  1. var parse = require('../');
  2. var test = require('tape');
  test('proto pollution', function (t) {
      // A key path rooted at __proto__ must be dropped rather than followed.
      var args = ['--__proto__.x', '123'];
      var parsed = parse(args);
      // A fresh object literal would expose `x` if Object.prototype had been written to.
      t.equal({}.x, undefined);
      // Same probe through the parsed object's own prototype chain.
      t.equal(parsed.__proto__.x, undefined);
      // The rejected path must not be remapped onto the result as a plain `x` either.
      t.equal(parsed.x, undefined);
      t.end();
  });
  test('proto pollution (array)', function (t) {
      // Repeating --x turns it into an array, so the nested path walks into an Array value.
      var args = ['--x', '4', '--x', '5', '--x.__proto__.z', '789'];
      var parsed = parse(args);
      // Object.prototype must not have gained `z`.
      t.equal({}.z, undefined);
      // The legitimate values are kept.
      t.deepEqual(parsed.x, [4, 5]);
      // Neither the array nor its prototype (Array.prototype) carries `z`.
      t.equal(parsed.x.z, undefined);
      t.equal(parsed.x.__proto__.z, undefined);
      t.end();
  });
  test('proto pollution (number)', function (t) {
      // Here the intermediate value is a number, so the path would reach Number.prototype.
      var args = ['--x', '5', '--x.__proto__.z', '100'];
      var parsed = parse(args);
      t.equal({}.z, undefined);
      // A fresh number literal would show `z` if Number.prototype had been written to.
      t.equal((4).z, undefined);
      // The scalar value survives unchanged and carries no `z`.
      t.equal(parsed.x, 5);
      t.equal(parsed.x.z, undefined);
      t.end();
  });
  test('proto pollution (string)', function (t) {
      // Same shape as the number case, with a string as the intermediate value.
      var args = ['--x', 'abc', '--x.__proto__.z', 'def'];
      var parsed = parse(args);
      t.equal({}.z, undefined);
      // A fresh string literal would show `z` if String.prototype had been written to.
      t.equal('...'.z, undefined);
      t.equal(parsed.x, 'abc');
      t.equal(parsed.x.z, undefined);
      t.end();
  });
  test('proto pollution (constructor)', function (t) {
      // `constructor.prototype` is the other route to Object.prototype besides __proto__.
      var args = ['--constructor.prototype.y', '123'];
      var parsed = parse(args);
      t.equal({}.y, undefined);
      // The rejected path must not be remapped onto the result as a plain `y`.
      t.equal(parsed.y, undefined);
      t.end();
  });
  test('proto pollution (constructor function)', function (t) {
      // Walking `_.concat.constructor` reaches a function constructor, so a successful
      // write would land on a function prototype rather than Object.prototype.
      var args = ['--_.concat.constructor.prototype.y', '123'];
      var parsed = parse(args);
      // A freshly declared function is the pollution probe.
      function probe() {}
      t.equal(probe.y, undefined);
      t.equal(parsed.y, undefined);
      t.end();
  });
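  // Regression case reported via snyk - https://github.com/backstage/backstage/issues/10343
  // `_` is presumably the positional-argument array; `_.constructor.constructor`
  // would then be Function, so a successful write would land on Function.prototype.
  test('proto pollution (constructor function) snyk', function (t) {
      var parsed = parse('--_.constructor.constructor.prototype.foo bar'.split(' '));
      // A fresh function literal would show `foo` if Function.prototype had been written to.
      t.equal((function () {}).foo, undefined);
      // The key actually named in the input is `foo` (the original asserted on `y`,
      // which the input never mentions, so that check passed vacuously).
      t.equal(parsed.foo, undefined);
      t.end();
  });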