Skip to content

Commit aff2f1d

Browse files
lukeedlukeed
committed
chore: add constructor tests
1 parent c969b50 commit aff2f1d

File tree

1 file changed

+43
-0
lines changed

1 file changed

+43
-0
lines changed

Diff for: test/index.js

+43
Original file line numberDiff line numberDiff line change
@@ -63,6 +63,49 @@ test('class', t => {
6363
});
6464

6565

66+
test('constructor :: hijack', t => {
67+
let count = 0;
68+
69+
class Foo {}
70+
function CustomArray() {
71+
count++;
72+
}
73+
74+
const input = new Foo();
75+
t.is(input.constructor.name, 'Foo');
76+
77+
input.constructor = CustomArray;
78+
t.is(input.constructor.name, 'CustomArray');
79+
80+
const output = klona(input);
81+
t.deepEqual(input, output);
82+
83+
t.is(count, 0, '~> did not call constructor');
84+
85+
t.end();
86+
});
87+
88+
89+
// @see https://snyk.io/vuln/SNYK-JS-LODASH-450202
90+
test('constructor :: pollution', t => {
91+
const payload = '{"constructor":{"prototype":{"a0": true}}}';
92+
93+
const input = JSON.parse(payload);
94+
const output = klona(input);
95+
96+
t.deepEqual(
97+
JSON.stringify(output),
98+
payload
99+
);
100+
101+
t.not(({})['a0'], true, 'Safe POJO');
102+
t.not(input['a0'], true, 'Safe input');
103+
t.not(output['a0'], true, 'Safe output');
104+
105+
t.end();
106+
});
107+
108+
66109
test('date', t => {
67110
const input = new Date;
68111
const output = klona(input);

0 commit comments

Comments
 (0)