import { handleJsonParseError } from './json';
import type { Request, Response, NextFunction } from 'express';

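/**
 * Shape of the error body-parser hands to error middleware on a JSON parse failure:
 * a SyntaxError carrying the HTTP status it proposes and the raw, untrusted request body.
 */
type ParseError = SyntaxError & { status?: number; body?: unknown };

/**
 * Builds a body-parser-style parse error.
 *
 * @param message - the SyntaxError message (may itself echo untrusted input)
 * @param status - status code attached to the error
 * @param body - raw request body; when omitted the `body` property is left absent,
 *   which the "without body property" case relies on
 */
function makeParseError(message: string, status: number, body?: unknown): ParseError {
  const err = new SyntaxError(message) as ParseError;
  err.status = status;
  if (body !== undefined) {
    err.body = body;
  }
  return err;
}

/** The only payload the middleware should ever send for a malformed JSON body. */
const GENERIC_JSON_ERROR = {
  error: 'Invalid JSON format',
  message: 'The request body contains malformed JSON',
} as const;

describe('handleJsonParseError', () => {
  let req: Partial<Request>;
  let res: Partial<Response>;
  let next: jest.Mock;
  let jsonSpy: jest.Mock;
  let statusSpy: jest.Mock;

  beforeEach(() => {
    req = { path: '/api/test', method: 'POST', ip: '127.0.0.1' };

    jsonSpy = jest.fn();
    // `res.status(...)` must return something exposing `.json` so the chained call works.
    statusSpy = jest.fn().mockReturnValue({ json: jsonSpy });
    res = { status: statusSpy, json: jsonSpy };

    // Fresh mock per test, so no manual mockClear() is needed inside a test body.
    next = jest.fn();
  });

  /** The payload passed to the first `res.json(...)` call. */
  const sentPayload = (): Record<string, unknown> => jsonSpy.mock.calls[0][0];

  /**
   * Asserts the full response payload is the fixed generic object and that no field
   * echoes `needle`. Checking every field (not only `message`) is what actually
   * proves the untrusted body is never reflected back to the client.
   */
  const expectGenericResponseWithout = (needle: string): void => {
    const payload = sentPayload();
    expect(payload).toEqual(GENERIC_JSON_ERROR);
    Object.values(payload).forEach((value) => expect(value).not.toContain(needle));
  };

  describe('JSON parse errors', () => {
    it('should handle JSON SyntaxError with 400 status', () => {
      const err = makeParseError('Unexpected token < in JSON at position 0', 400, {});

      handleJsonParseError(err, req as Request, res as Response, next);

      expect(statusSpy).toHaveBeenCalledWith(400);
      expect(jsonSpy).toHaveBeenCalledTimes(1);
      expect(jsonSpy).toHaveBeenCalledWith(GENERIC_JSON_ERROR);
      expect(next).not.toHaveBeenCalled();
    });

    it('should not reflect user input anywhere in the response', () => {
      const maliciousInput = '<script>alert("xss")</script>';
      const err = makeParseError(
        `Unexpected token < in JSON at position 0: ${maliciousInput}`,
        400,
        maliciousInput,
      );

      handleJsonParseError(err, req as Request, res as Response, next);

      expect(statusSpy).toHaveBeenCalledWith(400);
      expectGenericResponseWithout(maliciousInput);
      expect(next).not.toHaveBeenCalled();
    });

    it('should handle JSON parse error with HTML tags in body', () => {
      const htmlBody = '<html><body><h1>XSS</h1></body></html>';
      const err = makeParseError('Invalid JSON', 400, htmlBody);

      handleJsonParseError(err, req as Request, res as Response, next);

      expect(statusSpy).toHaveBeenCalledWith(400);
      expectGenericResponseWithout(htmlBody);
      expectGenericResponseWithout('<html>');
      expectGenericResponseWithout('<script>');
      expect(next).not.toHaveBeenCalled();
    });
  });

  describe('non-JSON errors', () => {
    /** Shared shape for the pass-through cases: error forwarded, nothing sent. */
    const expectPassedThrough = (err: Error): void => {
      expect(next).toHaveBeenCalledTimes(1);
      expect(next).toHaveBeenCalledWith(err);
      expect(statusSpy).not.toHaveBeenCalled();
      expect(jsonSpy).not.toHaveBeenCalled();
    };

    it('should pass through non-SyntaxError errors', () => {
      const err = new Error('Some other error');

      handleJsonParseError(err, req as Request, res as Response, next);

      expectPassedThrough(err);
    });

    it('should pass through SyntaxError without status 400', () => {
      const err = makeParseError('Some syntax error', 500);

      handleJsonParseError(err, req as Request, res as Response, next);

      expectPassedThrough(err);
    });

    it('should pass through SyntaxError without body property', () => {
      // status 400 but no `body` property at all: not a body-parser failure.
      const err = makeParseError('Some syntax error', 400);

      handleJsonParseError(err, req as Request, res as Response, next);

      expectPassedThrough(err);
    });

    it('should pass through TypeError', () => {
      const err = new TypeError('Type error');

      handleJsonParseError(err, req as Request, res as Response, next);

      expectPassedThrough(err);
    });
  });

  describe('security verification', () => {
    // One case per row, so a reflected payload reports which input caused it.
    it.each([
      'Unexpected token < in JSON',
      'Unexpected end of JSON input',
      'Invalid or unexpected token',
      '<script>alert(1)</script>',
      '"><img src=x onerror=alert(1)>',
    ])('should return the generic response for parse error %s', (errorMsg) => {
      const err = makeParseError(errorMsg, 400, errorMsg);

      handleJsonParseError(err, req as Request, res as Response, next);

      expect(statusSpy).toHaveBeenCalledWith(400);
      expectGenericResponseWithout(errorMsg);
      expect(next).not.toHaveBeenCalled();
    });
  });
});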