From 3fd1e202814298b5f23b387c88f62f5ee98c9465 Mon Sep 17 00:00:00 2001
From: Remy Sharp
Date: Thu, 21 Jan 2016 11:15:10 +0000
Subject: [PATCH] Add tests for DoS via header
---
 test/server.js | 27 +++++++++++++++++++++++++++
 test/utils.js | 28 ++++++++++++++++++++++++++++
 2 files changed, 55 insertions(+)
diff --git a/test/server.js b/test/server.js
index 66ce36c..1d3405a 100755
--- a/test/server.js
+++ b/test/server.js
@@ -970,6 +970,33 @@ describe('Server', function () {
 });
 });
+ describe('authenticateBewit()', function () {
+
+ it('errors on uri too long', function (done) {
+
+ var long = '/';
+ for (var i = 0; i < 5000; ++i) {
+ long += 'x';
+ }
+
+ var req = {
+ method: 'GET',
+ url: long,
+ host: 'example.com',
+ port: 8080,
+ authorization: 'Hawk id="1", ts="1353788437", nonce="k3j4h2", mac="zy79QQ5/EYFmQqutVnYb73gAc/U=", ext="hello"'
+ };
+
+ Hawk.server.authenticateBewit(req, credentialsFunc, {}, function (err, credentials, bewit) {
+
+ expect(err).to.exist();
+ expect(err.output.statusCode).to.equal(400);
+ expect(err.message).to.equal('Resource path exceeds max length');
+ done();
+ });
+ });
+ });
+
 describe('authenticateMessage()', function () {
 it('errors on invalid authorization (ts)', function (done) {
diff --git a/test/utils.js b/test/utils.js
index 1bfef65..a2f17e5 100755
--- a/test/utils.js
+++ b/test/utils.js
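Review bot: The new authenticateBewit test pins only the rejecting side of the path-length limit — a 5001-character url must produce a 400 with 'Resource path exceeds max length' — but nothing asserts that a path just under the limit is still accepted, so an off-by-one or an over-tight bound in the implementation would pass this suite while turning away legitimate requests. A sibling `it` that builds a path at the maximum accepted length and asserts `expect(err.message).to.not.equal('Resource path exceeds max length');` would anchor the boundary; the same gap applies to both header-length tests in the test/utils.js hunk. The loop count 5000 is a magic number repeated in all three new tests with no indication of the limit it is meant to exceed; a comment such as `// deliberately far above the implementation's maximum path length` — or deriving the length from the limit if the library exports one — would make the intent explicit. The enclosing describe('Server') block starts and ends outside this hunk.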
@@ -93,6 +93,34 @@ describe('Utils', function () {
 expect(host.name).to.equal('[123:123:123]');
 done();
 });
+
+ it('errors on header too long', function (done) {
+
+ var long = '';
+ for (var i = 0; i < 5000; ++i) {
+ long += 'x';
+ }
+
+ expect(Hawk.utils.parseHost({ headers: { host: long } })).to.be.null();
+ done();
+ });
+ });
+
+ describe('parseAuthorizationHeader()', function () {
+
+ it('errors on header too long', function (done) {
+
+ var long = 'Scheme a="';
+ for (var i = 0; i < 5000; ++i) {
+ long += 'x';
+ }
+ long += '"';
+
+ var err = Hawk.utils.parseAuthorizationHeader(long, ['a']);
+ expect(err).to.be.instanceof(Error);
+ expect(err.message).to.equal('Header length too long');
+ done();
+ });
 });
 describe('version()', function () {
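Review bot: The parseHost test is named 'errors on header too long' but asserts that the call returns null rather than an error, while the parseAuthorizationHeader test of the same name does expect an Error instance; renaming the first to `it('returns null on header too long', function (done) {` keeps the test output honest about the two different failure signals. Returning null also leaves callers unable to tell an over-long host header from a malformed one, which seems to be the implementation's choice here and is worth a one-line comment in the test if it is intentional. The three-line loop that builds `long` is repeated in both tests here and again in test/server.js; `var long = new Array(5001).join('x');` says the same in one line, or a small helper at the top of the describe would remove the duplication entirely. The describe block that the first new `it` is inserted into starts outside this hunk.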