Commit 73045b038 (https://github.com/jaredhanson/passport-local/commit/73045b0383ba17289c4c86a94381877a1227973d):

Add test for invalid credentials types.

It should only accept string type for `username` and `password` because accepting objects as credentials can lead to MongoDB injections: `username = {$not: {$eq: ""}}` can happen with express body or query string parsers (respectively by passing a JSON body, or `username[$not][$eq]=` as query string). If passed to MongoDB with `find({username: username})` it would be a security issue.

It may not be the place here to avoid such issues, but `passport-local` already rejects objects for `username` and `passport`, though only accidentally (via af9e71186, https://github.com/jaredhanson/passport-local/commit/af9e71186892700b1763d090dd1aab705f829db2, when adding object-formatted username/password parameter fields). This commit only adds an explicit test for object credentials rejection to guarantee this check. It could be expanded to reject other types, but the actual code would need to be updated accordingly, as only objects are rejected for now. The failure message could also be changed in code and test if we decide to be more specific (e.g. 'Invalid type for credentials' instead of 'Missing credentials').

This commit also completes the code coverage (using `istanbul cover`):

* Before: Statements : 97.92% ( 47/48 ) Branches : 100% ( 32/32 ) Functions : 100% ( 4/4 ) Lines : 97.62% ( 41/42 )
* After: Statements : 100% ( 48/48 ) Branches : 100% ( 32/32 ) Functions : 100% ( 4/4 ) Lines : 100% ( 42/42 )

(It adds cover for lib/utils.js:10: `return null;` of utils.lookup)
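The type check the commit message relies on, written out as an added example (not passport-local's own code): a lookup helper that only hands back string-typed fields, so the object-shaped `username` that a JSON body or the extended query-string parser can produce is treated as missing instead of being passed into a `find()` filter. The field names and the `validateCredentials` wrapper are assumptions for illustration.

```javascript
'use strict';

// Return body[field] only when it is a string. Objects (e.g. {$not: {$eq: ''}}),
// arrays, numbers and absent fields all yield null, which callers treat as
// "missing", so no datastore query is ever built from an operator object.
function lookupString(obj, field) {
  if (obj === null || typeof obj !== 'object') return null;
  if (!Object.prototype.hasOwnProperty.call(obj, field)) return null;
  const value = obj[field];
  return typeof value === 'string' ? value : null;
}

// Mirrors the "Missing credentials" failure path: both fields must be present
// as non-empty strings in the body or the query before authentication proceeds.
function validateCredentials(body, query) {
  const username = lookupString(body, 'username') || lookupString(query, 'username');
  const password = lookupString(body, 'password') || lookupString(query, 'password');
  if (!username || !password) {
    return { ok: false, message: 'Missing credentials' };
  }
  return { ok: true, username, password };
}

// Constructed inputs standing in for what the parsers produce (hypothetical):
// a JSON body carrying an operator object, the same shape that qs builds from
// "username[$not][$eq]=&password=x", and an ordinary string-typed login.
const objectBody = { username: { $not: { $eq: '' } }, password: 'x' };
const objectQuery = { username: { $not: { $eq: '' } }, password: 'x' };
const stringBody = { username: 'alice', password: 'correct horse' };

console.log(validateCredentials(objectBody, {}));   // { ok: false, message: 'Missing credentials' }
console.log(validateCredentials({}, objectQuery));  // { ok: false, message: 'Missing credentials' }
console.log(validateCredentials(stringBody, {}));   // { ok: true, username: 'alice', password: 'correct horse' }
```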
42 of 42 relevant lines covered (100.0%)
13.48 hits per line