Hawkin
/
arangodb
mirror of https://gitee.com/bigwinds/arangodb
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
arangodb/tests/js/client/permissions/filesystem.js

870 lines
31 KiB
JavaScript
Raw Blame History

/*jshint globalstrict:false, strict:false */
/* global fail, getOptions, assertTrue, assertEqual, assertNotEqual, assertUndefined */
////////////////////////////////////////////////////////////////////////////////
/// @brief teardown for dump/reload tests
///
/// @file
///
/// DISCLAIMER
///
/// Copyright 2010-2012 triagens GmbH, Cologne, Germany
///
/// Licensed under the Apache License, Version 2.0 (the "License");
/// you may not use this file except in compliance with the License.
/// You may obtain a copy of the License at
///
/// http://www.apache.org/licenses/LICENSE-2.0
///
/// Unless required by applicable law or agreed to in writing, software
/// distributed under the License is distributed on an "AS IS" BASIS,
/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
/// See the License for the specific language governing permissions and
/// limitations under the License.
///
/// Copyright holder is ArangoDB Inc, Cologne, Germany
///
/// @author Wilfried Goesgens
/// @author Copyright 2019, ArangoDB Inc, Cologne, Germany
////////////////////////////////////////////////////////////////////////////////
const fs = require('fs');
const internal = require('internal');
// first inst - tmp -- /tmp/xxx-arangosh/
// first inst - rootDir -- /tmp/xxx-arangosh/permissions
// first inst - testFilesDir -- /tmp/xxx-arangosh/permissions/testfiles
// frist inst - subInstanceTemp -- /tmp/xxx-arangosh/permissions/subinstance_temp_directory
// second inst - tmp -- /tmp/xxx-arangosh/permissions/subinstance_temp_directory
// second inst - rootDir -- /tmp/xxx-arangosh/permissions
// second inst - testFilesDir -- /tmp/xxx-arangosh/permissions/testfiles
// second inst - subInstanceTemp -- not needed /tmp/xxx-arangosh/permissions/subinstance_tmp_directory
let rootDir = fs.join(fs.getTempPath(), '..');
let subInstanceTemp; //not set for subinstance
let testFilesDir = fs.join(rootDir, 'test_file_tree');
if (getOptions === true) {
rootDir = fs.join(fs.getTempPath(), 'permissions');
subInstanceTemp = fs.join(rootDir, 'subinstance_temp_directory');
testFilesDir = fs.join(rootDir, 'test_file_tree');
fs.makeDirectoryRecursive(subInstanceTemp);
fs.makeDirectoryRecursive(testFilesDir);
}
const topLevelForbidden = fs.join(testFilesDir, 'forbidden');
const forbiddenZipFileName = fs.join(topLevelForbidden, 'forbidden.zip');
const forbiddenJSFileName = fs.join(topLevelForbidden, 'forbidden.js');
const topLevelForbiddenRecursive = fs.join(testFilesDir, 'forbidden_recursive');
const topLevelAllowed = fs.join(testFilesDir, 'allowed');
const intoTopLevelForbidden = fs.join(topLevelAllowed, 'into_forbidden.txt');
const topLevelAllowedUnZip = fs.join(testFilesDir, 'allowed_unzip');
const topLevelAllowedRecursive = fs.join(testFilesDir, 'allowed_recursive');
const allowedZipFileName = fs.join(topLevelAllowedRecursive, 'allowed.zip');
const allowedJSFileName = fs.join(topLevelAllowedRecursive, 'allowed.js');
const intoTopLevelAllowed = fs.join(topLevelForbidden, 'into_allowed.txt');
const topLevelAllowedFile = fs.join(topLevelAllowed, 'allowed.txt');
const topLevelForbiddenFile = fs.join(topLevelForbidden, 'forbidden.txt');
// N/A const subLevelForbidden = fs.join(topLevelAllowed, 'forbidden');
const subLevelAllowed = fs.join(topLevelForbidden, 'allowed');
const intoSubLevelAllowed = topLevelForbidden + '/allowed/aoeu';
