* chore: test * chore: add * chore: more progress * chore: progress in migration, fix prettier parser * chore: reduce tsc errors * chore: refactor storage utils types * chore: refactor utils types * chore: refactor local storage types * chore: refactor config utils types * chore: refactor tsc types * refactor: apply eslint fix, tabs etc * chore: fix lint errors * test: update unit test conf to typescript setup few test refactored to typescript * chore: enable more unit test migrate to typescript * chore: migrate storage test to tsc * chore: migrate up storage test to tsc * refactor: enable plugin and auth test * chore: migrate plugin loader test * chore: update dependencies * chore: migrate functional test to typescript * chore: add codecove * chore: update express * chore: downgrade puppeteer The latest version does not seem to work properly. * chore: update dependencies
import _ from 'lodash';
import {HTTP_STATUS} from '../../../src/lib/constants';
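/**
 * Registers the endpoint-hardening suite against a running functional-test
 * server. Every case sends a reserved name (`__proto__`, `node_modules`) or a
 * path-traversal filename and asserts that the registry rejects it with a
 * generic error — and that an unexpected input never surfaces a stack trace
 * or takes the server down.
 *
 * @param {object} server - functional-test server wrapper; the suite uses its
 *   `addPackage`, `getPackage`, `putTarball` and `request` helpers, whose
 *   return values expose chainable `status`/`body_error` assertions.
 */
export default function(server) {
  // Substring that a stack trace from this project would contain
  // (file paths of dependencies). Its absence in a response body is what
  // "no stack trace leaked" means in this suite.
  const STACK_TRACE_MARKER = 'node_modules';

  describe('should test security on endpoints', () => {
    beforeAll(function () {
      // The package every request below targets must exist so that failures
      // come from the input checks and not from a missing package.
      return server.addPackage('testpkg-sec');
    });

    test('should fails on fetch bad pkg #1', () => {
      return server.getPackage('__proto__')
        .status(HTTP_STATUS.FORBIDDEN)
        .body_error(/invalid package/);
    });

    // NOTE(review): this case is identical to #1 (same `__proto__` input and
    // same expectations). It is kept so the suite's test count is unchanged,
    // but it adds no coverage on its own.
    test('should fails on fetch bad pkg #2', () => {
      return server.getPackage('__proto__')
        .status(HTTP_STATUS.FORBIDDEN)
        .body_error(/invalid package/);
    });

    test('should do not fails on __proto__, connect stuff', () => {
      return server.request({uri: '/testpkg-sec?__proto__=1'})
        .then(function (body) {
          // test for NOT outputting stack trace.
          // The previous check `body.indexOf('node_modules')` evaluated to -1
          // (truthy) when the marker was ABSENT and was falsy only when the
          // marker sat at index 0, so a leaked trace anywhere else in the
          // body still passed. Assert absence explicitly; non-string bodies
          // (nil / parsed object) are accepted as before.
          const leaksStackTrace =
            typeof body === 'string' && body.includes(STACK_TRACE_MARKER);
          expect(leaksStackTrace).toBe(false);

          // test for NOT crashing: the server must still answer normally
          // after the odd query string.
          return server.request({uri: '/testpkg-sec'}).status(HTTP_STATUS.OK);
        });
    });

    test('should fails and do not return __proto__ as an attachment', () => {
      return server.request({uri: '/testpkg-sec/-/__proto__'})
        .status(HTTP_STATUS.FORBIDDEN)
        .body_error(/invalid filename/);
    });

    // Raw `..` segments are expected to yield NOT_FOUND rather than FORBIDDEN;
    // presumably the client or router collapses them before the filename
    // check runs, so the request lands on a route that does not exist —
    // verify against the server if this expectation changes.
    test('should fails on fetch silly things - reading #1', () => {
      return server.request({uri: '/testpkg-sec/-/../../../../../../../../etc/passwd'})
        .status(HTTP_STATUS.NOT_FOUND);
    });

    // Percent-encoded traversal survives routing and must be caught by the
    // filename validation itself.
    test('should fails on fetch silly things - reading #2', () => {
      return server.request({uri: '/testpkg-sec/-/%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd'})
        .status(HTTP_STATUS.FORBIDDEN)
        .body_error(/invalid filename/);
    });

    test('should fails on fetch silly things - writing #1', () => {
      return server.putTarball('testpkg-sec', '__proto__', '{}')
        .status(HTTP_STATUS.FORBIDDEN)
        .body_error(/invalid filename/);
    });

    test('should fails on fetch silly things - writing #3', () => {
      return server.putTarball('testpkg-sec', 'node_modules', '{}')
        .status(HTTP_STATUS.FORBIDDEN)
        .body_error(/invalid filename/);
    });

    test('should fails on fetch silly things - writing #4', () => {
      return server.putTarball('testpkg-sec', '../testpkg.tgz', '{}')
        .status(HTTP_STATUS.FORBIDDEN)
        .body_error(/invalid filename/);
    });
  });
}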