Merge branch 'master' into qr

Author: HARDY8118

.github/release-drafter.yml

@@ -0,0 +1,42 @@
+name-template: 'v$RESOLVED_VERSION'
+tag-template: 'v$RESOLVED_VERSION'
+
+change-template: '- $TITLE @$AUTHOR (#$NUMBER)'
+change-title-escapes: '\<*_&'
+
+categories:
+  - title: 'Breaking changes'
+    labels:
+      - 'major version'
+  - title: 'Features and enhancements'
+    labels:
+      - 'feature'
+      - 'enhancement'
+  - title: 'Bug Fixes'
+    labels:
+      - 'fix'
+      - 'bug'
+  - title: 'Other changes'
+    labels:
+      - 'dependencies'
+      - 'documentation'
+
+exclude-labels:
+  - "skip-changelog"
+  - "maintenance"
+  - "trivial"
+
+version-resolver:
+  major:
+    labels:
+      - 'major version'
+  minor:
+    labels:
+      - 'minor version'
+  patch:
+    labels:
+      - 'patch version'
+  default: patch
+
+template: |
+  $CHANGES

.github/workflows/release-drafter.yml

@@ -0,0 +1,20 @@
+name: release-drafter
+
+on:
+  push:
+    # branches to consider in the event; optional, defaults to all
+    branches:
+      - master
+
+jobs:
+  update_release_draft:
+    permissions:
+      contents: write
+      pull-requests: read
+    if: github.repository == 'http-party/http-server'
+    runs-on: ubuntu-latest
+    steps:
+      # Drafts your next release notes as pull requests are merged into master
+      - uses: release-drafter/release-drafter@v5
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

README.md

@@ -58,8 +58,7 @@ This will install `http-server` globally so that it may be run from the command
 |`-U` or `--utc` |Use UTC time format in log messages.| |
 |`--log-ip` |Enable logging of the client's IP address |`false` |
 |`-P` or `--proxy` |Proxies all requests which can't be resolved locally to the given url. e.g.: -P http://someurl.com | |
-|`--proxy-options` Pass proxy [options](https://github.com/http-party/node-http-proxy#options) using nested dotted objects. e.g.: --proxy-options.secure false
-
+|`--proxy-options` |Pass proxy [options](https://github.com/http-party/node-http-proxy#options) using nested dotted objects. e.g.: --proxy-options.secure false |
 |`--username` |Username for basic authentication | |
 |`--password` |Password for basic authentication | |
 |`-S`, `--tls` or `--ssl` |Enable secure request serving with TLS/SSL (HTTPS)|`false`|

bin/http-server

@@ -9,6 +9,7 @@ var colors     = require('colors/safe'),
     opener     = require('opener'),
     fs         = require('fs'),
     qrcode     = require('qrcode-terminal');
+    url        = require('url');
 var argv = require('minimist')(process.argv.slice(2), {
   alias: {
     tls: 'ssl'
@@ -163,6 +164,16 @@ function listen(port) {
     }
   }
 
+  if (proxy) {
+    try {
+      new url.URL(proxy)
+    }
+    catch (err) {
+      logger.info(colors.red('Error: Invalid proxy url'));
+      process.exit(1);
+    }
+  }
+
   if (tls) {
     options.https = {
       cert: argv.C || argv.cert || 'cert.pem',

lib/core/index.js

@@ -31,6 +31,11 @@ function decodePathname(pathname) {
       ? normalized.replace(/\\/g, '/') : normalized;
 }
 
+const nonUrlSafeCharsRgx = /[\x00-\x1F\x20\x7F-\uFFFF]+/g;
+function ensureUriEncoded(text) {
+  return text
+  return String(text).replace(nonUrlSafeCharsRgx, encodeURIComponent);
+}
 
 // Check to see if we should try to compress a file with gzip.
 function shouldCompressGzip(req) {
@@ -161,7 +166,8 @@ module.exports = function createMiddleware(_dir, _options) {
       if (opts.weakCompare && clientEtag !== serverEtag
         && clientEtag !== `W/${serverEtag}` && `W/${clientEtag}` !== serverEtag) {
         return false;
-      } else if (!opts.weakCompare && (clientEtag !== serverEtag || clientEtag.indexOf('W/') === 0)) {
+      }
+      if (!opts.weakCompare && (clientEtag !== serverEtag || clientEtag.indexOf('W/') === 0)) {
         return false;
       }
     }
@@ -340,8 +346,10 @@ module.exports = function createMiddleware(_dir, _options) {
             }, res, next);
           } else {
             // Try to serve default ./404.html
+            const rawUrl = (handleError ? `/${path.join(baseDir, `404.${defaultExt}`)}` : req.url);
+            const encodedUrl = ensureUriEncoded(rawUrl);
             middleware({
-              url: (handleError ? `/${path.join(baseDir, `404.${defaultExt}`)}` : req.url),
+              url: encodedUrl,
               headers: req.headers,
               statusCode: 404,
             }, res, next);
@@ -359,7 +367,10 @@ module.exports = function createMiddleware(_dir, _options) {
           if (!pathname.match(/\/$/)) {
             res.statusCode = 302;
             const q = parsed.query ? `?${parsed.query}` : '';
-            res.setHeader('location', `${parsed.pathname}/${q}`);
+            res.setHeader(
+              'location',
+              ensureUriEncoded(`${parsed.pathname}/${q}`)
+            );
             res.end();
             return;
           }