const subLevelAllowedFile = fs.join(subLevelAllowed, 'allowed.txt');
// N/A const subLevelForbiddenFile = fs.join(subLevelForbidden, 'forbidden.txt');
const topLevelAllowedWriteFile = fs.join(topLevelAllowed, 'allowed_write.txt');
const topLevelForbiddenWriteFile = fs.join(topLevelForbidden, 'forbidden_write.txt');
const subLevelAllowedWriteFile = fs.join(subLevelAllowed, 'allowed_write.txt');
// N/A const subLevelForbiddenWriteFile = fs.join(subLevelForbidden, 'forbidden_write.txt');
const topLevelAllowedReadCSVFile = fs.join(topLevelAllowed, 'allowed_csv.txt');
const topLevelForbiddenReadCSVFile = fs.join(topLevelForbidden, 'forbidden_csv.txt');
const subLevelAllowedReadCSVFile = fs.join(subLevelAllowed, 'allowed_csv.txt');
// N/A const subLevelForbiddenReadCSVFile = fs.join(subLevelForbidden, 'forbidden_csv.txt');
const topLevelAllowedReadJSONFile = fs.join(topLevelAllowed, 'allowed_json.txt');
const topLevelForbiddenReadJSONFile = fs.join(topLevelForbidden, 'forbidden_json.txt');
const subLevelAllowedReadJSONFile = fs.join(subLevelAllowed, 'allowed_json.txt');
// N/A const subLevelForbiddenReadJSONFile = fs.join(subLevelForbidden, 'forbidden_json.txt');
const topLevelAllowedCopyFile = fs.join(topLevelAllowed, 'allowed_copy.txt');
const topLevelForbiddenCopyFile = fs.join(topLevelForbidden, 'forbidden_copy.txt');
const subLevelAllowedCopyFile = fs.join(subLevelAllowed, 'allowed_copy.txt');
// N/A const subLevelForbiddenCopyFile = fs.join(subLevelForbidden, 'forbidden_json.txt');
const CSV = 'a,b\n1,2\n3,4\n';
const CSVParsed = [['a', 'b'], ['1', '2'], ['3', '4']];
const JSONText = '{"a": true, "b":false, "c": "abc"}\n{"a": true, "b":false, "c": "abc"}';
const JSONParsed = { "a" : true, "b" : false, "c" : "abc"};
if (getOptions === true) {
// N/A fs.makeDirectoryRecursive(subLevelForbidden);
fs.makeDirectoryRecursive(topLevelAllowed);
fs.makeDirectoryRecursive(subLevelAllowed);
fs.makeDirectoryRecursive(topLevelAllowedRecursive);
fs.makeDirectoryRecursive(topLevelForbiddenRecursive);
fs.makeDirectoryRecursive(topLevelAllowedUnZip);
fs.write(topLevelAllowedFile, 'this file is allowed.\n');
fs.write(topLevelForbiddenFile, 'forbidden fruits are tasty!\n');
fs.write(subLevelAllowedFile, 'this file is allowed.\n');
// N/A fs.write(subLevelForbiddenFile, 'forbidden fruits are tasty!\n');
fs.write(forbiddenJSFileName, `print('hello world');\n`);
fs.write(allowedJSFileName, `print('hello world');\n`);
fs.write(topLevelAllowedCopyFile, 'this file is allowed.\n');
fs.write(topLevelForbiddenCopyFile, 'forbidden fruits are tasty!\n');
fs.write(subLevelAllowedCopyFile, 'this file is allowed.\n');
// N/A fs.write(subLevelForbiddenFile, 'forbidden fruits are tasty!\n');
try {
fs.linkFile(topLevelForbiddenFile, intoTopLevelForbidden);
fs.linkFile(topLevelAllowedFile, intoTopLevelAllowed);
} catch (ex) {
internal.print("unable to create symlinks" + ex);
}
fs.write(topLevelAllowedReadCSVFile, CSV);
fs.write(topLevelForbiddenReadCSVFile, CSV);
fs.write(subLevelAllowedReadCSVFile, CSV);
fs.write(topLevelAllowedReadJSONFile, JSONText);
fs.write(topLevelForbiddenReadJSONFile, JSONText);
fs.write(subLevelAllowedReadJSONFile, JSONText);
return {
'temp.path': subInstanceTemp, // Adjust the temp-path to match our current temp path
'javascript.files-whitelist': [
fs.escapePath('^' + process.env['RESULT']),
fs.escapePath('^' + topLevelAllowed),
fs.escapePath('^' + subLevelAllowed),
fs.escapePath('^' + topLevelAllowedRecursive)
]
};
}
var jsunity = require('jsunity');
var env = require('process').env;
