diff options
| author | Minteck <contact@minteck.org> | 2022-06-04 08:51:01 +0200 |
|---|---|---|
| committer | Minteck <contact@minteck.org> | 2022-06-04 08:51:01 +0200 |
| commit | 383285ecd5292bf9a825e05904955b937de84cc9 (patch) | |
| tree | 0a53b6f02c1604b078044567c03dc1b6c944c8c2 /node_modules/minimist/test/proto.js | |
| download | equestriadb-383285ecd5292bf9a825e05904955b937de84cc9.tar.gz equestriadb-383285ecd5292bf9a825e05904955b937de84cc9.tar.bz2 equestriadb-383285ecd5292bf9a825e05904955b937de84cc9.zip | |
Initial commit
Diffstat (limited to 'node_modules/minimist/test/proto.js')
| -rw-r--r-- | node_modules/minimist/test/proto.js | 60 |
1 files changed, 60 insertions, 0 deletions
diff --git a/node_modules/minimist/test/proto.js b/node_modules/minimist/test/proto.js new file mode 100644 index 0000000..4ac62df --- /dev/null +++ b/node_modules/minimist/test/proto.js @@ -0,0 +1,60 @@ +var parse = require('../'); +var test = require('tape'); + +test('proto pollution', function (t) { + var argv = parse(['--__proto__.x','123']); + t.equal({}.x, undefined); + t.equal(argv.__proto__.x, undefined); + t.equal(argv.x, undefined); + t.end(); +}); + +test('proto pollution (array)', function (t) { + var argv = parse(['--x','4','--x','5','--x.__proto__.z','789']); + t.equal({}.z, undefined); + t.deepEqual(argv.x, [4,5]); + t.equal(argv.x.z, undefined); + t.equal(argv.x.__proto__.z, undefined); + t.end(); +}); + +test('proto pollution (number)', function (t) { + var argv = parse(['--x','5','--x.__proto__.z','100']); + t.equal({}.z, undefined); + t.equal((4).z, undefined); + t.equal(argv.x, 5); + t.equal(argv.x.z, undefined); + t.end(); +}); + +test('proto pollution (string)', function (t) { + var argv = parse(['--x','abc','--x.__proto__.z','def']); + t.equal({}.z, undefined); + t.equal('...'.z, undefined); + t.equal(argv.x, 'abc'); + t.equal(argv.x.z, undefined); + t.end(); +}); + +test('proto pollution (constructor)', function (t) { + var argv = parse(['--constructor.prototype.y','123']); + t.equal({}.y, undefined); + t.equal(argv.y, undefined); + t.end(); +}); + +test('proto pollution (constructor function)', function (t) { + var argv = parse(['--_.concat.constructor.prototype.y', '123']); + function fnToBeTested() {} + t.equal(fnToBeTested.y, undefined); + t.equal(argv.y, undefined); + t.end(); +}); + +// powered by snyk - https://github.com/backstage/backstage/issues/10343 +test('proto pollution (constructor function) snyk', function (t) { + var argv = parse('--_.constructor.constructor.prototype.foo bar'.split(' ')); + t.equal((function(){}).foo, undefined); + t.equal(argv.y, undefined); + t.end(); +}) |