1'use strict'; 2 3/* eslint no-proto: 0 */ 4 5var parse = require('../'); 6var test = require('tape'); 7 8test('proto pollution', function (t) { 9 var argv = parse(['--__proto__.x', '123']); 10 t.equal({}.x, undefined); 11 t.equal(argv.__proto__.x, undefined); 12 t.equal(argv.x, undefined); 13 t.end(); 14}); 15 16test('proto pollution (array)', function (t) { 17 var argv = parse(['--x', '4', '--x', '5', '--x.__proto__.z', '789']); 18 t.equal({}.z, undefined); 19 t.deepEqual(argv.x, [4, 5]); 20 t.equal(argv.x.z, undefined); 21 t.equal(argv.x.__proto__.z, undefined); 22 t.end(); 23}); 24 25test('proto pollution (number)', function (t) { 26 var argv = parse(['--x', '5', '--x.__proto__.z', '100']); 27 t.equal({}.z, undefined); 28 t.equal((4).z, undefined); 29 t.equal(argv.x, 5); 30 t.equal(argv.x.z, undefined); 31 t.end(); 32}); 33 34test('proto pollution (string)', function (t) { 35 var argv = parse(['--x', 'abc', '--x.__proto__.z', 'def']); 36 t.equal({}.z, undefined); 37 t.equal('...'.z, undefined); 38 t.equal(argv.x, 'abc'); 39 t.equal(argv.x.z, undefined); 40 t.end(); 41}); 42 43test('proto pollution (constructor)', function (t) { 44 var argv = parse(['--constructor.prototype.y', '123']); 45 t.equal({}.y, undefined); 46 t.equal(argv.y, undefined); 47 t.end(); 48}); 49 50test('proto pollution (constructor function)', function (t) { 51 var argv = parse(['--_.concat.constructor.prototype.y', '123']); 52 function fnToBeTested() {} 53 t.equal(fnToBeTested.y, undefined); 54 t.equal(argv.y, undefined); 55 t.end(); 56}); 57 58// powered by snyk - https://github.com/backstage/backstage/issues/10343 59test('proto pollution (constructor function) snyk', function (t) { 60 var argv = parse('--_.constructor.constructor.prototype.foo bar'.split(' ')); 61 t.equal(function () {}.foo, undefined); 62 t.equal(argv.y, undefined); 63 t.end(); 64}); 65