var arangodb = require("@arangodb");
const base64Encode = require('internal').base64Encode;
function testSuite() {
function tryReadForbidden(fn) {
try {
fs.read(fn);
fail();
}
catch (err) {
assertEqual(arangodb.ERROR_FORBIDDEN, err.errorNum, 'access to ' + fn + ' wasn\'t forbidden');
}
}
function tryReadAllowed(fn, expectedContent) {
let content = fs.read(fn);
assertEqual(content,
expectedContent,
'Expected ' + fn + ' to contain "' + expectedContent + '" but it contained: "' + content + '"!');
}
function tryReadBufferForbidden(fn) {
try {
fs.readBuffer(fn);
fail();
}
catch (err) {
assertEqual(arangodb.ERROR_FORBIDDEN, err.errorNum, 'access to ' + fn + ' wasn\'t forbidden');
}
}
function tryReadBufferAllowed(fn, expectedContent) {
let content = fs.readBuffer(fn);
assertEqual(content.toString(),
expectedContent,
'Expected ' + fn + ' to contain "' + expectedContent + '" but it contained: "' + content + '"!');
}
function tryRead64Forbidden(fn) {
try {
fs.read64(fn);
fail();
}
catch (err) {
assertEqual(arangodb.ERROR_FORBIDDEN, err.errorNum, 'access to ' + fn + ' wasn\'t forbidden');
}
}
function tryRead64Allowed(fn, expectedContentPlain) {
let expectedContent = base64Encode(expectedContentPlain);
let content = fs.read64(fn);
assertEqual(content,
expectedContent,
'Expected ' + fn + ' to contain "' + expectedContent + '" but it contained: "' + content + '"!');
}
function tryReadCSVForbidden(fn) {
try {
internal.processCsvFile(fn, function (raw_row, index) {
});
fail();
}
catch (err) {
assertEqual(arangodb.ERROR_FORBIDDEN, err.errorNum, 'access to ' + fn + ' wasn\'t forbidden');
}
}
function tryReadCSVAllowed(fn) {
let CSVContent = [];
let content = internal.processCsvFile(fn, function (raw_row, index) {
CSVContent.push(raw_row);
});
assertEqual(CSVContent,
CSVParsed,
'Expected ' + fn + ' to contain "' + CSVParsed + '" but it contained: "' + CSVContent + '"!');
}
function tryReadJSONForbidden(fn) {
try {
internal.processJsonFile(fn, function (raw_row, index) {
});
fail();
}
catch (err) {
assertEqual(arangodb.ERROR_FORBIDDEN, err.errorNum, 'access to ' + fn + ' wasn\'t forbidden');
}
}
function tryReadJSONAllowed(fn, expectedContentPlain) {
let count = 0;
let content = internal.processJsonFile(fn, function (raw_row, index) {
assertEqual(raw_row,
JSONParsed,
'Expected ' + fn + ' to contain "' + JSONParsed + '" but it contained: "' + raw_row + '"!');
count ++;
});
assertEqual(count, 2);
}
function tryAdler32Forbidden(fn) {
try {
fs.adler32(fn);
fail();
}
catch (err) {
assertEqual(arangodb.ERROR_FORBIDDEN, err.errorNum, 'access to ' + fn + ' wasn\'t forbidden: ' + err);
}
}
function tryAdler32Allowed(fn, expectedContentPlain) {
let content = fs.adler32(fn);
assertTrue(content > 0);
}
function tryWriteForbidden(fn) {
try {
let rc = fs.write(fn, '1212 this is just a test');
fail();
}
catch (err) {
assertEqual(arangodb.ERROR_FORBIDDEN, err.errorNum, 'Write access to ' + fn + ' wasn\'t forbidden');
}
}
function tryWriteAllowed(fn) {
let rc = fs.write(fn, '1212 this is just a test');
assertTrue(rc, 'Expected ' + fn + ' to be writeable');
}
function tryAppendForbidden(fn) {
try {
let rc = fs.append(fn, '1212 this is just a test');
fail();
}
catch (err) {
assertEqual(arangodb.ERROR_FORBIDDEN, err.errorNum, 'Append access to ' + fn + ' wasn\'t forbidden');
}
}
function tryAppendAllowed(fn) {
let rc = fs.append(fn, '1212 this is just a test');
assertTrue(rc, 'Expected ' + fn + ' to be appendeable');
}
function tryChmodForbidden(fn) {
try {
let rc = fs.chmod(fn, '0755');
fail();
}
