verdaccio/test/functional/sanity/security.ts

import _ from 'lodash';

import { HTTP_STATUS } from '../../../src/lib/constants';

export default function (server) {
  describe('should test security on endpoints', () => {
    beforeAll(function () {
      return server.addPackage('testpkg-sec');
    });

    test('should fails on fetch bad pkg #1', () => {
      return server
        .getPackage('__proto__')
        .status(HTTP_STATUS.FORBIDDEN)
        .body_error(/invalid package/);
    });

    test('should fails on fetch bad pkg #2', () => {
      return server
        .getPackage('__proto__')
        .status(HTTP_STATUS.FORBIDDEN)
        .body_error(/invalid package/);
    });

    test('should do not fails on __proto__, connect stuff', () => {
      return server.request({ uri: '/testpkg-sec?__proto__=1' }).then(function (body) {
        // test for NOT outputting stack trace
        expect(_.isNil(body) || _.isObject(body) || body.indexOf('node_modules')).toBeTruthy();

        // test for NOT crashing
        return server.request({ uri: '/testpkg-sec' }).status(HTTP_STATUS.OK);
      });
    });

    test('should fails and do not return __proto__ as an attachment', () => {
      return server
        .request({ uri: '/testpkg-sec/-/__proto__' })
        .status(HTTP_STATUS.FORBIDDEN)
        .body_error(/invalid filename/);
    });

    test('should fails on fetch silly things - reading #1', () => {
      return server
        .request({ uri: '/testpkg-sec/-/../../../../../../../../etc/passwd' })
        .status(HTTP_STATUS.NOT_FOUND);
    });

    test('should fails on fetch silly things - reading #2', () => {
      return server
        .request({
          uri: '/testpkg-sec/-/%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd',
        })
        .status(HTTP_STATUS.FORBIDDEN)
        .body_error(/invalid filename/);
    });

    test('should fails on fetch silly things - writing #1', () => {
      return server
        .putTarball('testpkg-sec', '__proto__', '{}')
        .status(HTTP_STATUS.FORBIDDEN)
        .body_error(/invalid filename/);
    });

    test('should fails on fetch silly things - writing #3', () => {
      return server
        .putTarball('testpkg-sec', 'node_modules', '{}')
        .status(HTTP_STATUS.FORBIDDEN)
        .body_error(/invalid filename/);
    });

    test('should fails on fetch silly things - writing #4', () => {
      return server
        .putTarball('testpkg-sec', '../testpkg.tgz', '{}')
        .status(HTTP_STATUS.FORBIDDEN)
        .body_error(/invalid filename/);
    });
  });
}
fix(deps): update all non-major linting dependencies (5.x) (#2885) * fix(deps): update all non-major linting dependencies * fix lint issues * chore: increase timeout * chore: increase timeout Co-authored-by: Renovate Bot <bot@renovateapp.com> Co-authored-by: Juan Picado <juanpicado19@gmail.com> 2022-01-09 20:31:26 +01:00			`import _ from 'lodash';`
reorganize tests, and add new ones 2013-12-19 19:11:54 +04:00
build: format code prettier, enable ci (#2886) * fix: format code prettier, enable ci * chore: add trivago import prettier pluggin 2022-01-09 20:51:50 +01:00			`import { HTTP_STATUS } from '../../../src/lib/constants';`

