mirror of
https://github.com/github/codeql-action.git
synced 2025-12-29 18:50:25 +08:00
e7e35baaf0
* Bump the npm group with 2 updates Bumps the npm group with 2 updates: [eslint](https://github.com/eslint/eslint) and [eslint-plugin-import](https://github.com/import-js/eslint-plugin-import). Updates `eslint` from 8.45.0 to 8.46.0 - [Release notes](https://github.com/eslint/eslint/releases) - [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md) - [Commits](https://github.com/eslint/eslint/compare/v8.45.0...v8.46.0) Updates `eslint-plugin-import` from 2.27.5 to 2.28.0 - [Release notes](https://github.com/import-js/eslint-plugin-import/releases) - [Changelog](https://github.com/import-js/eslint-plugin-import/blob/main/CHANGELOG.md) - [Commits](https://github.com/import-js/eslint-plugin-import/compare/v2.27.5...v2.28.0) --- updated-dependencies: - dependency-name: eslint dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm - dependency-name: eslint-plugin-import dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm ... Signed-off-by: dependabot[bot] <support@github.com> * Update checked-in dependencies --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
65 lines
1.7 KiB
JavaScript
65 lines
1.7 KiB
JavaScript
'use strict';
|
|
|
|
/* eslint no-proto: 0 */
|
|
|
|
var parse = require('../');
|
|
var test = require('tape');
|
|
|
|
test('proto pollution', function (t) {
|
|
var argv = parse(['--__proto__.x', '123']);
|
|
t.equal({}.x, undefined);
|
|
t.equal(argv.__proto__.x, undefined);
|
|
t.equal(argv.x, undefined);
|
|
t.end();
|
|
});
|
|
|
|
test('proto pollution (array)', function (t) {
|
|
var argv = parse(['--x', '4', '--x', '5', '--x.__proto__.z', '789']);
|
|
t.equal({}.z, undefined);
|
|
t.deepEqual(argv.x, [4, 5]);
|
|
t.equal(argv.x.z, undefined);
|
|
t.equal(argv.x.__proto__.z, undefined);
|
|
t.end();
|
|
});
|
|
|
|
test('proto pollution (number)', function (t) {
|
|
var argv = parse(['--x', '5', '--x.__proto__.z', '100']);
|
|
t.equal({}.z, undefined);
|
|
t.equal((4).z, undefined);
|
|
t.equal(argv.x, 5);
|
|
t.equal(argv.x.z, undefined);
|
|
t.end();
|
|
});
|
|
|
|
test('proto pollution (string)', function (t) {
|
|
var argv = parse(['--x', 'abc', '--x.__proto__.z', 'def']);
|
|
t.equal({}.z, undefined);
|
|
t.equal('...'.z, undefined);
|
|
t.equal(argv.x, 'abc');
|
|
t.equal(argv.x.z, undefined);
|
|
t.end();
|
|
});
|
|
|
|
test('proto pollution (constructor)', function (t) {
|
|
var argv = parse(['--constructor.prototype.y', '123']);
|
|
t.equal({}.y, undefined);
|
|
t.equal(argv.y, undefined);
|
|
t.end();
|
|
});
|
|
|
|
test('proto pollution (constructor function)', function (t) {
|
|
var argv = parse(['--_.concat.constructor.prototype.y', '123']);
|
|
function fnToBeTested() {}
|
|
t.equal(fnToBeTested.y, undefined);
|
|
t.equal(argv.y, undefined);
|
|
t.end();
|
|
});
|
|
|
|
// powered by snyk - https://github.com/backstage/backstage/issues/10343
|
|
test('proto pollution (constructor function) snyk', function (t) {
|
|
var argv = parse('--_.constructor.constructor.prototype.foo bar'.split(' '));
|
|
t.equal(function () {}.foo, undefined);
|
|
t.equal(argv.y, undefined);
|
|
t.end();
|
|
});
|