catch (err) {
assertEqual(arangodb.ERROR_FORBIDDEN, err.errorNum, 'chmod access to ' + fn + ' wasn\'t forbidden');
}
}
function tryChmodAllowed(fn) {
let rc = fs.chmod(fn, '0755');
assertTrue(rc, 'Expected ' + fn + ' to be chmodable');
}
function tryExistsForbidden(fn) {
try {
let rc = fs.exists(fn);
fail();
}
catch (err) {
assertEqual(arangodb.ERROR_FORBIDDEN, err.errorNum, 'stat-access to ' + fn + ' wasn\'t forbidden');
}
try {
let rc = fs.mtime(fn);
fail();
}
catch (err) {
assertEqual(arangodb.ERROR_FORBIDDEN, err.errorNum, 'stat-access to ' + fn + ' wasn\'t forbidden');
}
}
function tryExistsAllowed(fn, exists) {
let rc = fs.exists(fn);
assertEqual(rc, exists, 'Expected ' + fn + ' to be stat-eable');
if (exists) {
rc = fs.mtime(fn);
assertTrue(rc > 0);
}
}
function tryFileSizeForbidden(fn) {
try {
let rc = fs.size(fn);
fail();
}
catch (err) {
assertEqual(arangodb.ERROR_FORBIDDEN, err.errorNum, 'stat-access to ' + fn + ' wasn\'t forbidden');
}
}
function tryFileSizeAllowed(fn) {
let rc = fs.size(fn);
assertTrue(rc, 'Expected ' + fn + ' to be stat-eable');
}
function tryIsDirectoryForbidden(fn) {
try {
let rc = fs.isDirectory(fn);
fail();
}
catch (err) {
assertEqual(arangodb.ERROR_FORBIDDEN, err.errorNum, 'isDirectory-access to ' + fn + ' wasn\'t forbidden');
}
}
function tryIsDirectoryAllowed(fn, isDirectory) {
let rc = fs.isDirectory(fn);
assertEqual(rc, isDirectory, 'Expected ' + fn + ' to be a ' + isDirectory ? "directory.":"file.");
}
function tryCreateDirectoryForbidden(fn) {
try {
let rc = fs.makeDirectory(fn);
fail();
}
catch (err) {
assertEqual(arangodb.ERROR_FORBIDDEN, err.errorNum, 'createDirectory creation of ' + fn + ' wasn\'t forbidden');
}
}
function tryCreateDirectoryAllowed(fn) {
let rc = fs.makeDirectory(fn);
assertUndefined(rc, 'Expected ' + fn + ' to become a directory.');
tryIsDirectoryAllowed(fn, true);
}
function tryRemoveDirectoryForbidden(fn) {
try {
let rc = fs.removeDirectory(fn);
fail();
}
catch (err) {
assertEqual(arangodb.ERROR_FORBIDDEN, err.errorNum, 'removeDirectory deleting of ' + fn + ' wasn\'t forbidden');
}
}
function tryRemoveDirectoryAllowed(fn) {
let rc = fs.removeDirectory(fn);
assertUndefined(rc, 'Expected ' + fn + ' to become a directory.');
tryIsDirectoryAllowed(fn, false);
}
function tryCreateDirectoryRecursiveForbidden(fn) {
try {
let rc = fs.makeDirectoryRecursive(fn);
fail();
}
catch (err) {
assertEqual(arangodb.ERROR_FORBIDDEN, err.errorNum, 'createDirectory creation of ' + fn + ' wasn\'t forbidden');
}
}
function tryCreateDirectoryRecursiveAllowed(fn) {
let rc = fs.makeDirectoryRecursive(fn);
assertUndefined(rc, 'Expected ' + fn + ' to become a directory.');
tryIsDirectoryAllowed(fn, true);
}
function tryRemoveDirectoryRecursiveForbidden(fn) {
try {
let rc = fs.removeDirectoryRecursive(fn);
fail();
}
catch (err) {
assertEqual(arangodb.ERROR_FORBIDDEN, err.errorNum, 'removeDirectoryRecursive deletion of ' + fn + ' wasn\'t forbidden');
}
}
function tryRemoveDirectoryRecursiveAllowed(fn) {
let rc = fs.removeDirectoryRecursive(fn);
assertUndefined(rc, 'Expected ' + fn + ' to be removed.');
tryIsDirectoryAllowed(fn, false);
}
function tryIsFileForbidden(fn) {
try {
let rc = fs.isFile(fn);
fail();
}
catch (err) {
assertEqual(arangodb.ERROR_FORBIDDEN, err.errorNum, 'isFile-access to ' + fn + ' wasn\'t forbidden');
}
}
function tryIsFileAllowed(fn, isFile) {
let rc = fs.isFile(fn);
assertEqual(rc, isFile, 'Expected ' + fn + ' to be a ' + isFile ? "file.":"directory.");
}
function tryListFileForbidden(dn) {
try {
let rc = fs.list(dn);
