var assert = require('assert')
, ex = module.exports
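// Security regression suite for the registry's request-validation layer.
// It covers: package names that collide with reserved files or object
// internals, a `__proto__` query key against the HTTP middleware, refusal
// to serve `package.json` through the attachment route, path traversal in
// attachment names (raw and percent-encoded), and tarball upload names
// that escape or collide with the package directory.
module.exports = function() {
  // Test server handle. It is created by the harness outside this file
  // and exposed as process.server; the suite only consumes it.
  var server = process.server

  // Every "invalid filename" rejection has the same shape: HTTP 403 plus an
  // error body naming the reason. Shared so each case only states what
  // makes its input hostile.
  function assertInvalidFilename(res, body) {
    assert.strictEqual(res.statusCode, 403)
    assert(body.error.match(/invalid filename/))
  }

  // Same shape for package-name rejections.
  function assertInvalidPackage(res, body) {
    assert.strictEqual(res.statusCode, 403)
    assert(body.error.indexOf('invalid package') !== -1)
  }

  describe('Security', function() {
    // A real package to exercise the attachment/tarball routes against.
    before(server.add_package.bind(server, 'testpkg-sec'))

    // Package names that collide with reserved files or object internals
    // must be refused before they reach storage.
    it('bad pkg #1', function(cb) {
      server.get_package('package.json', function(res, body) {
        assertInvalidPackage(res, body)
        cb()
      })
    })

    it('bad pkg #2', function(cb) {
      server.get_package('__proto__', function(res, body) {
        assertInvalidPackage(res, body)
        cb()
      })
    })

    it('__proto__, connect stuff', function(cb) {
      server.request({uri:'/testpkg-sec?__proto__=1'}, function(err, res, body) {
        // Surface transport errors as the failure reason instead of a
        // TypeError on an undefined response.
        if (err) return cb(err)

        // The response must not leak a stack trace: either no body, a
        // parsed (JSON) body, or a text body free of internal paths.
        assert(!body || typeof(body) === 'object' || body.indexOf('node_modules') === -1)

        // The server must still be alive and serving the package.
        server.request({uri:'/testpkg-sec'}, function(err, res, body) {
          if (err) return cb(err)
          assert.strictEqual(res.statusCode, 200)
          cb()
        })
      })
    })

    it('do not return package.json as an attachment', function(cb) {
      server.request({uri:'/testpkg-sec/-/package.json'}, function(err, res, body) {
        if (err) return cb(err)
        assertInvalidFilename(res, body)
        cb()
      })
    })

    // Raw dot segments are expected to fall through to a plain 404 rather
    // than a file read outside the package directory.
    it('silly things - reading #1', function(cb) {
      server.request({uri:'/testpkg-sec/-/../../../../../../../../etc/passwd'}, function(err, res, body) {
        if (err) return cb(err)
        assert.strictEqual(res.statusCode, 404)
        cb()
      })
    })

    // Percent-encoded traversal survives URL normalisation and must be
    // caught by the filename check itself.
    it('silly things - reading #2', function(cb) {
      server.request({uri:'/testpkg-sec/-/%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd'}, function(err, res, body) {
        if (err) return cb(err)
        assertInvalidFilename(res, body)
        cb()
      })
    })

    // Upload names that would overwrite the manifest, shadow a dependency
    // directory, or escape the package directory are all rejected.
    it('silly things - writing #1', function(cb) {
      server.put_tarball('testpkg-sec', 'package.json', '{}', function(res, body) {
        assertInvalidFilename(res, body)
        cb()
      })
    })

    it('silly things - writing #3', function(cb) {
      server.put_tarball('testpkg-sec', 'node_modules', '{}', function(res, body) {
        assertInvalidFilename(res, body)
        cb()
      })
    })

    it('silly things - writing #4', function(cb) {
      server.put_tarball('testpkg-sec', '../testpkg.tgz', '{}', function(res, body) {
        assertInvalidFilename(res, body)
        cb()
      })
    })
  })
}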