0
Fork 0
mirror of https://github.com/verdaccio/verdaccio.git synced 2024-12-23 22:27:34 -05:00
verdaccio/test/functional/sanity/security.ts
Juan Picado @jotadeveloper 66f4197236
feat: convert project to typescript (#1374)
* chore: test

* chore: add

* chore: more progress

* chore: progress in migration, fix prettier parser

* chore: reduce tsc errors

* chore: refactor storage utils types

* chore: refactor utils types

* chore: refactor local storage types

* chore: refactor config utils types

* chore: refactor tsc types

* refactor: apply eslint fix, tabs etc

* chore: fix lint errors

* test: update unit test conf to typescript setup

few test refactored to typescript

* chore: enable more unit test

migrate to typescript

* chore: migrate storage test to tsc

* chore: migrate up storage test to tsc

* refactor: enable plugin and auth test

* chore: migrate plugin loader test

* chore: update dependencies

* chore: migrate functional test to typescript

* chore: add codecove

* chore: update express

* chore: downgrade puppeteer

The latest version does not seems to work properly fine.

* chore: update dependencies
2019-07-16 08:40:01 +02:00

69 lines
2.4 KiB
TypeScript

import _ from 'lodash';
import {HTTP_STATUS} from '../../../src/lib/constants';
export default function(server) {
describe('should test security on endpoints', () => {
beforeAll(function () {
return server.addPackage('testpkg-sec');
});
test('should fails on fetch bad pkg #1', () => {
return server.getPackage('__proto__')
.status(HTTP_STATUS.FORBIDDEN)
.body_error(/invalid package/);
});
test('should fails on fetch bad pkg #2', () => {
return server.getPackage('__proto__')
.status(HTTP_STATUS.FORBIDDEN)
.body_error(/invalid package/);
});
test('should do not fails on __proto__, connect stuff', () => {
return server.request({uri: '/testpkg-sec?__proto__=1'})
.then(function (body) {
// test for NOT outputting stack trace
expect(_.isNil(body) || _.isObject(body) || body.indexOf('node_modules')).toBeTruthy();
// test for NOT crashing
return server.request({uri: '/testpkg-sec'}).status(HTTP_STATUS.OK);
});
});
test('should fails and do not return __proto__ as an attachment', () => {
return server.request({uri: '/testpkg-sec/-/__proto__'})
.status(HTTP_STATUS.FORBIDDEN)
.body_error(/invalid filename/);
});
test('should fails on fetch silly things - reading #1', () => {
return server.request({uri: '/testpkg-sec/-/../../../../../../../../etc/passwd'})
.status(HTTP_STATUS.NOT_FOUND);
});
test('should fails on fetch silly things - reading #2', () => {
return server.request({uri: '/testpkg-sec/-/%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd'})
.status(HTTP_STATUS.FORBIDDEN)
.body_error(/invalid filename/);
});
test('should fails on fetch silly things - writing #1', () => {
return server.putTarball('testpkg-sec', '__proto__', '{}')
.status(HTTP_STATUS.FORBIDDEN)
.body_error(/invalid filename/);
});
test('should fails on fetch silly things - writing #3', () => {
return server.putTarball('testpkg-sec', 'node_modules', '{}')
.status(HTTP_STATUS.FORBIDDEN)
.body_error(/invalid filename/);
});
test('should fails on fetch silly things - writing #4', () => {
return server.putTarball('testpkg-sec', '../testpkg.tgz', '{}')
.status(HTTP_STATUS.FORBIDDEN)
.body_error(/invalid filename/);
});
});
}