chore: update eslint dependencies (#2126) * chore: update eslint * chore: update rules and style * chore: aling formatting * chore: update ci rules * chore: aling formatting * chore: aling formatting 2021-03-14 08:42:46 +01:00			`export default function (server) {`
refactor: usage of constants on sanity test 2018-06-23 09:18:31 +02:00			`describe('should test security on endpoints', () => {`
refactor: jest migration completed 2017-12-02 11:19:08 +01:00			`beforeAll(function () {`
(test): Refactor server class, renamed methods to camelCase 2017-06-28 22:56:02 +02:00			`return server.addPackage('testpkg-sec');`
Update unit test es6 2017-04-19 21:15:28 +02:00			`});`
reorganize tests, and add new ones 2013-12-19 19:11:54 +04:00
refactor: usage of constants on sanity test 2018-06-23 09:18:31 +02:00			`test('should fails on fetch bad pkg #1', () => {`
chore: update eslint dependencies (#2126) * chore: update eslint * chore: update rules and style * chore: aling formatting * chore: update ci rules * chore: aling formatting * chore: aling formatting 2021-03-14 08:42:46 +01:00			`return server`
			`.getPackage('__proto__')`
refactor: usage of constants on sanity test 2018-06-23 09:18:31 +02:00			`.status(HTTP_STATUS.FORBIDDEN)`
refactor: naming clean up, relocation, organize by category 2017-08-06 21:54:15 +02:00			`.body_error(/invalid package/);`
Update unit test es6 2017-04-19 21:15:28 +02:00			`});`
reorganize tests, and add new ones 2013-12-19 19:11:54 +04:00
refactor: usage of constants on sanity test 2018-06-23 09:18:31 +02:00			`test('should fails on fetch bad pkg #2', () => {`
chore: update eslint dependencies (#2126) * chore: update eslint * chore: update rules and style * chore: aling formatting * chore: update ci rules * chore: aling formatting * chore: aling formatting 2021-03-14 08:42:46 +01:00			`return server`
			`.getPackage('__proto__')`
refactor: usage of constants on sanity test 2018-06-23 09:18:31 +02:00			`.status(HTTP_STATUS.FORBIDDEN)`
refactor: naming clean up, relocation, organize by category 2017-08-06 21:54:15 +02:00			`.body_error(/invalid package/);`
Update unit test es6 2017-04-19 21:15:28 +02:00			`});`
set up some linting (obvious errors only) 2015-03-28 21:25:53 +03:00
refactor: usage of constants on sanity test 2018-06-23 09:18:31 +02:00			`test('should do not fails on __proto__, connect stuff', () => {`
chore: update eslint dependencies (#2126) * chore: update eslint * chore: update rules and style * chore: aling formatting * chore: update ci rules * chore: aling formatting * chore: aling formatting 2021-03-14 08:42:46 +01:00			`return server.request({ uri: '/testpkg-sec?__proto__=1' }).then(function (body) {`
			`// test for NOT outputting stack trace`
			`expect(_.isNil(body) \|\| _.isObject(body) \|\| body.indexOf('node_modules')).toBeTruthy();`
reorganize tests, and add new ones 2013-12-19 19:11:54 +04:00
chore: update eslint dependencies (#2126) * chore: update eslint * chore: update rules and style * chore: aling formatting * chore: update ci rules * chore: aling formatting * chore: aling formatting 2021-03-14 08:42:46 +01:00			`// test for NOT crashing`
			`return server.request({ uri: '/testpkg-sec' }).status(HTTP_STATUS.OK);`
			`});`
Update unit test es6 2017-04-19 21:15:28 +02:00			`});`
reorganize tests, and add new ones 2013-12-19 19:11:54 +04:00
feat: allows package.json as package name (#1149) 2018-12-06 08:34:42 +01:00			`test('should fails and do not return __proto__ as an attachment', () => {`
chore: update eslint dependencies (#2126) * chore: update eslint * chore: update rules and style * chore: aling formatting * chore: update ci rules * chore: aling formatting * chore: aling formatting 2021-03-14 08:42:46 +01:00			`return server`
			`.request({ uri: '/testpkg-sec/-/__proto__' })`
refactor: usage of constants on sanity test 2018-06-23 09:18:31 +02:00			`.status(HTTP_STATUS.FORBIDDEN)`
refactor: naming clean up, relocation, organize by category 2017-08-06 21:54:15 +02:00			`.body_error(/invalid filename/);`
Update unit test es6 2017-04-19 21:15:28 +02:00			`});`
