verdaccio/test/functional/security.js

'use strict';

const assert = require('assert');

module.exports = function() {
  let server = process.server;

  describe('Security', function() {
    before(function() {
      return server.addPackage('testpkg-sec');
    });

    it('bad pkg #1', function() {
      return server.getPackage('package.json')
               .status(403)
               .body_error(/invalid package/);
    });

    it('bad pkg #2', function() {
      return server.getPackage('__proto__')
               .status(403)
               .body_error(/invalid package/);
    });

    it('__proto__, connect stuff', function() {
      return server.request({uri: '/testpkg-sec?__proto__=1'})
        .then(function(body) {
          // test for NOT outputting stack trace
          assert(!body || typeof(body) === 'object' || body.indexOf('node_modules') === -1);

          // test for NOT crashing
          return server.request({uri: '/testpkg-sec'}).status(200);
        });
    });

    it('do not return package.json as an attachment', function() {
      return server.request({uri: '/testpkg-sec/-/package.json'})
               .status(403)
               .body_error(/invalid filename/);
    });

    it('silly things - reading #1', function() {
      return server.request({uri: '/testpkg-sec/-/../../../../../../../../etc/passwd'})
               .status(404);
    });

    it('silly things - reading #2', function() {
      return server.request({uri: '/testpkg-sec/-/%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd'})
               .status(403)
               .body_error(/invalid filename/);
    });

    it('silly things - writing #1', function() {
      return server.putTarball('testpkg-sec', 'package.json', '{}')
               .status(403)
               .body_error(/invalid filename/);
    });

    it('silly things - writing #3', function() {
      return server.putTarball('testpkg-sec', 'node_modules', '{}')
               .status(403)
               .body_error(/invalid filename/);
    });

    it('silly things - writing #4', function() {
      return server.putTarball('testpkg-sec', '../testpkg.tgz', '{}')
               .status(403)
               .body_error(/invalid filename/);
    });
  });
};
Update unit test es6 2017-04-19 21:15:28 +02:00			`'use strict';`

