

Test dev vs. prod dependencies in yarn audit
as3richa committed Jan 27, 2019
1 parent 6737b90 commit 40d5294
Showing 4 changed files with 195 additions and 0 deletions.
40 changes: 40 additions & 0 deletions __tests__/commands/audit.js
Expand Up @@ -173,6 +173,46 @@ test('calls reporter auditSummary with correct data for private package', () =>
});
});

test.concurrent('distinguishes dev and prod transitive dependencies in audit request and result', () => {
const expectedApiPost = {
name: 'foo',
version: '1.0.0',
install: [],
remove: [],
metadata: {},
requires: {
mime: '1.4.0',
hoek: '4.2.0',
},
dependencies: {
mime: {
version: '1.4.0',
integrity: 'sha512-n9ChLv77+QQEapYz8lV+rIZAW3HhAPW2CXnzb1GN5uMkuczshwvkW7XPsbzU0ZQN3sP47Er2KVkp2p3KyqZKSQ==',
requires: {},
dependencies: {},
dev: false,
},
hoek: {
version: '4.2.0',
integrity: 'sha512-v0XCLxICi9nPfYrS9RL8HbYnXi9obYAeLbSP00BmnZwCK9+Ih9WOjoZ8YoHCoav2csqn4FOz4Orldsy2dmDwmQ==',
requires: {},
dependencies: {},
dev: true,
},
},
dev: false,
};

return runAudit([], {}, 'dev-and-prod-vulnerabilities', async (config, reporter) => {
const calledWithPipe = config.requestManager.request.mock.calls[0][0].body;
const calledWith = JSON.parse(await gunzip(calledWithPipe));
expect(calledWith).toEqual(expectedApiPost);

const apiResponse = getAuditResponse(config);
expect(reporter.auditSummary).toBeCalledWith(apiResponse.metadata);
});
});

describe('returns semantic exit codes', () => {
let lockfileSpy;
let installSpy;
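Review bot: The test title claims coverage of transitive dependencies, but the fixture only has direct ones — package.json lists `hoek` under devDependencies and `mime` under dependencies, the lockfile entries carry no nested requirements, and the expected request body has `requires: {}` for both packages — so the case where the dev flag actually matters (a package reached through both a prod and a dev dependency, which presumably must be reported as `dev: false`) is never exercised. Misclassifying such a package as dev-only would hide a production-reachable advisory from anyone who filters audit output to prod, so either add a fixture with a shared transitive dependency or rename the test to `'distinguishes dev and prod direct dependencies in audit request and result'`. The result half of the assertion only checks that the mocked `metadata` is echoed to `reporter.auditSummary`; asserting the per-advisory reporter call (`reporter.auditAdvisory`, if that is the hook) for both findings would pin that the `dev` flag survives into the report. Minor style point: the neighbouring test at the top of the hunk uses `test(...)` while the new one uses `test.concurrent(...)`; pick one for the file.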
@@ -0,0 +1,132 @@
{
"actions": [
{
"action": "install",
"module": "mime",
"target": "2.4.0",
"isMajor": true,
"resolves": [
{
"id": 535,
"path": "mime",
"dev": false,
"optional": false,
"bundled": false
}
]
},
{
"action": "install",
"module": "hoek",
"target": "6.1.2",
"isMajor": true,
"resolves": [
{
"id": 566,
"path": "hoek",
"dev": true,
"optional": false,
"bundled": false
}
]
}
],
"advisories": {
"535": {
"findings": [
{
"version": "1.4.0",
"paths": [
"mime"
],
"dev": false,
"optional": false,
"bundled": false
}
],
"id": 535,
"created": "2017-09-25T19:02:28.152Z",
"updated": "2018-04-09T00:38:22.785Z",
"deleted": null,
"title": "Regular Expression Denial of Service",
"found_by": {
"name": "Cristian-Alexandru Staicu"
},
"reported_by": {
"name": "Cristian-Alexandru Staicu"
},
"module_name": "mime",
"cves": [
"CVE-2017-16138"
],
"vulnerable_versions": "< 1.4.1 || > 2.0.0 < 2.0.3",
"patched_versions": ">= 1.4.1 < 2.0.0 || >= 2.0.3",
"overview": "Affected versions of `mime` are vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.",
"recommendation": "Update to version 2.0.3 or later.",
"references": "[Issue #167](https://github.com/broofa/node-mime/issues/167)",
"access": "public",
"severity": "moderate",
"cwe": "CWE-400",
"metadata": {
"module_type": "Multi.Library",
"exploitability": 4,
"affected_components": ""
},
"url": "https://npmjs.com/advisories/535"
},
"566": {
"findings": [
{
"version": "4.2.0",
"paths": [
"hoek"
],
"dev": true,
"optional": false,
"bundled": false
}
],
"id": 566,
"created": "2018-04-20T21:25:58.421Z",
"updated": "2018-04-20T21:25:58.421Z",
"deleted": null,
"title": "Prototype pollution",
"found_by": {
"name": "HoLyVieR"
},
"reported_by": {
"name": "HoLyVieR"
},
"module_name": "hoek",
"cves": [],
"vulnerable_versions": "<= 4.2.0 || >= 5.0.0 < 5.0.3",
"patched_versions": "> 4.2.0 < 5.0.0 || >= 5.0.3",
"overview": "Versions of `hoek` prior to 4.2.1 and 5.0.3 are vulnerable to prototype pollution.\n\nThe `merge` function, and the `applyToDefaults` and `applyToDefaultsWithShallow` functions which leverage `merge` behind the scenes, are vulnerable to a prototype pollution attack when provided an _unvalidated_ payload created from a JSON string containing the `__proto__` property.\n\nThis can be demonstrated like so:\n\n```javascript\nvar Hoek = require('hoek');\nvar malicious_payload = '{\"__proto__\":{\"oops\":\"It works !\"}}';\n\nvar a = {};\nconsole.log(\"Before : \" + a.oops);\nHoek.merge({}, JSON.parse(malicious_payload));\nconsole.log(\"After : \" + a.oops);\n```\n\nThis type of attack can be used to overwrite existing properties causing a potential denial of service.",
"recommendation": "Update to version 4.2.1, 5.0.3 or later.",
"references": "",
"access": "public",
"severity": "moderate",
"cwe": "CWE-471",
"metadata": {
"module_type": "",
"exploitability": 5,
"affected_components": ""
},
"url": "https://npmjs.com/advisories/566"
}
},
"muted": [],
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 0,
"moderate": 2,
"high": 0,
"critical": 0
},
"dependencies": 1,
"devDependencies": 1,
"optionalDependencies": 0,
"totalDependencies": 2
}
}
10 changes: 10 additions & 0 deletions __tests__/fixtures/audit/dev-and-prod-vulnerabilities/package.json
@@ -0,0 +1,10 @@
{
"name": "foo",
"version": "1.0.0",
"devDependencies": {
"hoek": "4.2.0"
},
"dependencies": {
"mime": "1.4.0"
}
}
13 changes: 13 additions & 0 deletions __tests__/fixtures/audit/dev-and-prod-vulnerabilities/yarn.lock
@@ -0,0 +1,13 @@
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


hoek@4.2.0:
version "4.2.0"
resolved "https://registry.yarnpkg.com/hoek/-/hoek-4.2.0.tgz#72d9d0754f7fe25ca2d01ad8f8f9a9449a89526d"
integrity sha512-v0XCLxICi9nPfYrS9RL8HbYnXi9obYAeLbSP00BmnZwCK9+Ih9WOjoZ8YoHCoav2csqn4FOz4Orldsy2dmDwmQ==

mime@1.4.0:
version "1.4.0"
resolved "https://registry.yarnpkg.com/mime/-/mime-1.4.0.tgz#69e9e0db51d44f2a3b56e48b7817d7d137f1a343"
integrity sha512-n9ChLv77+QQEapYz8lV+rIZAW3HhAPW2CXnzb1GN5uMkuczshwvkW7XPsbzU0ZQN3sP47Er2KVkp2p3KyqZKSQ==
