chore(fast-path-parse): add new security test

dalisoft · Aug 27, 2024 · d44606f · d44606f
1 parent be944d4
commit d44606f
Showing 1 changed file with 32 additions and 0 deletions.
diff --git a/packages/fast-path-parse/parse.test.js b/packages/fast-path-parse/parse.test.js
@@ -64,3 +64,35 @@ test('fast-path-parse unsafe', async (t) => {
     );
   });
 });
+
+test('fast-path-parse unsafe security', async (t) => {
+  await t.test('process.exit security check', () => {
+    assert.deepStrictEqual(
+      compilePathname('/foo/process.exit(1)')('/foo/(process.exit(1))'),
+      {}
+    );
+    assert.deepStrictEqual(compilePathname('/foo/process.exit(1)')('/foo'), {});
+    assert.deepStrictEqual(
+      compilePathname('/foo/:bar')('/foo/(process.exit(1))'),
+      { bar: '(process.exit(1))' }
+    );
+    assert.deepStrictEqual(
+      compilePathname('/foo/:bar')('/(process.exit(1))'),
+      {}
+    );
+    assert.deepStrictEqual(compilePathname('/:bar')('/(process.exit(1))'), {
+      bar: '(process.exit(1))'
+    });
+  });
+  await t.test('throw security check', () => {
+    assert.deepStrictEqual(compilePathname('/foo/throw 1')('/foo throw 1'), {});
+    assert.deepStrictEqual(compilePathname('/foo/throw 1')('/foo'), {});
+    assert.deepStrictEqual(compilePathname('/foo/:bar')('/foo/throw 1'), {
+      bar: 'throw 1'
+    });
+    assert.deepStrictEqual(compilePathname('/foo/:bar')('/throw 1'), {});
+    assert.deepStrictEqual(compilePathname('/:bar')('/throw 1'), {
+      bar: 'throw 1'
+    });
+  });
+});