var assert = require('assert')
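module.exports = function() {
  var server = process.server

  // True when a response body, whatever its type, contains the string
  // 'node_modules' - the tell-tale of a Node stack trace being echoed back to
  // the client. Strings and Buffers are searched directly; anything else
  // (a parsed JSON document) is serialised first and searched, instead of
  // being waved through, so an error document that carries a stack string in
  // one of its fields is caught as well. Empty/absent bodies never leak.
  function leaksInternalPath(body) {
    if (!body) return false
    var text
    if (typeof body === 'string') {
      text = body
    } else if (Buffer.isBuffer(body)) {
      text = body.toString()
    } else {
      text = JSON.stringify(body)
    }
    return text.indexOf('node_modules') !== -1
  }

  // Security regression tests for the registry HTTP API: package-name and
  // filename validation, path traversal, and prototype-key handling. Every
  // expectation is a "must reject" or "must not leak" check; the status codes
  // and error messages below are what the server is pinned to.
  describe('Security', function() {
    before(function() {
      // fixture package that the attachment / traversal tests hang off
      return server.add_package('testpkg-sec')
    })

    it('bad pkg #1', function () {
      // A package name that collides with the metadata filename must be
      // refused by the name validator, not resolved to a file.
      return server.get_package('package.json')
        .status(403)
        .body_error(/invalid package/)
    })

    it('bad pkg #2', function () {
      // '__proto__' must be rejected as a package name before it is ever used
      // as a key into a plain object (prototype pollution).
      return server.get_package('__proto__')
        .status(403)
        .body_error(/invalid package/)
    })

    it('__proto__, connect stuff', function () {
      // A '__proto__' query key exercises the query-string parser. Two things
      // are checked: the response never echoes an internal path (stack
      // trace), and the server is still answering afterwards.
      return server.request({ uri: '/testpkg-sec?__proto__=1' })
        .then(function (body) {
          // test for NOT outputting stack trace (object bodies are inspected
          // too, not accepted blindly)
          assert(!leaksInternalPath(body), 'response body echoes an internal path')

          // test for NOT crashing
          return server.request({ uri: '/testpkg-sec' }).status(200)
        })
    })

    it('do not return package.json as an attachment', function () {
      // the metadata document must not be downloadable through the
      // attachment route
      return server.request({ uri: '/testpkg-sec/-/package.json' })
        .status(403)
        .body_error(/invalid filename/)
    })

    it('silly things - reading #1', function () {
      // NOTE(review): the HTTP client or URL layer presumably collapses the
      // '..' segments before the request leaves the client, so the server most
      // likely sees GET /etc/passwd - hence 404 rather than 403. The
      // percent-encoded variant in the next test is the one that actually
      // reaches the filename validator; keep both.
      return server.request({ uri: '/testpkg-sec/-/../../../../../../../../etc/passwd' })
        .status(404)
    })

    it('silly things - reading #2', function () {
      // percent-encoded traversal must be decoded server-side and rejected by
      // the filename validator, never handed to the filesystem
      return server.request({ uri: '/testpkg-sec/-/%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd' })
        .status(403)
        .body_error(/invalid filename/)
    })

    it('silly things - writing #1', function () {
      // uploading a tarball named like the metadata file must be refused
      return server.put_tarball('testpkg-sec', 'package.json', '{}')
        .status(403)
        .body_error(/invalid filename/)
    })

    it('silly things - writing #3', function () {
      // a reserved directory name is not an acceptable attachment name
      return server.put_tarball('testpkg-sec', 'node_modules', '{}')
        .status(403)
        .body_error(/invalid filename/)
    })

    it('silly things - writing #4', function () {
      // traversal in an upload filename must be rejected on write as well
      return server.put_tarball('testpkg-sec', '../testpkg.tgz', '{}')
        .status(403)
        .body_error(/invalid filename/)
    })
  })
}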