fail();
}
catch (err) {
assertEqual(arangodb.ERROR_FORBIDDEN, err.errorNum, 'ListFile-access to ' + dn + ' wasn\'t forbidden');
}
}
function tryListFileAllowed(dn, expectCount) {
let rc = fs.list(dn);
assertEqual(rc.length, expectCount, 'Expected ' + dn + ' to contain ' + expectCount + " files.");
}
function tryListTreeForbidden(dn) {
try {
let rc = fs.listTree(dn);
fail();
} catch (err) {
assertEqual(arangodb.ERROR_FORBIDDEN, err.errorNum, 'ListTree-access to ' + dn + ' wasn\'t forbidden');
}
}
function tryListTreeAllowed(dn, expectCount) {
let rc = fs.listTree(dn);
assertEqual(rc.length, expectCount, 'Expected ' + dn + ' to contain ' + expectCount + " files.");
}
function tryGetTempFileForbidden(dn) {
try {
let rc = fs.getTempFile(dn, true);
fail();
}
catch (err) {
assertEqual(arangodb.ERROR_FORBIDDEN, err.errorNum, 'Temfile-access to ' + dn + ' wasn\'t forbidden');
}
}
function tryGetTempFileAllowed(dn) {
let tfn = fs.getTempFile();
assertTrue(fs.isFile(tfn));
fs.remove(tfn);
}
function tryMakeAbsoluteForbidden(fn) {
try {
let absolute = fs.makeAbsolute(fn);
fail();
} catch (err) {
assertEqual(arangodb.ERROR_FORBIDDEN, err.errorNum, 'Absolute expansion to ' + fn + ' wasn\'t forbidden');
}
}
function tryMakeAbsoluteAllowed(fn) {
fs.makeAbsolute(fn);
}
function tryCopyFileForbidden(sn, tn) {
try {
let absolute = fs.copyFile(sn, tn);
fail();
} catch (err) {
assertEqual(arangodb.ERROR_FORBIDDEN, err.errorNum, 'Copying of ' + sn + ' to ' + tn + ' wasn\'t forbidden');
}
}
function tryCopyFileAllowed(sn, tn) {
try {
fs.copyFile(sn, tn);
} catch (err) {
assertTrue(false, "failed to copy " + sn + " to " + tn + " - " + err);
}
tryExistsAllowed(sn, true);
tryExistsAllowed(tn, true);
}
function tryCopyRecursiveFileForbidden(sn, tn) {
try {
let absolute = fs.copyRecursive(sn, tn);
fail();
} catch (err) {
assertEqual(arangodb.ERROR_FORBIDDEN, err.errorNum, 'CopyRecursiveing of ' + sn + ' to ' + tn + ' wasn\'t forbidden: ' + err);
}
}
function tryCopyRecursiveFileAllowed(sn, tn) {
try {
fs.copyRecursive(sn, tn);
} catch (err) {
assertTrue(false, "failed to copy " + sn + " to " + tn + " - " + err);
}
tryExistsAllowed(sn, true);
tryExistsAllowed(tn, true);
}
function tryMoveFileForbidden(sn, tn) {
try {
let rc = fs.move(sn, tn);
fail();
} catch (err) {
assertEqual(arangodb.ERROR_FORBIDDEN, err.errorNum, 'Moving of ' + sn + ' to ' + tn + ' wasn\'t forbidden');
}
}
function tryMoveFileAllowed(sn, tn) {
try {
fs.move(sn, tn);
} catch (err) {
assertTrue(false, "failed to move " + sn + " to " + tn + " - " + err);
}
tryExistsAllowed(sn, false);
tryExistsAllowed(tn, true);
}
function tryRemoveFileForbidden(fn) {
try {
let rc = fs.remove(fn);
fail();
} catch (err) {
assertEqual(arangodb.ERROR_FORBIDDEN, err.errorNum, 'removing of ' + fn + ' wasn\'t forbidden');
}
}
function tryRemoveFileAllowed(fn) {
try {
fs.remove(fn);
} catch (err) {
fail("failed to remove " + fn + " - " + err.Message);
}
tryExistsAllowed(fn, false);
}
function tryLinkFileForbidden(tn, sn) {
try {
let rc = fs.linkFile(tn, sn);
fail();
} catch (err) {
assertEqual(arangodb.ERROR_FORBIDDEN, err.errorNum, 'Moving of ' + sn + ' to ' + tn + ' wasn\'t forbidden');
}
}
function tryLinkFileAllowed(sn, tn) {
try {
fs.linkFile(sn, tn);
} catch (err) {
assertTrue(false, "failed to Link " + sn + " into " + tn + " - " + err);
}
tryExistsAllowed(sn, true);
tryExistsAllowed(tn, true);
}
function tryZipFileForbidden(zip, sn) {
try {
let rc = fs.zipFile(zip, sn, ['*']);
fail();
} catch (err) {