reorganize tests, and add new ones 2013-12-19 19:11:54 +04:00
refactor: usage of constants on sanity test 2018-06-23 09:18:31 +02:00			`test('should fails on fetch silly things - reading #1', () => {`
chore: upgrade eslint and prettier (#3565) 2023-01-18 22:49:28 +01:00			`return server`
			`.request({ uri: '/testpkg-sec/-/../../../../../../../../etc/passwd' })`
			`.status(HTTP_STATUS.NOT_FOUND);`
Update unit test es6 2017-04-19 21:15:28 +02:00			`});`
reorganize tests, and add new ones 2013-12-19 19:11:54 +04:00
refactor: usage of constants on sanity test 2018-06-23 09:18:31 +02:00			`test('should fails on fetch silly things - reading #2', () => {`
chore: update eslint dependencies (#2126) * chore: update eslint * chore: update rules and style * chore: aling formatting * chore: update ci rules * chore: aling formatting * chore: aling formatting 2021-03-14 08:42:46 +01:00			`return server`
			`.request({`
build: format code prettier, enable ci (#2886) * fix: format code prettier, enable ci * chore: add trivago import prettier pluggin 2022-01-09 20:51:50 +01:00			`uri: '/testpkg-sec/-/%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd',`
chore: update eslint dependencies (#2126) * chore: update eslint * chore: update rules and style * chore: aling formatting * chore: update ci rules * chore: aling formatting * chore: aling formatting 2021-03-14 08:42:46 +01:00			`})`
refactor: usage of constants on sanity test 2018-06-23 09:18:31 +02:00			`.status(HTTP_STATUS.FORBIDDEN)`
refactor: naming clean up, relocation, organize by category 2017-08-06 21:54:15 +02:00			`.body_error(/invalid filename/);`
Update unit test es6 2017-04-19 21:15:28 +02:00			`});`
reorganize tests, and add new ones 2013-12-19 19:11:54 +04:00
refactor: usage of constants on sanity test 2018-06-23 09:18:31 +02:00			`test('should fails on fetch silly things - writing #1', () => {`
chore: update eslint dependencies (#2126) * chore: update eslint * chore: update rules and style * chore: aling formatting * chore: update ci rules * chore: aling formatting * chore: aling formatting 2021-03-14 08:42:46 +01:00			`return server`
			`.putTarball('testpkg-sec', '__proto__', '{}')`
refactor: usage of constants on sanity test 2018-06-23 09:18:31 +02:00			`.status(HTTP_STATUS.FORBIDDEN)`
refactor: naming clean up, relocation, organize by category 2017-08-06 21:54:15 +02:00			`.body_error(/invalid filename/);`
Update unit test es6 2017-04-19 21:15:28 +02:00			`});`
reorganize tests, and add new ones 2013-12-19 19:11:54 +04:00
refactor: usage of constants on sanity test 2018-06-23 09:18:31 +02:00			`test('should fails on fetch silly things - writing #3', () => {`
chore: update eslint dependencies (#2126) * chore: update eslint * chore: update rules and style * chore: aling formatting * chore: update ci rules * chore: aling formatting * chore: aling formatting 2021-03-14 08:42:46 +01:00			`return server`
			`.putTarball('testpkg-sec', 'node_modules', '{}')`
refactor: usage of constants on sanity test 2018-06-23 09:18:31 +02:00			`.status(HTTP_STATUS.FORBIDDEN)`
refactor: naming clean up, relocation, organize by category 2017-08-06 21:54:15 +02:00			`.body_error(/invalid filename/);`
Update unit test es6 2017-04-19 21:15:28 +02:00			`});`
reorganize tests, and add new ones 2013-12-19 19:11:54 +04:00
refactor: usage of constants on sanity test 2018-06-23 09:18:31 +02:00			`test('should fails on fetch silly things - writing #4', () => {`
chore: update eslint dependencies (#2126) * chore: update eslint * chore: update rules and style * chore: aling formatting * chore: update ci rules * chore: aling formatting * chore: aling formatting 2021-03-14 08:42:46 +01:00			`return server`
			`.putTarball('testpkg-sec', '../testpkg.tgz', '{}')`
refactor: usage of constants on sanity test 2018-06-23 09:18:31 +02:00			`.status(HTTP_STATUS.FORBIDDEN)`
refactor: naming clean up, relocation, organize by category 2017-08-06 21:54:15 +02:00			`.body_error(/invalid filename/);`
Update unit test es6 2017-04-19 21:15:28 +02:00			`});`
			`});`
refactor: fix linting 2017-12-02 11:20:27 +01:00			`}`