object.js
const normalize = require('../')
const t = require('tap')
t.test('benign object', async t => {
  // Well-formed bin map: the only change expected is that the leading `./`
  // is dropped from each target. Names and the other manifest fields are
  // expected to come back untouched.
  const input = {
    name: 'hello',
    version: 'world',
    bin: {
      y: './x/y',
      z: './y/z',
      a: './a',
    },
  }
  const expected = {
    name: 'hello',
    version: 'world',
    bin: {
      y: 'x/y',
      z: 'y/z',
      a: 'a',
    },
  }

  const once = normalize(input)
  t.strictSame(once, expected)

  // Feeding already-normalized data back in must produce the same result.
  const twice = normalize(normalize(input))
  t.strictSame(twice, expected, 'double sanitize ok')
})
t.test('empty and non-string targets', async t => {
  // Every entry except './x' is expected to be dropped: the target is either
  // an empty string, a path made only of './' segments (presumably reducing
  // to nothing), or not a string at all (regex, object, boolean, null, array,
  // function). The surviving entry also has its key './x' reduced to 'x'.
  const input = {
    name: 'hello',
    version: 'world',
    bin: {
      z: './././',
      y: '',
      './x': 'x.js',
      re: /asdf/,
      foo: { bar: 'baz' },
      false: false,
      null: null,
      array: [1,2,3],
      func: function () {},
    },
  }
  const expected = {
    name: 'hello',
    version: 'world',
    bin: {
      x: 'x.js',
    },
  }

  const once = normalize(input)
  t.strictSame(once, expected)

  // A second pass over the cleaned manifest must not change it further.
  const twice = normalize(normalize(input))
  t.strictSame(twice, expected, 'double sanitize ok')
})
t.test('slashy object', async t => {
  // Absolute paths on either side of the map. The expectation pins two things:
  //  - a key containing '/' (or ':') collapses to its final segment, so the
  //    resulting name carries no directory component;
  //  - an absolute target loses its leading '/', so it reads as a relative
  //    path ('etc/passwd') rather than an absolute filesystem location.
  const input = {
    name: 'hello',
    version: 'world',
    bin: {
      '/path/foo': '/etc/passwd',
      'bar': '/etc/passwd',
      '/etc/glorb/baz': '/etc/passwd',
      '/etc/passwd:/bin/usr/exec': '/etc/passwd',
    },
  }
  const expected = {
    name: 'hello',
    version: 'world',
    bin: {
      foo: 'etc/passwd',
      bar: 'etc/passwd',
      baz: 'etc/passwd',
      exec: 'etc/passwd',
    },
  }

  const once = normalize(input)
  t.strictSame(once, expected)

  // Normalizing twice must give the same answer as normalizing once.
  const twice = normalize(normalize(input))
  t.strictSame(twice, expected, 'double sanitize ok')
})
t.test('dotty object', async t => {
  // Parent-directory traversal ('..') mixed with backslashes and a
  // drive-letter style 'C:\' prefix. Expected outcome:
  //  - '..' segments are stripped from targets, leaving 'etc/passwd';
  //  - keys are reduced to a single trailing name ('dots', 'C', 'z').
  // Entry order matters here: two keys are expected to end up as 'C', and
  // only the value of the later one appears in the expected output
  // (presumably the later entry overwrites the earlier one).
  const input = {
    name: 'hello',
    version: 'world',
    bin: {
      'nodots': '../../../../etc/passwd',
      '../../../../../../dots': '../../../../etc/passwd',
      '.././../\\./..//C:\\./': 'this is removed',
      '.././../\\./..//C:\\/': 'super safe programming language',
      '.././../\\./..//C:\\x\\y\\z/': 'xyz',
    },
  }
  const expected = {
    name: 'hello',
    version: 'world',
    bin: {
      nodots: 'etc/passwd',
      dots: 'etc/passwd',
      C: 'super safe programming language',
      z: 'xyz',
    },
  }

  const once = normalize(input)
  t.strictSame(once, expected)

  // The cleaned form must be a fixed point of normalize.
  const twice = normalize(normalize(input))
  t.strictSame(twice, expected, 'double sanitize ok')
})
t.test('weird object', async t => {
  // `bin` itself is a RegExp rather than a string or a plain map; the
  // expected result has no `bin` property at all.
  const input = { name: 'hello', version: 'world', bin: /asdf/ }
  const expected = { name: 'hello', version: 'world' }

  const once = normalize(input)
  t.strictSame(once, expected)

  // Running normalize again on its own output must change nothing.
  const twice = normalize(normalize(input))
  t.strictSame(twice, expected, 'double sanitize ok')
})
t.test('oddball keys', async t => {
// Names made of non-ASCII characters (symbols, Greek, Cyrillic, CJK, emoji).
// None of them contains a path separator, and the expectation below is that
// every one of them comes back unchanged, with the same target.
// NOTE(review): these literals are byte-sensitive. Copy them, never retype
// them: a retyped key can look identical and still be a different string.
const pkg = {
bin: {
'~': 'target',
'£': 'target',
'ζ': 'target',
'ぎ': 'target',
'操': 'target',
'🎱': 'target',
'💎': 'target',
'💸': 'target',
'🦉': 'target',
// NOTE(review): the first letter of the next key appears to be a non-Latin
// look-alike of "c" rather than ASCII - confirm against the raw file.
'сheck-dom': 'target',
'Ωpm': 'target',
'ζλ': 'target',
'мга': 'target',
'пше': 'target',
'тзч': 'target',
'тзь': 'target',
'нфкт': 'target',
'ссср': 'target',
// NOTE(review): this key is written twice here and once in `expect`.
// Whether the two literals are byte-identical cannot be told from the
// rendered text - confirm against the raw file.
'君の名は': 'target',
'君の名は': 'target',
}
}
const expect = {
bin: {
'~': 'target',
'£': 'target',
'ζ': 'target',
'ぎ': 'target',
'操': 'target',
'🎱': 'target',
'💎': 'target',
'💸': 'target',
'🦉': 'target',
'сheck-dom': 'target',
'Ωpm': 'target',
'ζλ': 'target',
'мга': 'target',
'пше': 'target',
'тзч': 'target',
'тзь': 'target',
'нфкт': 'target',
'ссср': 'target',
'君の名は': 'target',
},
}
t.strictSame(normalize(pkg), expect)
// Normalizing the already-normalized result must give the same output.
t.strictSame(normalize(normalize(pkg)), expect, 'double sanitize ok')
})