
||||
e => {
|
||||
expect(e.message).toEqual('Permission denied, user needs to be authenticated.');
|
||||
expect(e.message).toEqual('Permission denied');
|
||||
expect(loggerErrorSpy).toHaveBeenCalledWith('Sanitized error:', jasmine.stringContaining('Permission denied, user needs to be authenticated.'));
|
||||
done();
|
||||
}
|
||||
);
|
||||
|
||||
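Review bot: The four `requiredAuth` rejection handlers (the `e => { … }` callbacks in the hunks at old lines 1462, 1561, 1649 and 1694) assert only `e.message`, while the count case in the hunk at old line 283 also pins `err.code` to `Parse.Error.OPERATION_FORBIDDEN`. Now that every cause collapses to the same client-visible text `'Permission denied'`, the error code is the only field that still lets a client tell the cases apart, so each of those handlers should also carry an `expect(e.code).toEqual(...)` line naming the code that path is meant to return. The tests additionally pin the detailed message at `logger.error` level; because these denials can be triggered by an unauthenticated request, it is worth confirming that error-level log volume and alerting tolerate that, or recording expected denials at a lower level. The enclosing `it(...)` bodies start outside each hunk, so the setup that leads to each rejection is not visible here.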