diff --git a/src/lib/local-storage.js b/src/lib/local-storage.js
index ac5bf45f9..323b93bdd 100644
--- a/src/lib/local-storage.js
+++ b/src/lib/local-storage.js
@@ -409,7 +409,7 @@ class LocalStorage implements IStorage {
  _transform.apply(uploadStream, arguments);
  };
- if (name === pkgFileName || name === '__proto__') {
+ if (name === '__proto__') {
  process.nextTick(() => {
  uploadStream.emit('error', ErrorCode.getForbidden());
  });
diff --git a/src/lib/utils.js b/src/lib/utils.js
index 81fb58f0d..d3e655c1a 100644
--- a/src/lib/utils.js
+++ b/src/lib/utils.js
@@ -75,7 +75,6 @@ function validateName(name: string): boolean {
  name.charAt(0) === '-' || // "-" is reserved by couchdb
  name === 'node_modules' ||
  name === '__proto__' ||
- name === 'package.json' ||
  name === 'favicon.ico'
  );
  }
diff --git a/test/functional/sanity/security.js b/test/functional/sanity/security.js
index 4afa1e891..c366a655d 100644
--- a/test/functional/sanity/security.js
+++ b/test/functional/sanity/security.js
@@ -9,7 +9,7 @@ export default function(server) {
  });
  test('should fails on fetch bad pkg #1', () => {
- return server.getPackage('package.json')
+ return server.getPackage('__proto__')
  .status(HTTP_STATUS.FORBIDDEN)
  .body_error(/invalid package/);
  });
@@ -31,8 +31,8 @@ export default function(server) {
  });
  });
- test('should fails and do not return package.json as an attachment', () => {
- return server.request({uri: '/testpkg-sec/-/package.json'})
+ test('should fails and do not return __proto__ as an attachment', () => {
+ return server.request({uri: '/testpkg-sec/-/__proto__'})
  .status(HTTP_STATUS.FORBIDDEN)
  .body_error(/invalid filename/);
  });
@@ -49,7 +49,7 @@ export default function(server) {
  });
  test('should fails on fetch silly things - writing #1', () => {
- return server.putTarball('testpkg-sec', 'package.json', '{}')
+ return server.putTarball('testpkg-sec', '__proto__', '{}')
  .status(HTTP_STATUS.FORBIDDEN)
  .body_error(/invalid filename/);
  });
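Review bot: Dropping `name === pkgFileName` from the guard in addTarball lets an upload whose filename equals the package metadata document reach the storage write path; if `pkgFileName` is still `'package.json'` and tarballs are written into the same directory as that document (both defined outside this hunk), such an upload could overwrite or corrupt the package's metadata, and the matching removal of `name === 'package.json'` from validateName in the utils.js hunk means no earlier layer rejects it either. Nothing in the commit shows a storage-layout change that would make the name safe, so either the guard should stay as `if (name === pkgFileName || name === '__proto__') {` or the reason it is no longer needed belongs in a comment next to the new line, e.g. `// package.json is accepted as a tarball name here because <reason>`. The enclosing addTarball function starts and ends outside the hunk.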
diff --git a/test/unit/api/local-storage.spec.js b/test/unit/api/local-storage.spec.js
index 686bb17c8..2a081cae8 100644
--- a/test/unit/api/local-storage.spec.js
+++ b/test/unit/api/local-storage.spec.js
@@ -344,7 +344,7 @@ describe('LocalStorage', () => {
  stream.on('error', (err) => {
  expect(err).not.toBeNull();
  expect(err.statusCode).toEqual(HTTP_STATUS.CONFLICT);
- expect(err.message).toMatch(/this package is already present/);
+ expect(err.message).toMatch(/this package is already present/);
  });
  stream.on('success', function(){
  expect(spy).toHaveBeenCalled();
@@ -385,7 +385,7 @@ describe('LocalStorage', () => {
  });
  test('should fails on abort on add a new tarball', (done) => {
- const stream = storage.addTarball('package.json', `${pkgName}-fails-add-tarball-1.0.4.tgz`);
+ const stream = storage.addTarball('__proto__', `${pkgName}-fails-add-tarball-1.0.4.tgz`);
  stream.abort();
  stream.on('error', function(err) {
  expect(err).not.toBeNull();
diff --git a/test/unit/api/utils.spec.js b/test/unit/api/utils.spec.js
index d4a6667a7..5c252fd59 100644
--- a/test/unit/api/utils.spec.js
+++ b/test/unit/api/utils.spec.js
@@ -59,10 +59,6 @@ describe('Utilities', () => {
  assert(validate('JSONStream'));
  });
- test('no package.json', () => {
- assert(!validate('package.json'));
- });
-
  test('no path seps', () => {
  assert(!validate('some/thing'));
  assert(!validate('some\\thing'));
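Review bot: In the utils.spec.js hunk the `no package.json` test is deleted rather than inverted, so the behaviour this commit introduces — `validate('package.json')` now returning true — has no unit coverage, and a later re-addition of the name to the reserved list in validateName would pass the suite silently. Replacing the removed block with `test('package.json is allowed', () => { assert(validate('package.json')); });` would pin the intended change next to the other validateName cases. The enclosing describe block starts and ends outside the hunk.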