const assert = require('assert');
const Execute = require('../lib/execute');
const Compile = require('../lib/compile');
const { defaultTransforms } = require('../lib/compile/transforms')
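/**
 * Sandbox regression tests for the expression runtime.
 *
 * The first three cases run an expression through Execute and check which
 * host globals it can name: `console` must resolve, `process` and `require`
 * must not. The last case checks that Compile rejects job code that
 * contains a class declaration.
 *
 * NOTE(review): the negative cases only show that `process` and `require`
 * are not resolvable as bare identifiers inside the expression. They do not,
 * on their own, show that no other path to host objects exists; treat them
 * as regression guards rather than as proof of isolation.
 */
describe('security', () => {
  it('should allow access to the console object', () => {
    const result = Execute({
      expression: 'fn(() => { console.log(">> jam"); return 1 });',
      state: {},
      sandbox: {
        // Invokes the callback immediately, so its return value is the result.
        fn: (callback) => callback(),
      },
    });

    // strictEqual: the legacy loose assert.equal would also accept '1' or true.
    assert.strictEqual(result, 1);
  });

  it('should not allow access to the process object', () => {
    // No sandbox is supplied; the expression must fail on the bare identifier.
    assert.throws(
      () => Execute({ expression: 'process.env', state: {} }),
      /process is not defined/
    );
  });

  it('should not allow access to require', () => {
    assert.throws(
      () => Execute({ expression: 'require("node:fs")', state: {} }),
      /require is not defined/
    );
  });

  it('should not compile a job with a class', () => {
    // Joined line by line so the job source does not pick up this file's indentation.
    const code = ['fn(() => {', 'class Naughty {}', '})'].join('\n');

    assert.throws(() => {
      // Passes a copy of the default transform list to the compiler.
      new Compile(code, [...defaultTransforms]);
    }, /Illegal class statement/);
  });
});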