'use strict'; const assert = require('assert'); module.exports = function() { let server = process.server; describe('Security', function() { before(function() { return server.addPackage('testpkg-sec'); }); it('bad pkg #1', function() { return server.getPackage('package.json') .status(403) .body_error(/invalid package/); }); it('bad pkg #2', function() { return server.getPackage('__proto__') .status(403) .body_error(/invalid package/); }); it('__proto__, connect stuff', function() { return server.request({uri: '/testpkg-sec?__proto__=1'}) .then(function(body) { // test for NOT outputting stack trace assert(!body || typeof(body) === 'object' || body.indexOf('node_modules') === -1); // test for NOT crashing return server.request({uri: '/testpkg-sec'}).status(200); }); }); it('do not return package.json as an attachment', function() { return server.request({uri: '/testpkg-sec/-/package.json'}) .status(403) .body_error(/invalid filename/); }); it('silly things - reading #1', function() { return server.request({uri: '/testpkg-sec/-/../../../../../../../../etc/passwd'}) .status(404); }); it('silly things - reading #2', function() { return server.request({uri: '/testpkg-sec/-/%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd'}) .status(403) .body_error(/invalid filename/); }); it('silly things - writing #1', function() { return server.putTarball('testpkg-sec', 'package.json', '{}') .status(403) .body_error(/invalid filename/); }); it('silly things - writing #3', function() { return server.putTarball('testpkg-sec', 'node_modules', '{}') .status(403) .body_error(/invalid filename/); }); it('silly things - writing #4', function() { return server.putTarball('testpkg-sec', '../testpkg.tgz', '{}') .status(403) .body_error(/invalid filename/); }); }); };