Merge pull request #407 from AikidoSec/fix-path-tests

Fix path unit tests
AikidoSec · Oct 7, 2024 · 042099c · 042099c
2 parents 46f7b75 + 348e414
commit 042099c
Showing 1 changed file with 66 additions and 33 deletions.
diff --git a/library/sinks/Path.test.ts b/library/sinks/Path.test.ts
@@ -53,39 +53,56 @@ t.test("it works", async (t) => {
   });
 
   runWithContext(unsafeContext, () => {
-    t.throws(
-      () => join(__dirname, "../test.txt"),
-      "Zen has blocked a Path traversal: fs.join(...) originating from body.file.matches"
+    const error = t.throws(() => join(__dirname, "../test.txt"));
+    t.same(
+      error instanceof Error ? error.message : null,
+      "Zen has blocked a path traversal attack: path.join(...) originating from body.file.matches"
     );
 
-    t.throws(
-      () => resolve(__dirname, "../test.txt"),
-      "Zen has blocked a Path traversal: fs.resolve(...) originating from body.file.matches"
+    const error2 = t.throws(() => resolve(__dirname, "../test.txt"));
+    t.same(
+      error2 instanceof Error ? error2.message : null,
+      "Zen has blocked a path traversal attack: path.resolve(...) originating from body.file.matches"
     );
 
-    t.throws(
-      () => join(__dirname, "some_directory", "../test.txt"),
-      "Zen has blocked a Path traversal: fs.join(...) originating from body.file.matches"
+    const error3 = t.throws(() =>
+      join(__dirname, "some_directory", "../test.txt")
+    );
+    t.same(
+      error3 instanceof Error ? error3.message : null,
+      "Zen has blocked a path traversal attack: path.join(...) originating from body.file.matches"
     );
 
-    t.throws(
-      () => resolve(__dirname, "some_directory", "../test.txt"),
-      "Zen has blocked a Path traversal: fs.resolve(...) originating from body.file.matches"
+    const error4 = t.throws(() =>
+      resolve(__dirname, "some_directory", "../test.txt")
+    );
+    t.same(
+      error4 instanceof Error ? error4.message : null,
+      "Zen has blocked a path traversal attack: path.resolve(...) originating from body.file.matches"
     );
 
-    t.throws(
-      () => join(__dirname, "some_directory", "../../test.txt"),
-      "Zen has blocked a Path traversal: fs.join(...) originating from body.file.matches"
+    const error5 = t.throws(() =>
+      join(__dirname, "some_directory", "../../test.txt")
+    );
+    t.same(
+      error5 instanceof Error ? error5.message : null,
+      "Zen has blocked a path traversal attack: path.join(...) originating from body.file.matches"
     );
 
-    t.throws(
-      () => resolve(__dirname, "../test.txt", "some_directory"),
-      "Zen has blocked a Path traversal: fs.resolve(...) originating from body.file.matches"
+    const error6 = t.throws(() =>
+      resolve(__dirname, "../test.txt", "some_directory")
+    );
+    t.same(
+      error6 instanceof Error ? error6.message : null,
+      "Zen has blocked a path traversal attack: path.resolve(...) originating from body.file.matches"
     );
 
-    t.throws(
-      () => join(__dirname, "../test.txt", "some_directory"),
-      "Zen has blocked a Path traversal: fs.join(...) originating from body.file.matches"
+    const error7 = t.throws(() =>
+      join(__dirname, "../test.txt", "some_directory")
+    );
+    t.same(
+      error7 instanceof Error ? error7.message : null,
+      "Zen has blocked a path traversal attack: path.join(...) originating from body.file.matches"
     );
   });
 
@@ -94,32 +111,48 @@ t.test("it works", async (t) => {
   });
 
   runWithContext(unsafeAbsoluteContext, () => {
-    t.throws(
-      () => join("/etc/", "test.txt"),
-      "Zen has blocked a Path traversal: fs.join(...) originating from body.file.matches"
+    const error = t.throws(() => join("/etc/", "test.txt"));
+    t.same(
+      error instanceof Error ? error.message : null,
+      "Zen has blocked a path traversal attack: path.normalize(...) originating from body.file.matches"
     );
 
-    t.throws(
-      () => resolve("/etc/some_directory", "test.txt"),
-      "Zen has blocked a Path traversal: fs.resolve(...) originating from body.file.matches"
+    const error2 = t.throws(() => resolve("/etc/some_directory", "test.txt"));
+    t.same(
+      error2 instanceof Error ? error2.message : null,
+      "Zen has blocked a path traversal attack: path.resolve(...) originating from body.file.matches"
     );
   });
 
   const { join: joinWin } = require("path/win32");
 
   runWithContext(unsafeAbsoluteContext, () => {
-    t.throws(
-      () => joinWin("/etc/some_directory", "test.txt"),
-      "Zen has blocked a Path traversal: fs.resolve(...) originating from body.file.matches"
+    const error = t.throws(() => joinWin("/etc/some_directory", "test.txt"));
+    t.same(
+      error instanceof Error ? error.message : null,
+      "Zen has blocked a path traversal attack: path.join(...) originating from body.file.matches"
     );
   });
 
   const { normalize: normalizePosix } = require("path/posix");
 
   runWithContext(unsafeContext, () => {
-    t.throws(
-      () => normalizePosix(__dirname, "../test.txt"),
-      "Zen has blocked a Path traversal: fs.join(...) originating from body.file.matches"
+    const error = t.throws(() => normalizePosix(__dirname, "../test.txt"));
+    t.same(
+      error instanceof Error ? error.message : null,
+      "Zen has blocked a path traversal attack: path.normalize(...) originating from body.file.matches"
+    );
+  });
+
+  const { win32: win32FromPosix } = require("path/posix");
+
+  runWithContext(unsafeContext, () => {
+    const error = t.throws(() =>
+      win32FromPosix.normalize(__dirname, "../test.txt")
+    );
+    t.same(
+      error instanceof Error ? error.message : null,
+      "Zen has blocked a path traversal attack: path.normalize(...) originating from body.file.matches"
     );
   });
 });