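// Regression tests for prototype pollution through dotted option keys.
// Each case feeds the parser a key whose path walks into a built-in prototype
// (`__proto__`, `constructor.prototype`, ...) and then asserts that a freshly
// created value of that kind did NOT gain the injected property.
//
// NOTE(review): the assertions read shared built-in prototypes, so if a guard
// regresses, the injected property stays on that prototype for the rest of the
// process and may make later cases in this run fail as well.
var parse = require('../');
var test = require('tape');

// Direct `__proto__` segment: must not reach Object.prototype.
test('proto pollution', function (t) {
    var argv = parse(['--__proto__.x', '123']);
    t.equal({}.x, undefined);              // Object.prototype untouched
    t.equal(argv.__proto__.x, undefined);  // the result's own prototype untouched
    t.equal(argv.x, undefined);            // nothing visible on the result either
    t.end();
});

// `x` is first collected as an array; `x.__proto__` would be Array.prototype.
test('proto pollution (array)', function (t) {
    var argv = parse(['--x', '4', '--x', '5', '--x.__proto__.z', '789']);
    t.equal({}.z, undefined);
    t.deepEqual(argv.x, [4, 5]);           // legitimate values are still parsed
    t.equal(argv.x.z, undefined);
    t.equal(argv.x.__proto__.z, undefined);
    t.end();
});

// `x` is a number; `(4).z` resolves through Number.prototype.
test('proto pollution (number)', function (t) {
    var argv = parse(['--x', '5', '--x.__proto__.z', '100']);
    t.equal({}.z, undefined);
    t.equal((4).z, undefined);
    t.equal(argv.x, 5);                    // the earlier value must survive
    t.equal(argv.x.z, undefined);
    t.end();
});

// `x` is a string; `'...'.z` resolves through String.prototype.
test('proto pollution (string)', function (t) {
    var argv = parse(['--x', 'abc', '--x.__proto__.z', 'def']);
    t.equal({}.z, undefined);
    t.equal('...'.z, undefined);
    t.equal(argv.x, 'abc');                // the earlier value must survive
    t.equal(argv.x.z, undefined);
    t.end();
});

// Same goal without `__proto__`: `constructor.prototype` on a plain object
// is Object.prototype.
test('proto pollution (constructor)', function (t) {
    var argv = parse(['--constructor.prototype.y', '123']);
    t.equal({}.y, undefined);
    t.equal(argv.y, undefined);
    t.end();
});

// Path through a method: the constructor of a function is Function, so
// `<fn>.constructor.prototype` is Function.prototype (assuming `argv._` is an
// array, which is what makes `_.concat` a function).
test('proto pollution (constructor function)', function (t) {
    var argv = parse(['--_.concat.constructor.prototype.y', '123']);
    function fnToBeTested() {}
    t.equal(fnToBeTested.y, undefined);    // Function.prototype untouched
    t.equal(argv.y, undefined);
    t.end();
});

// powered by snyk - https://github.com/backstage/backstage/issues/10343
// Two `constructor` hops: `_.constructor.constructor` is the constructor of a
// constructor, i.e. Function, so the path again ends at Function.prototype.
test('proto pollution (constructor function) snyk', function (t) {
    var argv = parse('--_.constructor.constructor.prototype.foo bar'.split(' '));
    t.equal((function () {}).foo, undefined);
    // Assert on `foo`, the key this case injects; checking `y` here would pass
    // regardless of what happened to `foo`.
    t.equal(argv.foo, undefined);
    t.end();
});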