'use strict'
const Fastify = require('..')
const sget = require('simple-get').concat
const t = require('tap')
const test = t.test
// Default configuration (no options passed to Fastify): a JSON body carrying
// a "__proto__" key must be answered with 400 and must never reach the route
// handler.
test('proto-poisoning error', (t) => {
  t.plan(3)

  const app = Fastify()
  t.teardown(app.close.bind(app))

  // Reaching this handler would mean the poisoned payload was accepted.
  app.post('/', (request, reply) => {
    t.fail('handler should not be called')
  })

  app.listen(0, (listenErr) => {
    t.error(listenErr)

    const requestOptions = {
      method: 'POST',
      url: 'http://localhost:' + app.server.address().port,
      headers: { 'Content-Type': 'application/json' },
      body: '{ "__proto__": { "a": 42 } }'
    }

    sget(requestOptions, (requestErr, response, body) => {
      t.error(requestErr)
      t.equal(response.statusCode, 400)
    })
  })
})
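// onProtoPoisoning: 'remove' — the request is accepted (200), but the
// "__proto__" key must be gone from the parsed body while unrelated keys are
// left intact.
test('proto-poisoning remove', t => {
  t.plan(5)

  const fastify = Fastify({ onProtoPoisoning: 'remove' })
  t.teardown(fastify.close.bind(fastify))

  fastify.post('/', (request, reply) => {
    // Object.assign copies own properties with ordinary assignment, so a
    // surviving "__proto__" key would swap the copy's prototype and make `.a`
    // resolve to 42. `undefined` shows the key was stripped.
    t.equal(undefined, Object.assign({}, request.body).a)
    // Stripping the dangerous key must not discard the benign sibling key.
    t.equal(request.body.b, 42)
    reply.send({ ok: true })
  })

  fastify.listen(0, function (err) {
    t.error(err)

    sget({
      method: 'POST',
      url: 'http://localhost:' + fastify.server.address().port,
      headers: { 'Content-Type': 'application/json' },
      body: '{ "__proto__": { "a": 42 }, "b": 42 }'
    }, (err, response, body) => {
      t.error(err)
      t.equal(response.statusCode, 200)
    })
  })
})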
// onProtoPoisoning: 'ignore' — the body is handed to the handler as parsed.
// This test documents the hazard the 'error' and 'remove' modes guard against.
test('proto-poisoning ignore', (t) => {
  t.plan(4)

  const app = Fastify({ onProtoPoisoning: 'ignore' })
  t.teardown(app.close.bind(app))

  app.post('/', (request, reply) => {
    // JSON.parse creates "__proto__" as a plain own property. Object.assign
    // copies it with ordinary assignment, which replaces the prototype of the
    // copy, so `.a` is found through the prototype chain.
    const copy = Object.assign({}, request.body)
    t.equal(42, copy.a)
    reply.send({ ok: true })
  })

  app.listen(0, (listenErr) => {
    t.error(listenErr)

    const requestOptions = {
      method: 'POST',
      url: 'http://localhost:' + app.server.address().port,
      headers: { 'Content-Type': 'application/json' },
      body: '{ "__proto__": { "a": 42 }, "b": 42 }'
    }

    sget(requestOptions, (requestErr, response, body) => {
      t.error(requestErr)
      t.equal(response.statusCode, 200)
    })
  })
})
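// Default configuration: a body with a "constructor.prototype" path must be
// answered with 400, matching the explicit onConstructorPoisoning: 'error'
// test that follows.
test('constructor-poisoning error (default in v3)', t => {
  t.plan(3)

  const fastify = Fastify()
  t.teardown(fastify.close.bind(fastify))

  // Fail loudly if the poisoned payload ever reaches the route, as the other
  // rejection tests in this file do, instead of answering 'ok'.
  fastify.post('/', (request, reply) => {
    t.fail('handler should not be called')
  })

  fastify.listen(0, function (err) {
    t.error(err)

    sget({
      method: 'POST',
      url: 'http://localhost:' + fastify.server.address().port,
      headers: { 'Content-Type': 'application/json' },
      body: '{ "constructor": { "prototype": { "foo": "bar" } } }'
    }, (err, response, body) => {
      t.error(err)
      t.equal(response.statusCode, 400)
    })
  })
})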
// Explicit onConstructorPoisoning: 'error' — a body with a
// "constructor.prototype" path must be answered with 400 and must never reach
// the route handler.
test('constructor-poisoning error', (t) => {
  t.plan(3)

  const app = Fastify({ onConstructorPoisoning: 'error' })
  t.teardown(app.close.bind(app))

  // Reaching this handler would mean the poisoned payload was accepted.
  app.post('/', (request, reply) => {
    t.fail('handler should not be called')
  })

  app.listen(0, (listenErr) => {
    t.error(listenErr)

    const requestOptions = {
      method: 'POST',
      url: 'http://localhost:' + app.server.address().port,
      headers: { 'Content-Type': 'application/json' },
      body: '{ "constructor": { "prototype": { "foo": "bar" } } }'
    }

    sget(requestOptions, (requestErr, response, body) => {
      t.error(requestErr)
      t.equal(response.statusCode, 400)
    })
  })
})
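// onConstructorPoisoning: 'remove' — the request is accepted (200), but the
// "constructor" key must be gone from the parsed body.
test('constructor-poisoning remove', t => {
  t.plan(5)

  const fastify = Fastify({ onConstructorPoisoning: 'remove' })
  t.teardown(fastify.close.bind(fastify))

  fastify.post('/', (request, reply) => {
    t.equal(undefined, Object.assign({}, request.body).foo)
    // The check above cannot detect a missed removal on its own: "constructor"
    // would be copied as a plain own property and `foo` would still be
    // undefined. Assert directly that the key was stripped from the body.
    t.equal(Object.prototype.hasOwnProperty.call(request.body, 'constructor'), false)
    reply.send({ ok: true })
  })

  fastify.listen(0, function (err) {
    t.error(err)

    sget({
      method: 'POST',
      url: 'http://localhost:' + fastify.server.address().port,
      headers: { 'Content-Type': 'application/json' },
      body: '{ "constructor": { "prototype": { "foo": "bar" } } }'
    }, (err, response, body) => {
      t.error(err)
      t.equal(response.statusCode, 200)
    })
  })
})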