Move security related test cases into a its own file.

2024-01-19 02:48:18 +00:00 · 2018-01-13 20:29:09 +05:30 · 2018-01-13 20:29:09 +05:30 · 33f8f28209
parent 44de0f15c9
commit 33f8f28209
2 changed files with 49 additions and 35 deletions
--- a/test/integration/production/test/index.test.js
+++ b/test/integration/production/test/index.test.js
@ -7,13 +7,12 @@ import {
  nextBuild,
  startApp,
  stopApp,
-  renderViaHTTP,
-  waitFor
+  renderViaHTTP
 } from 'next-test-utils'
 import webdriver from 'next-webdriver'
 import fetch from 'node-fetch'
 import dynamicImportTests from '../../basic/test/dynamic'
-import { readFileSync } from 'fs'
+import security from './security'

 const appDir = join(__dirname, '../')
 let appPort
@ -74,23 +73,6 @@ describe('Production Usage', () => {
    })
  })

-  describe('With XSS Attacks', () => {
-    it('should prevent URI based attaks', async () => {
-      const browser = await webdriver(appPort, '/\',document.body.innerHTML="HACKED",\'')
-      // Wait 5 secs to make sure we load all the client side JS code
-      await waitFor(5000)
-
-      const bodyText = await browser
-        .elementByCss('body').text()
-
-      if (/HACKED/.test(bodyText)) {
-        throw new Error('Vulnerable to XSS attacks')
-      }
-
-      browser.close()
-    })
-  })
-
  describe('Misc', () => {
    it('should handle already finished responses', async () => {
      const res = {
@ -111,21 +93,6 @@ describe('Production Usage', () => {
      const data = await renderViaHTTP(appPort, '/static/data/item.txt')
      expect(data).toBe('item')
    })
-
-    it('should only access files inside .next directory', async () => {
-      const buildId = readFileSync(join(__dirname, '../.next/BUILD_ID'), 'utf8')
-
-      const pathsToCheck = [
-        `/_next/${buildId}/page/../../../info`,
-        `/_next/${buildId}/page/../../../info.js`,
-        `/_next/${buildId}/page/../../../info.json`
-      ]
-
-      for (const path of pathsToCheck) {
-        const data = await renderViaHTTP(appPort, path)
-        expect(data.includes('cool-version')).toBeFalsy()
-      }
-    })
  })

  describe('X-Powered-By header', () => {
@ -162,4 +129,6 @@ describe('Production Usage', () => {
  })

  dynamicImportTests(context, (p, q) => renderViaHTTP(context.appPort, p, q))
+
+  security(context)
 })
--- a/test/integration/production/test/security.js
+++ b/test/integration/production/test/security.js
@ -0,0 +1,45 @@
+/* global describe, it, expect
+ */
+
+import { readFileSync } from 'fs'
+import { join } from 'path'
+import { renderViaHTTP, waitFor } from 'next-test-utils'
+import webdriver from 'next-webdriver'
+
+module.exports = (context) => {
+  describe('With Security Related Issues', () => {
+    it('should only access files inside .next directory', async () => {
+      const buildId = readFileSync(join(__dirname, '../.next/BUILD_ID'), 'utf8')
+
+      const pathsToCheck = [
+        `/_next/${buildId}/page/../../../info`,
+        `/_next/${buildId}/page/../../../info.js`,
+        `/_next/${buildId}/page/../../../info.json`,
+        `/_next/:buildId/webpack/chunks/../../../info.json`,
+        `/_next/:buildId/webpack/../../../info.json`,
+        `/_next/../../../info.json`,
+        `/static/../../../info.json`
+      ]
+
+      for (const path of pathsToCheck) {
+        const data = await renderViaHTTP(context.appPort, path)
+        expect(data.includes('cool-version')).toBeFalsy()
+      }
+    })
+
+    it('should prevent URI based XSS attacks', async () => {
+      const browser = await webdriver(context.appPort, '/\',document.body.innerHTML="HACKED",\'')
+      // Wait 5 secs to make sure we load all the client side JS code
+      await waitFor(5000)
+
+      const bodyText = await browser
+        .elementByCss('body').text()
+
+      if (/HACKED/.test(bodyText)) {
+        throw new Error('Vulnerable to XSS attacks')
+      }
+
+      browser.close()
+    })
+  })
+}