diff --git a/test/integration/production/test/index.test.js b/test/integration/production/test/index.test.js
index d6fd6eb2..b5f3f71a 100644
--- a/test/integration/production/test/index.test.js
+++ b/test/integration/production/test/index.test.js
@@ -7,13 +7,12 @@ import {
 nextBuild, startApp, stopApp, - renderViaHTTP, - waitFor + renderViaHTTP } from 'next-test-utils' import webdriver from 'next-webdriver' import fetch from 'node-fetch' import dynamicImportTests from '../../basic/test/dynamic' -import { readFileSync } from 'fs' +import security from './security' const appDir = join(__dirname, '../') let appPort
@@ -74,23 +73,6 @@ describe('Production Usage', () => {
 }) }) - describe('With XSS Attacks', () => { - it('should prevent URI based attaks', async () => { - const browser = await webdriver(appPort, '/\',document.body.innerHTML="HACKED",\'') - // Wait 5 secs to make sure we load all the client side JS code - await waitFor(5000) - - const bodyText = await browser - .elementByCss('body').text() - - if (/HACKED/.test(bodyText)) { - throw new Error('Vulnerable to XSS attacks') - } - - browser.close() - }) - }) - describe('Misc', () => { it('should handle already finished responses', async () => { const res = {
@@ -111,21 +93,6 @@ describe('Production Usage', () => {
 const data = await renderViaHTTP(appPort, '/static/data/item.txt') expect(data).toBe('item') }) - - it('should only access files inside .next directory', async () => { - const buildId = readFileSync(join(__dirname, '../.next/BUILD_ID'), 'utf8') - - const pathsToCheck = [ - `/_next/${buildId}/page/../../../info`, - `/_next/${buildId}/page/../../../info.js`, - `/_next/${buildId}/page/../../../info.json` - ] - - for (const path of pathsToCheck) { - const data = await renderViaHTTP(appPort, path) - expect(data.includes('cool-version')).toBeFalsy() - } - }) }) describe('X-Powered-By header', () => { 
@@ -162,4 +129,6 @@ describe('Production Usage', () => {
 })
 dynamicImportTests(context, (p, q) => renderViaHTTP(context.appPort, p, q))
+
+ security(context)
 })
diff --git a/test/integration/production/test/security.js b/test/integration/production/test/security.js
new file mode 100644
index 00000000..1f83c145
--- /dev/null
+++ b/test/integration/production/test/security.js
@@ -0,0 +1,45 @@
+/* global describe, it, expect
+ */
+
+import { readFileSync } from 'fs'
+import { join } from 'path'
+import { renderViaHTTP, waitFor } from 'next-test-utils'
+import webdriver from 'next-webdriver'
+
+module.exports = (context) => {
+ describe('With Security Related Issues', () => {
+ it('should only access files inside .next directory', async () => {
+ const buildId = readFileSync(join(__dirname, '../.next/BUILD_ID'), 'utf8')
+
+ const pathsToCheck = [
+ `/_next/${buildId}/page/../../../info`,
+ `/_next/${buildId}/page/../../../info.js`,
+ `/_next/${buildId}/page/../../../info.json`,
+ `/_next/:buildId/webpack/chunks/../../../info.json`,
+ `/_next/:buildId/webpack/../../../info.json`,
+ `/_next/../../../info.json`,
+ `/static/../../../info.json`
+ ]
+
+ for (const path of pathsToCheck) {
+ const data = await renderViaHTTP(context.appPort, path)
+ expect(data.includes('cool-version')).toBeFalsy()
+ }
+ })
+
+ it('should prevent URI based XSS attacks', async () => {
+ const browser = await webdriver(context.appPort, '/\',document.body.innerHTML="HACKED",\'')
+ // Wait 5 secs to make sure we load all the client side JS code
+ await waitFor(5000)
+
+ const bodyText = await browser
+ .elementByCss('body').text()
+
+ if (/HACKED/.test(bodyText)) {
+ throw new Error('Vulnerable to XSS attacks')
+ }
+
+ browser.close()
+ })
+ })
+}
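Review bot: The traversal check in `should only access files inside .next directory` is a negative-only assertion — `expect(data.includes('cool-version')).toBeFalsy()` passes whenever the body lacks that string, including when the fixture it depends on is missing or renamed or the server returns any error page, so it cannot tell a blocked traversal from a vacuous one. Add a positive control with the already-imported `readFileSync` that the fixture outside `.next` exists and contains `cool-version` before the loop, and consider asserting the response status rather than grepping the body. The list also only covers literal `..` segments; since decoding typically happens after routing, percent-encoded variants such as `` `/_next/${buildId}/page/%2e%2e/%2e%2e/%2e%2e/info.json` `` and `` `/static/..%2f..%2f..%2finfo.json` `` are worth adding to `pathsToCheck`. In the XSS test, `browser.close()` is skipped when the `HACKED` check throws; wrap the body in `try { … } finally { browser.close() }` so a failing run does not leak the webdriver session.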