Arminta
/
watermanagement-backend-prod
6
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '27bd372904'
${ noResults }
watermanagement-backend-prod/node_modules/fastify/test/proto-poisoning.test.js

160 lines
3.8 KiB
Raw Blame History

'use strict'
const Fastify = require('..')
const sget = require('simple-get').concat
const t = require('tap')
const test = t.test
test('proto-poisoning error', t => {
t.plan(3)
const fastify = Fastify()
t.teardown(fastify.close.bind(fastify))
fastify.post('/', (request, reply) => {
t.fail('handler should not be called')
})
fastify.listen(0, function (err) {
t.error(err)
sget({
method: 'POST',
url: 'http://localhost:' + fastify.server.address().port,
headers: { 'Content-Type': 'application/json' },
body: '{ "__proto__": { "a": 42 } }'
}, (err, response, body) => {
t.error(err)
t.equal(response.statusCode, 400)
})
})
})
test('proto-poisoning remove', t => {
t.plan(4)
const fastify = Fastify({ onProtoPoisoning: 'remove' })
t.teardown(fastify.close.bind(fastify))
fastify.post('/', (request, reply) => {
t.equal(undefined, Object.assign({}, request.body).a)
reply.send({ ok: true })
})
fastify.listen(0, function (err) {
t.error(err)
sget({
method: 'POST',
url: 'http://localhost:' + fastify.server.address().port,
headers: { 'Content-Type': 'application/json' },
body: '{ "__proto__": { "a": 42 }, "b": 42 }'
}, (err, response, body) => {
t.error(err)
t.equal(response.statusCode, 200)
})
})
})
test('proto-poisoning ignore', t => {
t.plan(4)
const fastify = Fastify({ onProtoPoisoning: 'ignore' })
t.teardown(fastify.close.bind(fastify))
fastify.post('/', (request, reply) => {
t.equal(42, Object.assign({}, request.body).a)
reply.send({ ok: true })
})
fastify.listen(0, function (err) {
t.error(err)
sget({
method: 'POST',
url: 'http://localhost:' + fastify.server.address().port,
headers: { 'Content-Type': 'application/json' },
body: '{ "__proto__": { "a": 42 }, "b": 42 }'
}, (err, response, body) => {
t.error(err)
t.equal(response.statusCode, 200)
})
})
})
test('constructor-poisoning error (default in v3)', t => {
t.plan(3)
const fastify = Fastify()
t.teardown(fastify.close.bind(fastify))
fastify.post('/', (request, reply) => {
reply.send('ok')
})
fastify.listen(0, function (err) {
t.error(err)
sget({
method: 'POST',
url: 'http://localhost:' + fastify.server.address().port,
headers: { 'Content-Type': 'application/json' },
body: '{ "constructor": { "prototype": { "foo": "bar" } } }'
}, (err, response, body) => {
t.error(err)
t.equal(response.statusCode, 400)
})
})
})
test('constructor-poisoning error', t => {
t.plan(3)
const fastify = Fastify({ onConstructorPoisoning: 'error' })
t.teardown(fastify.close.bind(fastify))
fastify.post('/', (request, reply) => {
t.fail('handler should not be called')
})
fastify.listen(0, function (err) {
t.error(err)
sget({
method: 'POST',
url: 'http://localhost:' + fastify.server.address().port,
headers: { 'Content-Type': 'application/json' },
body: '{ "constructor": { "prototype": { "foo": "bar" } } }'
}, (err, response, body) => {
t.error(err)
t.equal(response.statusCode, 400)
})
})
})
test('constructor-poisoning remove', t => {
t.plan(4)
const fastify = Fastify({ onConstructorPoisoning: 'remove' })
t.teardown(fastify.close.bind(fastify))
fastify.post('/', (request, reply) => {
t.equal(undefined, Object.assign({}, request.body).foo)
reply.send({ ok: true })
})
fastify.listen(0, function (err) {
t.error(err)
sget({
method: 'POST',
url: 'http://localhost:' + fastify.server.address().port,
headers: { 'Content-Type': 'application/json' },
body: '{ "constructor": { "prototype": { "foo": "bar" } } }'
}, (err, response, body) => {
t.error(err)
t.equal(response.statusCode, 200)
})
})
})
Reference in new issue View Git Blame Copy Permalink