github.com/verdaccio
1
0
Fork 0
mirror of https://github.com/verdaccio/verdaccio.git synced 2024-11-13 03:35:52 +01:00
Code Releases Wiki Activity
d4e3bb0327
verdaccio/test/functional/sanity/security.js
Juan Picado @jotadeveloper 8b93b579d3
refactor: naming clean up, relocation, organize by category
2017-08-06 21:54:15 +02:00

73 lines
2.1 KiB
JavaScript
Raw Blame History

'use strict';
const assert = require('assert');
module.exports = function () {
let server = process.server;
describe('Security', function () {
before(function () {
return server.addPackage('testpkg-sec');
});
it('bad pkg #1', function () {
return server.getPackage('package.json')
.status(403)
.body_error(/invalid package/);
});
it('bad pkg #2', function () {
return server.getPackage('__proto__')
.status(403)
.body_error(/invalid package/);
});
it('__proto__, connect stuff', function () {
return server.request({uri: '/testpkg-sec?__proto__=1'})
.then(function (body) {
// test for NOT outputting stack trace
assert(!body || typeof(body) === 'object' || body.indexOf('node_modules') === -1);
// test for NOT crashing
return server.request({uri: '/testpkg-sec'}).status(200);
});
});
it('do not return package.json as an attachment', function () {
return server.request({uri: '/testpkg-sec/-/package.json'})
.status(403)
.body_error(/invalid filename/);
});
it('silly things - reading #1', function () {
return server.request({uri: '/testpkg-sec/-/../../../../../../../../etc/passwd'})
.status(404);
});
it('silly things - reading #2', function () {
return server.request({uri: '/testpkg-sec/-/%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd'})
.status(403)
.body_error(/invalid filename/);
});
it('silly things - writing #1', function () {
return server.putTarball('testpkg-sec', 'package.json', '{}')
.status(403)
.body_error(/invalid filename/);
});
it('silly things - writing #3', function () {
return server.putTarball('testpkg-sec', 'node_modules', '{}')
.status(403)
.body_error(/invalid filename/);
});
it('silly things - writing #4', function () {
return server.putTarball('testpkg-sec', '../testpkg.tgz', '{}')
.status(403)
.body_error(/invalid filename/);
});
});
};
View Git Blame Copy Permalink