Move security related test cases into a its own file.

test/integration/production/test/index.test.js

@@ -7,13 +7,12 @@ import {
   nextBuild,
   startApp,
   stopApp,
-  renderViaHTTP,
+  renderViaHTTP
-  waitFor
 } from 'next-test-utils'
 import webdriver from 'next-webdriver'
 import fetch from 'node-fetch'
 import dynamicImportTests from '../../basic/test/dynamic'
-import { readFileSync } from 'fs'
+import security from './security'
 
 const appDir = join(__dirname, '../')
 let appPort
@@ -74,23 +73,6 @@ describe('Production Usage', () => {
     })
   })
 
-  describe('With XSS Attacks', () => {
-    it('should prevent URI based attaks', async () => {
-      const browser = await webdriver(appPort, '/\',document.body.innerHTML="HACKED",\'')
-      // Wait 5 secs to make sure we load all the client side JS code
-      await waitFor(5000)
-
-      const bodyText = await browser
-        .elementByCss('body').text()
-
-      if (/HACKED/.test(bodyText)) {
-        throw new Error('Vulnerable to XSS attacks')
-      }
-
-      browser.close()
-    })
-  })
-
   describe('Misc', () => {
     it('should handle already finished responses', async () => {
       const res = {
@@ -111,21 +93,6 @@ describe('Production Usage', () => {
       const data = await renderViaHTTP(appPort, '/static/data/item.txt')
       expect(data).toBe('item')
     })
-
-    it('should only access files inside .next directory', async () => {
-      const buildId = readFileSync(join(__dirname, '../.next/BUILD_ID'), 'utf8')
-
-      const pathsToCheck = [
-        `/_next/${buildId}/page/../../../info`,
-        `/_next/${buildId}/page/../../../info.js`,
-        `/_next/${buildId}/page/../../../info.json`
-      ]
-
-      for (const path of pathsToCheck) {
-        const data = await renderViaHTTP(appPort, path)
-        expect(data.includes('cool-version')).toBeFalsy()
-      }
-    })
   })
 
   describe('X-Powered-By header', () => {
@@ -162,4 +129,6 @@ describe('Production Usage', () => {
   })
 
   dynamicImportTests(context, (p, q) => renderViaHTTP(context.appPort, p, q))
+
+  security(context)
 })

test/integration/production/test/security.js

@@ -0,0 +1,45 @@
+/* global describe, it, expect
+ */
+
+import { readFileSync } from 'fs'
+import { join } from 'path'
+import { renderViaHTTP, waitFor } from 'next-test-utils'
+import webdriver from 'next-webdriver'
+
+module.exports = (context) => {
+  describe('With Security Related Issues', () => {
+    it('should only access files inside .next directory', async () => {
+      const buildId = readFileSync(join(__dirname, '../.next/BUILD_ID'), 'utf8')
+
+      const pathsToCheck = [
+        `/_next/${buildId}/page/../../../info`,
+        `/_next/${buildId}/page/../../../info.js`,
+        `/_next/${buildId}/page/../../../info.json`,
+        `/_next/:buildId/webpack/chunks/../../../info.json`,
+        `/_next/:buildId/webpack/../../../info.json`,
+        `/_next/../../../info.json`,
+        `/static/../../../info.json`
+      ]
+
+      for (const path of pathsToCheck) {
+        const data = await renderViaHTTP(context.appPort, path)
+        expect(data.includes('cool-version')).toBeFalsy()
+      }
+    })
+
+    it('should prevent URI based XSS attacks', async () => {
+      const browser = await webdriver(context.appPort, '/\',document.body.innerHTML="HACKED",\'')
+      // Wait 5 secs to make sure we load all the client side JS code
+      await waitFor(5000)
+
+      const bodyText = await browser
+        .elementByCss('body').text()
+
+      if (/HACKED/.test(bodyText)) {
+        throw new Error('Vulnerable to XSS attacks')
+      }
+
+      browser.close()
+    })
+  })
+}