assertEqual(arangodb.ERROR_FORBIDDEN, err.errorNum, 'Zipping of ' + zip + ' to ' + sn + ' wasn\'t forbidden: ' + err);
}
}
function tryZipFileAllowed(zip, sn) {
let files = [];
try {
files = fs.list(sn).filter(function (fn) {
if (fn === 'into_forbidden.txt') {
return false;
}
return fs.isFile(fs.join(sn, fn));
});
fs.zipFile(zip, sn, files);
} catch (err) {
assertTrue(false, "failed to Zip into " + zip + " these files:" + sn + "[ " + files + " ] - " + err);
}
tryExistsAllowed(zip, true);
}
function tryUnZipFileForbidden(zip, sn) {
try {
let rc = fs.unzipFile(zip, sn, undefined, true);
fail();
} catch (err) {
assertEqual(arangodb.ERROR_FORBIDDEN, err.errorNum, 'Unzipping of ' + zip + ' to ' + sn + ' wasn\'t forbidden: ' + err);
}
}
function tryUnZipFileAllowed(zip, sn) {
try {
fs.unzipFile(zip, sn, false, true);
} catch (err) {
assertTrue(false, "failed to UnZip " + zip + " to " + sn + " - " + err);
}
}
function tryJSParseFileForbidden(fn) {
try {
require("internal").parseFile(fn);
fail();
} catch (err) {
assertEqual(arangodb.ERROR_FORBIDDEN, err.errorNum, "wasn't forbidden to parse: " + fn);
}
}
function tryJSParseFileAllowed(fn) {
try {
require("internal").parseFile(fn);
} catch (err) {
assertTrue(false, "was forbidden to parse: " + fn + " - " + err);
}
}
function tryJSEvalFileForbidden(fn) {
try {
require("internal").load(fn);
fail();
} catch (err) {
assertEqual(arangodb.ERROR_FORBIDDEN, err.errorNum, "wasn't forbidden to load: " + fn);
}
}
function tryJSEvalFileAllowed(fn) {
try {
require("internal").load(fn);
} catch (err) {
assertTrue(false, "was forbidden to load: " + fn + " - " + err);
}
}
return {
testGetTempFile : function() {
//tryGetTempFileForbidden('/etc/'); //NONSENSE == /tmp/arango-xxxx/etc/ is totally fine
//tryGetTempFileForbidden('/var/log/');
//tryGetTempFileForbidden(topLevelForbidden);
//FIXMEtryGetTempFileAllowed(topLevelAllowed);
//FIXME//tryGetTempFileAllowed(subLevelAllowed);
},
testReadFile : function() {
tryReadForbidden('/etc/passwd');
tryReadForbidden('/var/log/mail.log');
tryReadForbidden(topLevelForbiddenFile);
// N/A tryReadForbidden(subLevelForbiddenFile);
tryReadAllowed(topLevelAllowedFile, 'this file is allowed.\n');
tryReadAllowed(subLevelAllowedFile, 'this file is allowed.\n');
tryAdler32Forbidden('/etc/passwd');
tryAdler32Forbidden('/var/log/mail.log');
tryAdler32Forbidden(topLevelForbiddenFile);
// N/A tryAdler32Forbidden(subLevelForbiddenFile);
tryAdler32Allowed(topLevelAllowedFile, 'this file is allowed.\n');
tryAdler32Allowed(subLevelAllowedFile, 'this file is allowed.\n');
},
testReadBuffer : function() {
tryReadBufferForbidden('/etc/passwd');
tryReadBufferForbidden('/var/log/mail.log');
tryReadBufferForbidden(topLevelForbiddenFile);
// N/A tryReadForbidden(subLevelForbiddenFile);
tryReadBufferAllowed(topLevelAllowedFile, 'this file is allowed.\n');
tryReadBufferAllowed(subLevelAllowedFile, 'this file is allowed.\n');
},
testRead64File : function() {
tryRead64Forbidden('/etc/passwd');
tryRead64Forbidden('/var/log/mail.log');
tryRead64Forbidden(topLevelForbiddenFile);
// N/A tryReadForbidden(subLevelForbiddenFile);
tryRead64Allowed(topLevelAllowedFile, 'this file is allowed.\n');
tryRead64Allowed(subLevelAllowedFile, 'this file is allowed.\n');
},
testReadCSVFile : function() {
tryReadCSVForbidden('/etc/passwd');
tryReadCSVForbidden('/var/log/mail.log');
tryReadCSVForbidden(topLevelForbiddenReadCSVFile);
// N/A tryReadCSVForbidden(subLevelForbiddenReadCSVFile);
tryReadCSVAllowed(topLevelAllowedReadCSVFile, CSV);
tryReadCSVAllowed(subLevelAllowedReadCSVFile, CSV);
},
testReadJSONFile : function() {
