mehmed/QR-Invoice
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

First commit

Browse Source
This commit is contained in:
Flexomatic81
2026-01-12 13:12:46 +01:00
parent b2d9501f6d
commit a1fbd8acf5
4413 changed files with 1245183 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

159
node_modules/fastify/test/proto-poisoning.test.js generated vendored Normal file
View File

@@ -0,0 +1,159 @@
'use strict'
const Fastify = require('..')
const sget = require('simple-get').concat
const t = require('tap')
const test = t.test
test('proto-poisoning error', t => {
t.plan(3)
const fastify = Fastify()
t.teardown(fastify.close.bind(fastify))
fastify.post('/', (request, reply) => {
t.fail('handler should not be called')
})
fastify.listen({ port: 0 }, function (err) {
t.error(err)
sget({
method: 'POST',
url: 'http://localhost:' + fastify.server.address().port,
headers: { 'Content-Type': 'application/json' },
body: '{ "__proto__": { "a": 42 } }'
}, (err, response, body) => {
t.error(err)
t.equal(response.statusCode, 400)
})
})
})
test('proto-poisoning remove', t => {
t.plan(4)
const fastify = Fastify({ onProtoPoisoning: 'remove' })
t.teardown(fastify.close.bind(fastify))
fastify.post('/', (request, reply) => {
t.equal(undefined, Object.assign({}, request.body).a)
reply.send({ ok: true })
})
fastify.listen({ port: 0 }, function (err) {
t.error(err)
sget({
method: 'POST',
url: 'http://localhost:' + fastify.server.address().port,
headers: { 'Content-Type': 'application/json' },
body: '{ "__proto__": { "a": 42 }, "b": 42 }'
}, (err, response, body) => {
t.error(err)
t.equal(response.statusCode, 200)
})
})
})
test('proto-poisoning ignore', t => {
t.plan(4)
const fastify = Fastify({ onProtoPoisoning: 'ignore' })
t.teardown(fastify.close.bind(fastify))
fastify.post('/', (request, reply) => {
t.equal(42, Object.assign({}, request.body).a)
reply.send({ ok: true })
})
fastify.listen({ port: 0 }, function (err) {
t.error(err)
sget({
method: 'POST',
url: 'http://localhost:' + fastify.server.address().port,
headers: { 'Content-Type': 'application/json' },
body: '{ "__proto__": { "a": 42 }, "b": 42 }'
}, (err, response, body) => {
t.error(err)
t.equal(response.statusCode, 200)
})
})
})
test('constructor-poisoning error (default in v3)', t => {
t.plan(3)
const fastify = Fastify()
t.teardown(fastify.close.bind(fastify))
fastify.post('/', (request, reply) => {
reply.send('ok')
})
fastify.listen({ port: 0 }, function (err) {
t.error(err)
sget({
method: 'POST',
url: 'http://localhost:' + fastify.server.address().port,
headers: { 'Content-Type': 'application/json' },
body: '{ "constructor": { "prototype": { "foo": "bar" } } }'
}, (err, response, body) => {
t.error(err)
t.equal(response.statusCode, 400)
})
})
})
test('constructor-poisoning error', t => {
t.plan(3)
const fastify = Fastify({ onConstructorPoisoning: 'error' })
t.teardown(fastify.close.bind(fastify))
fastify.post('/', (request, reply) => {
t.fail('handler should not be called')
})
fastify.listen({ port: 0 }, function (err) {
t.error(err)
sget({
method: 'POST',
url: 'http://localhost:' + fastify.server.address().port,
headers: { 'Content-Type': 'application/json' },
body: '{ "constructor": { "prototype": { "foo": "bar" } } }'
}, (err, response, body) => {
t.error(err)
t.equal(response.statusCode, 400)
})
})
})
test('constructor-poisoning remove', t => {
t.plan(4)
const fastify = Fastify({ onConstructorPoisoning: 'remove' })
t.teardown(fastify.close.bind(fastify))
fastify.post('/', (request, reply) => {
t.equal(undefined, Object.assign({}, request.body).foo)
reply.send({ ok: true })
})
fastify.listen({ port: 0 }, function (err) {
t.error(err)
sget({
method: 'POST',
url: 'http://localhost:' + fastify.server.address().port,
headers: { 'Content-Type': 'application/json' },
body: '{ "constructor": { "prototype": { "foo": "bar" } } }'
}, (err, response, body) => {
t.error(err)
t.equal(response.statusCode, 200)
})
})
})