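var assert = require('assert');
var parse = require('../lib/not_json').parse;

/*
 * Security regression fixtures for the not_json parser.
 *
 * Each entry is a string handed to parse(): isOK:false means the parser is
 * expected to throw on it, isOK:true means it must accept it. The rejected
 * cases cover executable content embedded in what should be data (eval
 * calls, a javascript: URL, function declarations, an immediately-invoked
 * function); the accepted cases are look-alikes (_eval, eval_, eval$,
 * function_nam123, a dotted function name, a quoted 'func()') that a naive
 * pattern match would wrongly reject.
 *
 * NOTE(review): these are regression cases for specific patterns, not
 * evidence that every unsafe input is rejected. The accepted fixture
 * `function: new Date() + "..."` suggests the parser evaluates expressions
 * rather than only parsing data, so whether it is safe on untrusted input
 * depends on the parser's own threat model — confirm against lib/not_json.
 *
 * Assertions use Node's built-in assert module (assert.throws /
 * assert.doesNotThrow) instead of an undeclared global `assert`, so the
 * suite does not depend on a harness-provided global and failures report
 * the actual exception rather than a bare boolean mismatch.
 */
describe('Checks not_json parser for security', function() {
  var checks = [
    { str: "{ evil1: \"eval (harry)\" }", isOK: false },
    { str: "{ evil2: \"eval(harry)\" }", isOK: false },
    { str: "{ not_evil2: \"_eval('asd','not')\" }", isOK: true },
    { str: "{ not_evil3: \"eval_(monkey)\" }", isOK: true },
    { str: "{ not_evil4: \"eval$(asd)\" }", isOK: true },
    { str: "{ js_evil1: \"javascript:alert('I got here!')\" }", isOK: false },
    { str: "{ fn_not_evil1:'func()' }", isOK: true },
    { str: "{ function: new Date() + \" I am not evil\" }", isOK: true },
    { str: "{ fn_evil1: (function() { alert('I am evil'); })() }", isOK: false },
    { str: "{ fn_evil2: \"function named123 () {}\" }", isOK: false },
    { str: "{ fn_evil3: \"function _nam123() { alert('oi'); }\" }", isOK: false },
    { str: "{ fn_not_evil3: \"function _nam123.dotted () {}\" }", isOK: true },
    { str: "{ fn_not_evil4: \"function_nam123 () {}\" }", isOK: true }
  ];

  checks.forEach(function(obj, idx) {
    // Title is kept identical to the original suite so existing reporters
    // and any test filters keep matching.
    var title = "Check #" + (idx + 1) + ": '" + obj.str + "' is ok: " + obj.isOK;

    it(title, function() {
      // Only the throw/no-throw outcome is checked; the value returned for
      // accepted inputs is not inspected (as in the original suite).
      var run = function() {
        parse(obj.str);
      };

      if (obj.isOK) {
        // Accepted input must not throw; doesNotThrow surfaces the real
        // exception when the parser wrongly rejects it.
        assert.doesNotThrow(run);
      } else {
        // Rejected input must throw. assert.throws with no validator accepts
        // any thrown value, matching the original catch-all, and fails with
        // "Missing expected exception" when the parser lets the input through.
        assert.throws(run);
      }
    });
  });
});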