tryReadJSONForbidden('/etc/passwd');
tryReadJSONForbidden('/var/log/mail.log');
tryReadJSONForbidden(topLevelForbiddenReadJSONFile);
// N/A tryReadJSONForbidden(subLevelForbiddenReadJSONFile);
tryReadJSONAllowed(topLevelAllowedReadJSONFile, JSONText);
tryReadJSONAllowed(subLevelAllowedReadJSONFile, JSONText);
},
testWriteFile : function() {
tryWriteForbidden('/var/log/mail.log');
tryWriteForbidden(topLevelForbiddenWriteFile);
tryAppendForbidden('/var/log/mail.log');
tryAppendForbidden(topLevelForbiddenWriteFile);
tryWriteAllowed(topLevelAllowedWriteFile);
tryWriteAllowed(subLevelAllowedWriteFile);
tryAppendAllowed(topLevelAllowedWriteFile);
tryAppendAllowed(subLevelAllowedWriteFile);
},
testChmod : function() {
tryChmodForbidden('/etc/passwd');
tryChmodForbidden('/var/log/mail.log');
tryChmodForbidden(topLevelForbiddenFile);
// N/A tryChmodForbidden(subLevelForbiddenFile);
tryChmodAllowed(topLevelAllowedFile);
tryChmodAllowed(subLevelAllowedFile);
},
testExists : function() {
tryExistsForbidden('/etc/passwd');
tryExistsForbidden('/var/log/mail.log');
tryExistsForbidden(topLevelForbiddenFile);
// N/A tryExistsForbidden(subLevelForbiddenFile);
tryExistsAllowed(topLevelAllowedFile, true);
tryExistsAllowed(subLevelAllowedFile, true);
},
testFileSize : function() {
tryFileSizeForbidden('/etc/passwd');
tryFileSizeForbidden('/var/log/mail.log');
tryFileSizeForbidden(topLevelForbiddenFile);
// N/A tryFileSizeForbidden(subLevelForbiddenFile);
tryFileSizeAllowed(topLevelAllowedFile);
tryFileSizeAllowed(subLevelAllowedFile);
},
testIsDirectory : function() {
tryIsDirectoryForbidden('/etc/passwd');
tryIsDirectoryForbidden('/var/log/mail.log');
tryIsDirectoryForbidden(topLevelForbiddenFile);
// N/A tryFileSizeForbidden(subLevelForbiddenFile);
tryIsDirectoryAllowed(topLevelAllowedFile, false);
tryIsDirectoryAllowed(subLevelAllowedFile, false);
tryIsDirectoryAllowed(topLevelAllowed, true);
tryIsDirectoryAllowed(subLevelAllowed, true);
},
testCreateRemoveDirectory : function() {
tryCreateDirectoryForbidden('/etc/abc');
tryCreateDirectoryForbidden('/var/log/busted');
tryCreateDirectoryForbidden(fs.join(topLevelForbiddenFile, "forbidden"));
tryCreateDirectoryAllowed(fs.join(topLevelAllowed, "allowed_create_dir"));
tryCreateDirectoryAllowed(fs.join(subLevelAllowed, "allowed_create_dir"));
tryRemoveDirectoryForbidden('/etc/abc');
tryRemoveDirectoryForbidden('/var/log/busted');
tryRemoveDirectoryForbidden(fs.join(topLevelForbiddenFile, "forbidden"));
tryRemoveDirectoryAllowed(fs.join(topLevelAllowed, "allowed_create_dir"));
tryRemoveDirectoryAllowed(fs.join(subLevelAllowed, "allowed_create_dir"));
},
testCreateRemoveDirectoryRecursive : function() {
tryCreateDirectoryRecursiveForbidden('/etc/cde/fdg');
tryCreateDirectoryRecursiveForbidden('/var/log/with/sub/dir');
tryCreateDirectoryRecursiveForbidden(fs.join(topLevelForbiddenFile, "forbidden", 'sub', 'directory'));
tryCreateDirectoryRecursiveAllowed(fs.join(topLevelAllowed, 'allowed_create_recursive_dir', 'directory'));
tryCreateDirectoryRecursiveAllowed(fs.join(subLevelAllowed, 'allowed_create_recursive_dir', 'directory'));
tryRemoveDirectoryRecursiveForbidden('/etc/cde/fdg');
tryRemoveDirectoryRecursiveForbidden('/var/log/with/sub/dir');
tryRemoveDirectoryRecursiveForbidden(fs.join(topLevelForbiddenFile, "forbidden", 'sub', 'directory'));
//tryRemoveDirectoryRecursiveAllowed(fs.join(topLevelAllowed, 'allowed_create_recursive_dir', 'directory')); //outside temp dir
//tryRemoveDirectoryRecursiveAllowed(fs.join(subLevelAllowed, 'allowed_create_recursive_dir', 'directory'));