			`const assert = require('assert');`
reorganize tests, and add new ones 2013-12-19 16:11:54 +01:00
			`module.exports = function() {`
Update unit test es6 2017-04-19 21:15:28 +02:00			`let server = process.server;`
tests for tags support 2013-12-29 07:40:47 +01:00
change code style to jshttp close #155, see reasons there This is a huge commit, so let me know if it will cause any trouble, I might consider reverting it if it's the case. 2014-11-12 12:14:37 +01:00			`describe('Security', function() {`
test: use promisified supertest-like asserts 2015-04-11 19:11:04 +02:00			`before(function() {`
(test): Refactor server class, renamed methods to camelCase 2017-06-28 22:56:02 +02:00			`return server.addPackage('testpkg-sec');`
Update unit test es6 2017-04-19 21:15:28 +02:00			`});`
reorganize tests, and add new ones 2013-12-19 16:11:54 +01:00
Update unit test es6 2017-04-19 21:15:28 +02:00			`it('bad pkg #1', function() {`
(test): Refactor server class, renamed methods to camelCase 2017-06-28 22:56:02 +02:00			`return server.getPackage('package.json')`
test: use promisified supertest-like asserts 2015-04-11 19:11:04 +02:00			`.status(403)`
Update unit test es6 2017-04-19 21:15:28 +02:00			`.body_error(/invalid package/);`
			`});`
reorganize tests, and add new ones 2013-12-19 16:11:54 +01:00
Update unit test es6 2017-04-19 21:15:28 +02:00			`it('bad pkg #2', function() {`
(test): Refactor server class, renamed methods to camelCase 2017-06-28 22:56:02 +02:00			`return server.getPackage('__proto__')`
test: use promisified supertest-like asserts 2015-04-11 19:11:04 +02:00			`.status(403)`
Update unit test es6 2017-04-19 21:15:28 +02:00			`.body_error(/invalid package/);`
			`});`
set up some linting (obvious errors only) 2015-03-28 19:25:53 +01:00
Update unit test es6 2017-04-19 21:15:28 +02:00			`it('__proto__, connect stuff', function() {`
			`return server.request({uri: '/testpkg-sec?__proto__=1'})`
			`.then(function(body) {`
test: use promisified supertest-like asserts 2015-04-11 19:11:04 +02:00			`// test for NOT outputting stack trace`
Update unit test es6 2017-04-19 21:15:28 +02:00			`assert(!body \|\| typeof(body) === 'object' \|\| body.indexOf('node_modules') === -1);`
reorganize tests, and add new ones 2013-12-19 16:11:54 +01:00
test: use promisified supertest-like asserts 2015-04-11 19:11:04 +02:00			`// test for NOT crashing`
Update unit test es6 2017-04-19 21:15:28 +02:00			`return server.request({uri: '/testpkg-sec'}).status(200);`
			`});`
			`});`
reorganize tests, and add new ones 2013-12-19 16:11:54 +01:00
Update unit test es6 2017-04-19 21:15:28 +02:00			`it('do not return package.json as an attachment', function() {`
			`return server.request({uri: '/testpkg-sec/-/package.json'})`
test: use promisified supertest-like asserts 2015-04-11 19:11:04 +02:00			`.status(403)`
Update unit test es6 2017-04-19 21:15:28 +02:00			`.body_error(/invalid filename/);`
			`});`
reorganize tests, and add new ones 2013-12-19 16:11:54 +01:00
Update unit test es6 2017-04-19 21:15:28 +02:00			`it('silly things - reading #1', function() {`
			`return server.request({uri: '/testpkg-sec/-/../../../../../../../../etc/passwd'})`
			`.status(404);`
			`});`
reorganize tests, and add new ones 2013-12-19 16:11:54 +01:00
Update unit test es6 2017-04-19 21:15:28 +02:00			`it('silly things - reading #2', function() {`
			`return server.request({uri: '/testpkg-sec/-/%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd'})`
test: use promisified supertest-like asserts 2015-04-11 19:11:04 +02:00			`.status(403)`
Update unit test es6 2017-04-19 21:15:28 +02:00			`.body_error(/invalid filename/);`
			`});`
reorganize tests, and add new ones 2013-12-19 16:11:54 +01:00
Update unit test es6 2017-04-19 21:15:28 +02:00			`it('silly things - writing #1', function() {`
(test): Refactor server class, renamed methods to camelCase 2017-06-28 22:56:02 +02:00			`return server.putTarball('testpkg-sec', 'package.json', '{}')`
test: use promisified supertest-like asserts 2015-04-11 19:11:04 +02:00			`.status(403)`
Update unit test es6 2017-04-19 21:15:28 +02:00			`.body_error(/invalid filename/);`
			`});`
reorganize tests, and add new ones 2013-12-19 16:11:54 +01:00
Update unit test es6 2017-04-19 21:15:28 +02:00			`it('silly things - writing #3', function() {`
(test): Refactor server class, renamed methods to camelCase 2017-06-28 22:56:02 +02:00			`return server.putTarball('testpkg-sec', 'node_modules', '{}')`
test: use promisified supertest-like asserts 2015-04-11 19:11:04 +02:00			`.status(403)`
Update unit test es6 2017-04-19 21:15:28 +02:00			`.body_error(/invalid filename/);`
			`});`
reorganize tests, and add new ones 2013-12-19 16:11:54 +01:00
Update unit test es6 2017-04-19 21:15:28 +02:00			`it('silly things - writing #4', function() {`
(test): Refactor server class, renamed methods to camelCase 2017-06-28 22:56:02 +02:00			`return server.putTarball('testpkg-sec', '../testpkg.tgz', '{}')`
test: use promisified supertest-like asserts 2015-04-11 19:11:04 +02:00			`.status(403)`
Update unit test es6 2017-04-19 21:15:28 +02:00			`.body_error(/invalid filename/);`
			`});`
			`});`
			`};`
reorganize tests, and add new ones 2013-12-19 16:11:54 +01:00