verdaccio/test/functional/sanity/security.ts
renovate[bot] 23d0bd7056
fix(deps): update all non-major linting dependencies (5.x) (#2885)
* fix(deps): update all non-major linting dependencies

* fix lint issues

* chore: increase timeout

* chore: increase timeout

Co-authored-by: Renovate Bot <bot@renovateapp.com>
Co-authored-by: Juan Picado <juanpicado19@gmail.com>
2022-01-09 20:31:26 +01:00


import { HTTP_STATUS } from '../../../src/lib/constants';
import _ from 'lodash';
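/**
 * Functional security checks for the package and tarball endpoints.
 *
 * Every case sends a hostile package or file identifier (`__proto__`,
 * `node_modules`, `..`-style path traversal both raw and percent-encoded) and
 * asserts that the server answers with the expected status and error body
 * instead of reading or writing outside the storage directory.
 *
 * @param server - functional-test client; `addPackage`, `getPackage`,
 *   `putTarball` and `request` return chainable assertion promises
 *   (`status`, `body_error`) as used below.
 */
export default function (server) {
  describe('should test security on endpoints', () => {
    beforeAll(function () {
      // Seed a real package so the filename/traversal cases target an existing scope.
      return server.addPackage('testpkg-sec');
    });

    // Package name that would collide with Object.prototype must be rejected.
    test('should fails on fetch bad pkg #1', () => {
      return server
        .getPackage('__proto__')
        .status(HTTP_STATUS.FORBIDDEN)
        .body_error(/invalid package/);
    });

    test('should fails on fetch bad pkg #2', () => {
      return server
        .getPackage('__proto__')
        .status(HTTP_STATUS.FORBIDDEN)
        .body_error(/invalid package/);
    });

    // A `__proto__` query parameter must neither leak a stack trace nor crash the server.
    test('should do not fails on __proto__, connect stuff', () => {
      return server.request({ uri: '/testpkg-sec?__proto__=1' }).then((body) => {
        // A leaked stack trace would contain filesystem paths such as 'node_modules',
        // so the body must be empty, a parsed object, or a string without that marker.
        // The previous `body.indexOf('node_modules')` was truthy for -1 and for any
        // positive index alike, so the assertion could only fail at index 0.
        expect(
          _.isNil(body) || _.isObject(body) || body.indexOf('node_modules') === -1
        ).toBeTruthy();
        // The server must still serve the package afterwards (no crash).
        return server.request({ uri: '/testpkg-sec' }).status(HTTP_STATUS.OK);
      });
    });

    test('should fails and do not return __proto__ as an attachment', () => {
      return server
        .request({ uri: '/testpkg-sec/-/__proto__' })
        .status(HTTP_STATUS.FORBIDDEN)
        .body_error(/invalid filename/);
    });

    // Raw `..` segments: the expected outcome is a plain 404, not file contents.
    test('should fails on fetch silly things - reading #1', () => {
      return server
        .request({ uri: '/testpkg-sec/-/../../../../../../../../etc/passwd' })
        .status(HTTP_STATUS.NOT_FOUND);
    });

    // Percent-encoded `/..` segments must be rejected as an invalid filename.
    test('should fails on fetch silly things - reading #2', () => {
      return server
        .request({
          uri:
            '/testpkg-sec/-/%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd',
        })
        .status(HTTP_STATUS.FORBIDDEN)
        .body_error(/invalid filename/);
    });

    // Uploads with reserved or traversing tarball names must be refused before any write.
    test('should fails on fetch silly things - writing #1', () => {
      return server
        .putTarball('testpkg-sec', '__proto__', '{}')
        .status(HTTP_STATUS.FORBIDDEN)
        .body_error(/invalid filename/);
    });

    test('should fails on fetch silly things - writing #3', () => {
      return server
        .putTarball('testpkg-sec', 'node_modules', '{}')
        .status(HTTP_STATUS.FORBIDDEN)
        .body_error(/invalid filename/);
    });

    test('should fails on fetch silly things - writing #4', () => {
      return server
        .putTarball('testpkg-sec', '../testpkg.tgz', '{}')
        .status(HTTP_STATUS.FORBIDDEN)
        .body_error(/invalid filename/);
    });
  });
}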