},
testIsFile : function() {
tryIsFileForbidden('/etc/passwd');
tryIsFileForbidden('/var/log/mail.log');
tryIsFileForbidden(topLevelForbiddenFile);
// N/A tryFileSizeForbidden(subLevelForbiddenFile);
tryIsFileAllowed(topLevelAllowedFile, true);
tryIsFileAllowed(subLevelAllowedFile, true);
tryIsFileAllowed(topLevelAllowed, false);
tryIsFileAllowed(subLevelAllowed, false);
},
testListFile : function() {
tryListFileForbidden('/etc/X11');
tryListFileForbidden('/var/log/');
tryListFileForbidden(topLevelForbidden);
tryListFileForbidden(topLevelForbiddenFile);
// N/A tryFileSizeForbidden(subLevelForbiddenFile);
tryListFileAllowed(topLevelAllowedFile, 0);
tryListFileAllowed(subLevelAllowedFile, 0);
tryListFileAllowed(topLevelAllowed, 7);
tryListFileAllowed(subLevelAllowed, 6);
},
testListTree : function() {
tryListTreeForbidden('/etc/X11');
tryListTreeForbidden('/var/log/');
tryListTreeForbidden(topLevelForbidden);
tryListTreeForbidden(topLevelForbiddenFile);
// N/A tryFileSizeForbidden(subLevelForbiddenFile);
tryListTreeAllowed(topLevelAllowedFile, 1);
tryListTreeAllowed(subLevelAllowedFile, 1);
//FIXME tryListTreeAllowed(topLevelAllowed, 8);
//FIXMEtryListTreeAllowed(subLevelAllowed, 7);
},
testCopyReMoveLinkFiles : function() {
tryCopyFileForbidden('/etc/passwd', topLevelAllowed);
tryCopyFileForbidden(topLevelAllowedWriteFile, topLevelForbidden);
tryLinkFileForbidden('/etc/passwd', topLevelAllowed);
tryLinkFileForbidden(topLevelAllowedWriteFile, topLevelForbidden);
tryMoveFileForbidden('/etc/passwd', topLevelAllowed);
tryMoveFileForbidden(topLevelAllowedWriteFile, topLevelForbidden);
tryRemoveFileForbidden('/etc/passwd');
tryRemoveFileForbidden(topLevelForbiddenWriteFile);
tryCopyRecursiveFileForbidden('/etc/passwd', fs.join(topLevelAllowedRecursive, 'sub', 'directory'));
tryCopyRecursiveFileForbidden(subLevelAllowed, fs.join(topLevelForbiddenRecursive, 'sub', 'directory'));
tryCopyFileAllowed(topLevelAllowedCopyFile, fs.join(topLevelAllowed, 'copy_1.txt'));
tryCopyFileAllowed(subLevelAllowedCopyFile, fs.join(topLevelAllowed, 'copy_2.txt'));
tryLinkFileAllowed(topLevelAllowedCopyFile, fs.join(topLevelAllowed, 'link_1.txt'));
tryLinkFileAllowed(subLevelAllowedCopyFile, fs.join(topLevelAllowed, 'link_2.txt'));
tryMoveFileAllowed(topLevelAllowedCopyFile, fs.join(topLevelAllowed, 'move_1.txt'));
tryMoveFileAllowed(subLevelAllowedCopyFile, fs.join(topLevelAllowed, 'move_2.txt'));
tryRemoveFileAllowed(fs.join(topLevelAllowed, 'move_1.txt'));
tryRemoveFileAllowed(fs.join(topLevelAllowed, 'move_2.txt'));
tryCopyRecursiveFileAllowed(subLevelAllowed, fs.join(topLevelAllowedRecursive, 'sub', 'directory'));
},
testZip : function() {
tryZipFileForbidden(forbiddenZipFileName, topLevelAllowed);
tryZipFileForbidden(allowedZipFileName, '/etc/');
tryZipFileForbidden(allowedZipFileName, topLevelForbidden);
tryZipFileAllowed(allowedZipFileName, topLevelAllowed);
tryUnZipFileForbidden('/etc/nothere.zip', topLevelAllowed);
tryUnZipFileForbidden(allowedZipFileName, topLevelForbidden);
tryUnZipFileAllowed(allowedZipFileName, topLevelAllowedUnZip);
},
testEval : function() {
tryJSParseFileForbidden(forbiddenJSFileName);
tryJSParseFileAllowed(allowedJSFileName);
tryJSEvalFileForbidden(forbiddenJSFileName);
tryJSEvalFileAllowed(allowedJSFileName);
// we can not forbid snippet evaluation.
// Access is file access based for now.
require("internal").parse(`print('hello world')`);
}
};
}
jsunity.run(testSuite);
return jsunity.done();
Reference in New Issue View Git Blame Copy Permalink