mirror of
https://github.com/n8n-io/n8n.git
synced 2025-01-25 11:31:38 -08:00
86 lines
2 KiB
TypeScript
86 lines
2 KiB
TypeScript
import { Tournament } from '@n8n/tournament';
|
|
|
|
import { PrototypeSanitizer, sanitizer } from '@/ExpressionSandboxing';
|
|
|
|
const tournament = new Tournament(
|
|
(e) => {
|
|
throw e;
|
|
},
|
|
undefined,
|
|
undefined,
|
|
{
|
|
before: [],
|
|
after: [PrototypeSanitizer],
|
|
},
|
|
);
|
|
|
|
const errorRegex = /^Cannot access ".*" due to security concerns$/;
|
|
|
|
describe('PrototypeSanitizer', () => {
|
|
describe('Static analysis', () => {
|
|
it('should not allow access to __proto__', () => {
|
|
expect(() => {
|
|
tournament.execute('{{ ({}).__proto__.__proto__ }}', {});
|
|
}).toThrowError(errorRegex);
|
|
|
|
expect(() => {
|
|
tournament.execute('{{ ({})["__proto__"]["__proto__"] }}', {});
|
|
}).toThrowError(errorRegex);
|
|
});
|
|
|
|
it('should not allow access to prototype', () => {
|
|
expect(() => {
|
|
tournament.execute('{{ Number.prototype }}', { Number });
|
|
}).toThrowError(errorRegex);
|
|
|
|
expect(() => {
|
|
tournament.execute('{{ Number["prototype"] }}', { Number });
|
|
}).toThrowError(errorRegex);
|
|
});
|
|
|
|
it('should not allow access to constructor', () => {
|
|
expect(() => {
|
|
tournament.execute('{{ Number.constructor }}', {
|
|
__sanitize: sanitizer,
|
|
Number,
|
|
});
|
|
}).toThrowError(errorRegex);
|
|
|
|
expect(() => {
|
|
tournament.execute('{{ Number["constructor"] }}', {
|
|
__sanitize: sanitizer,
|
|
Number,
|
|
});
|
|
}).toThrowError(errorRegex);
|
|
});
|
|
});
|
|
|
|
describe('Runtime', () => {
|
|
it('should not allow access to __proto__', () => {
|
|
expect(() => {
|
|
tournament.execute('{{ ({})["__" + (() => "proto")() + "__"] }}', {
|
|
__sanitize: sanitizer,
|
|
});
|
|
}).toThrowError(errorRegex);
|
|
});
|
|
|
|
it('should not allow access to prototype', () => {
|
|
expect(() => {
|
|
tournament.execute('{{ Number["pro" + (() => "toty")() + "pe"] }}', {
|
|
__sanitize: sanitizer,
|
|
Number,
|
|
});
|
|
}).toThrowError(errorRegex);
|
|
});
|
|
|
|
it('should not allow access to constructor', () => {
|
|
expect(() => {
|
|
tournament.execute('{{ Number["cons" + (() => "truc")() + "tor"] }}', {
|
|
__sanitize: sanitizer,
|
|
Number,
|
|
});
|
|
}).toThrowError(errorRegex);
|
|
});
|
|
});
|
|
});
|