Unhandled POSTs are treated as hostile

remotestorage · Jul 25, 2024 · 9d79b69 · 9d79b69
1 parent 6c2c71b
commit 9d79b69
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 7 deletions.
diff --git a/lib/appFactory.js b/lib/appFactory.js
@@ -160,10 +160,10 @@ module.exports = async function ({ hostIdentity, jwtSecret, accountMgr, storeRou
     }
     const subpath = req.path.slice(basePath.length).split('/')?.[1];
     const name = req.path.slice(1);
-    if (['.well-known', 'storage', 'oauth', 'account', 'admin', 'crossdomain.xml', 'sitemap.xml'].includes(subpath)) {
+    if (['.well-known', 'account', 'admin', 'crossdomain.xml', 'sitemap.xml'].includes(subpath) && ['GET', 'HEAD'].includes(req.method)) {
       errorPage(req, res, 404, { title: 'Not Found', message: `“${name}” doesn't exist` });
     } else { // probably hostile
-      res.logNotes.add(`“${name}” shouldn't and doesn't exist`);
+      res.logNotes.add(`suspicious request for “${name}”; applying rate penalty`);
       res.status(404).end();
       if (Object.keys(req.session?.privileges || {}).length > 0) {
         await rateLimiterPenalty(req.ip, 2);

diff --git a/spec/modular/m_not_found.spec.js b/spec/modular/m_not_found.spec.js
@@ -18,7 +18,7 @@ describe('Nonexistant resource (modular)', function () {
       hostIdentity: this.hostIdentity,
       jwtSecret: 'swordfish',
       accountMgr: mockAccountFactory(this.hostIdentity),
-      storeRouter: (_req, _res, next) => next()
+      storeRouter: (_req, res, _next) => { res.status(404).end(); }
     });
     app.locals.title = 'Test Armadietto';
     app.locals.host = 'localhost:xxxx';
@@ -47,6 +47,12 @@ describe('Nonexistant resource (modular)', function () {
     expect(res.text).to.equal('');
   });
 
+  it('should curtly refuse POSTs without a handler', async function () {
+    const res = await chai.request(this.app).post('/admin/login');
+    expect(res).to.have.status(404);
+    expect(res.text).to.equal('');
+  });
+
   /** This tests that 404 for nonexistent assets is cache-able */
   it('should return cache headers for asset', async function () {
     const res = await chai.request(this.app).get('/assets/not-there').set('Origin', this.hostIdentity);
@@ -87,10 +93,6 @@ describe('Nonexistant resource (modular)', function () {
     expect(res).not.to.have.header('X-Powered-By');
     expect(res).to.have.header('X-XSS-Protection', '0'); // disabled because counterproductive
 
-    expect(res).to.have.header('Content-Type', /^text\/html/);
-    expect(parseInt(res.get('Content-Length'))).to.be.greaterThan(0);
-
-    expect(res).to.have.header('ETag');
     expect(res).to.have.header('Cache-Control', /\bno-cache\b/);
     expect(res).to.have.header('Cache-Control', /\bpublic\b/);
   });