// Tests for normalizing an object-valued `bin` field of a package manifest.
// `bin` maps command names to files, and the manifest is untrusted input.
// The expectations below pin the sanitizing behavior: keys are reduced to
// their last path segment, and targets lose any leading `/`, `./` or `../`.
const normalize = require('../')
const t = require('tap')

// Assert that normalizing `input` yields `wanted`, and that feeding the
// result back through the normalizer changes nothing further.
const checkNormalized = (t, input, wanted) => {
  t.strictSame(normalize(input), wanted)
  t.strictSame(normalize(normalize(input)), wanted, 'double sanitize ok')
}

t.test('benign object', async t => {
  // Ordinary relative targets: only the leading ./ is stripped.
  const input = {
    name: 'hello',
    version: 'world',
    bin: {
      y: './x/y',
      z: './y/z',
      a: './a',
    },
  }
  const wanted = {
    name: 'hello',
    version: 'world',
    bin: {
      y: 'x/y',
      z: 'y/z',
      a: 'a',
    },
  }
  checkNormalized(t, input, wanted)
})

t.test('empty and non-string targets', async t => {
  // Entries whose target is empty, consists only of ./ segments, or is not a
  // string are dropped. The one survivor has its key './x' cleaned to 'x'.
  const input = {
    name: 'hello',
    version: 'world',
    bin: {
      z: './././',
      y: '',
      './x': 'x.js',
      re: /asdf/,
      foo: { bar: 'baz' },
      false: false,
      null: null,
      array: [1, 2, 3],
      func: function () {},
    },
  }
  const wanted = {
    name: 'hello',
    version: 'world',
    bin: {
      x: 'x.js',
    },
  }
  checkNormalized(t, input, wanted)
})

t.test('slashy object', async t => {
  // Absolute paths must not survive on either side of an entry: keys collapse
  // to their final segment and targets lose the leading slash, so they become
  // relative paths.
  const input = {
    name: 'hello',
    version: 'world',
    bin: {
      '/path/foo': '/etc/passwd',
      bar: '/etc/passwd',
      '/etc/glorb/baz': '/etc/passwd',
      '/etc/passwd:/bin/usr/exec': '/etc/passwd',
    },
  }
  const wanted = {
    name: 'hello',
    version: 'world',
    bin: {
      foo: 'etc/passwd',
      bar: 'etc/passwd',
      baz: 'etc/passwd',
      exec: 'etc/passwd',
    },
  }
  checkNormalized(t, input, wanted)
})

t.test('dotty object', async t => {
  // Parent-directory segments are removed from keys and targets, including
  // keys that mix forward slashes, backslashes and a drive-letter prefix.
  // The first mixed key reduces to nothing usable, so its entry is dropped.
  // The other two reduce to 'C' and 'z'.
  const input = {
    name: 'hello',
    version: 'world',
    bin: {
      nodots: '../../../../etc/passwd',
      '../../../../../../dots': '../../../../etc/passwd',
      '.././../\\./..//C:\\./': 'this is removed',
      '.././../\\./..//C:\\/': 'super safe programming language',
      '.././../\\./..//C:\\x\\y\\z/': 'xyz',
    },
  }
  const wanted = {
    name: 'hello',
    version: 'world',
    bin: {
      nodots: 'etc/passwd',
      dots: 'etc/passwd',
      C: 'super safe programming language',
      z: 'xyz',
    },
  }
  checkNormalized(t, input, wanted)
})

t.test('weird object', async t => {
  // A bin value that is neither a string nor a plain map (here a RegExp)
  // results in the bin field being removed from the manifest.
  const input = { name: 'hello', version: 'world', bin: /asdf/ }
  const wanted = { name: 'hello', version: 'world' }
  checkNormalized(t, input, wanted)
})

t.test('oddball keys', async t => {
  // Keys outside ASCII are expected to pass through unchanged. Several appear
  // to be look-alikes of Latin names (e.g. 'сheck-dom'); confirm code points.
  // NOTE(review): four keys below render as empty strings on this page and
  // two render identically. Characters were probably lost in extraction.
  // Confirm the literals against the repository copy before relying on them.
  const input = {
    bin: {
      '~': 'target',
      '£': 'target',
      'ζ': 'target',
      'ぎ': 'target',
      '操': 'target',
      '': 'target',
      '': 'target',
      '': 'target',
      '': 'target',
      'сheck-dom': 'target',
      'Ωpm': 'target',
      'ζλ': 'target',
      'мга': 'target',
      'пше': 'target',
      'тзч': 'target',
      'тзь': 'target',
      'нфкт': 'target',
      'ссср': 'target',
      '君の名は': 'target',
      '君の名は': 'target',
    },
  }

  const wanted = {
    bin: {
      '~': 'target',
      '£': 'target',
      'ζ': 'target',
      'ぎ': 'target',
      '操': 'target',
      '': 'target',
      '': 'target',
      '': 'target',
      '': 'target',
      'сheck-dom': 'target',
      'Ωpm': 'target',
      'ζλ': 'target',
      'мга': 'target',
      'пше': 'target',
      'тзч': 'target',
      'тзь': 'target',
      'нфкт': 'target',
      'ссср': 'target',
      '君の名は': 'target',
    },
  }

  checkNormalized(t, input, wanted)
})