lib/core/opts.js

@@ -118,7 +118,7 @@ module.exports = (opts) => {
     });
 
     aliases.cors.forEach((k) => {
-      if (isDeclared(k) && k) {
+      if (isDeclared(k) && opts[k]) {
         handleOptionsMethod = true;
         headers['Access-Control-Allow-Origin'] = '*';
         headers['Access-Control-Allow-Headers'] = 'Authorization, Content-Type, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since';

test/cli.test.js

@@ -101,3 +101,16 @@ test('setting mimeTypes via cli - directly', (t) => {
     });
   });
 });
+
+test('--proxy requires you to specify a protocol', (t) => {
+  t.plan(1);
+  
+  const options = ['.', '--proxy', 'google.com'];
+  const server = startServer(options);
+
+  tearDown(server, t);
+
+  server.on('exit', (code) => {
+    t.equal(code, 1);
+  });
+});

test/cors.test.js

@@ -0,0 +1,118 @@
+'use strict';
+
+const test = require('tap').test;
+const server = require('../lib/core');
+const http = require('http');
+const path = require('path');
+const request = require('request');
+
+const root = path.join(__dirname, 'public');
+
+test('cors defaults to false', (t) => {
+  t.plan(4);
+
+  const httpServer = http.createServer(
+    server({
+      root,
+      autoIndex: true,
+      defaultExt: 'html',
+    })
+  );
+
+  httpServer.listen(() => {
+    const port = httpServer.address().port;
+    const uri = `http://localhost:${port}/subdir/index.html`;
+
+    request.get({ uri }, (err, res) => {
+      t.ifError(err);
+      t.equal(res.statusCode, 200);
+      t.type(res.headers['access-control-allow-origin'], 'undefined');
+      t.type(res.headers['access-control-allow-headers'], 'undefined');
+    });
+  });
+  t.once('end', () => {
+    httpServer.close();
+  });
+});
+
+test('cors set to false', (t) => {
+  t.plan(4);
+
+  const httpServer = http.createServer(
+    server({
+      root,
+      cors: false,
+      autoIndex: true,
+      defaultExt: 'html',
+    })
+  );
+
+  httpServer.listen(() => {
+    const port = httpServer.address().port;
+    const uri = `http://localhost:${port}/subdir/index.html`;
+
+    request.get({ uri }, (err, res) => {
+      t.ifError(err);
+      t.equal(res.statusCode, 200);
+      t.type(res.headers['access-control-allow-origin'], 'undefined');
+      t.type(res.headers['access-control-allow-headers'], 'undefined');
+    });
+  });
+  t.once('end', () => {
+    httpServer.close();
+  });
+});
+
+test('cors set to true', (t) => {
+  t.plan(4);
+
+  const httpServer = http.createServer(
+    server({
+      root,
+      cors: true,
+      autoIndex: true,
+      defaultExt: 'html',
+    })
+  );
+
+  httpServer.listen(() => {
+    const port = httpServer.address().port;
+    const uri = `http://localhost:${port}/subdir/index.html`;
+    request.get({ uri }, (err, res) => {
+      t.ifError(err);
+      t.equal(res.statusCode, 200);
+      t.equal(res.headers['access-control-allow-origin'], '*');
+      t.equal(res.headers['access-control-allow-headers'], 'Authorization, Content-Type, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since');
+    });
+  });
+  t.once('end', () => {
+    httpServer.close();
+  });
+});
+
+test('CORS set to true', (t) => {
+  t.plan(4);
+
+  const httpServer = http.createServer(
+    server({
+      root,
+      CORS: true,
+      autoIndex: true,
+      defaultExt: 'html',
+    })
+  );
+
+  httpServer.listen(() => {
+    const port = httpServer.address().port;
+    const uri = `http://localhost:${port}/subdir/index.html`;
+    request.get({ uri }, (err, res) => {
+      t.ifError(err);
+      t.equal(res.statusCode, 200);
+      t.equal(res.headers['access-control-allow-origin'], '*');
+      t.equal(res.headers['access-control-allow-headers'], 'Authorization, Content-Type, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since');
+    });
+  });
+  t.once('end', () => {
+    httpServer.close();
+  });
+});

test/main.test.js

@@ -87,6 +87,19 @@ test('http-server main', (t) => {
                   .indexOf('X-Test') >= 0, 204);
             }).catch(err => t.fail(err.toString())),
 
+            t.test(
+              "Regression: don't crash on control characters in query strings",
+              {},
+              (t) => {
+                requestAsync({
+                  uri: encodeURI('http://localhost:8080/file?\x0cfoo'),
+                }).then(res => {
+                  t.equal(res.statusCode, 200);
+                }).catch(err => t.fail(err.toString()))
+                  .finally(() => t.end());
+              }
+            ),
+
             // Light compression testing. Heavier compression tests exist in
             // compression.test.js
             requestAsync({