import { Tournament } from '@n8n/tournament';
import { PrototypeSanitizer, sanitizer } from '@/ExpressionSandboxing';
const tournament = new Tournament(
(e) => {
throw e;
},
undefined,
undefined,
{
before: [],
after: [PrototypeSanitizer],
},
);
const errorRegex = /^Cannot access ".*" due to security concerns$/;
describe('PrototypeSanitizer', () => {
describe('Static analysis', () => {
it('should not allow access to __proto__', () => {
expect(() => {
tournament.execute('{{ ({}).__proto__.__proto__ }}', {});
}).toThrowError(errorRegex);
expect(() => {
tournament.execute('{{ ({})["__proto__"]["__proto__"] }}', {});
}).toThrowError(errorRegex);
});
it('should not allow access to prototype', () => {
expect(() => {
tournament.execute('{{ Number.prototype }}', { Number });
}).toThrowError(errorRegex);
expect(() => {
tournament.execute('{{ Number["prototype"] }}', { Number });
}).toThrowError(errorRegex);
});
it('should not allow access to constructor', () => {
expect(() => {
tournament.execute('{{ Number.constructor }}', {
__sanitize: sanitizer,
Number,
});
}).toThrowError(errorRegex);
expect(() => {
tournament.execute('{{ Number["constructor"] }}', {
__sanitize: sanitizer,
Number,
});
}).toThrowError(errorRegex);
});
});
describe('Runtime', () => {
it('should not allow access to __proto__', () => {
expect(() => {
tournament.execute('{{ ({})["__" + (() => "proto")() + "__"] }}', {
__sanitize: sanitizer,
});
}).toThrowError(errorRegex);
});
it('should not allow access to prototype', () => {
expect(() => {
tournament.execute('{{ Number["pro" + (() => "toty")() + "pe"] }}', {
__sanitize: sanitizer,
Number,
});
}).toThrowError(errorRegex);
});
it('should not allow access to constructor', () => {
expect(() => {
tournament.execute('{{ Number["cons" + (() => "truc")() + "tor"] }}', {
__sanitize: sanitizer,
Number,
});
}).toThrowError(errorRegex);
});
});
});