Skip to content

Commit

Permalink
test_runner: protect internals against prototype tampering
Browse files Browse the repository at this point in the history
  • Loading branch information
aduh95 committed Jun 30, 2022
1 parent 3b0995e commit 823e3f8
Show file tree
Hide file tree
Showing 3 changed files with 20 additions and 1 deletion.
2 changes: 1 addition & 1 deletion lib/internal/test_runner/test.js
Original file line number Diff line number Diff line change
Expand Up @@ -222,7 +222,7 @@ class Test extends AsyncResource {
}
}

const test = new Factory({ fn, name, parent, ...options, ...overrides });
const test = new Factory({ __proto__: null, fn, name, parent, ...options, ...overrides });

if (parent.waitingOn === 0) {
parent.waitingOn = test.testNumber;
Expand Down
3 changes: 3 additions & 0 deletions test/fixtures/test-runner/protoMutation.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
'use strict';

Object.prototype.skip = true;
16 changes: 16 additions & 0 deletions test/parallel/test-runner-cli.js
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,22 @@ const testFixtures = fixtures.path('test-runner');
assert.match(stdout, /ok 4 - .+random\.cjs/);
}

{
// Same but with a prototype mutation in require scripts.
const args = ['--require', join(testFixtures, 'protoMutation.js'), '--test', testFixtures];
const child = spawnSync(process.execPath, args);

const stdout = child.stdout.toString();
assert.match(stdout, /ok 1 - .+index\.test\.js/);
assert.match(stdout, /not ok 2 - .+random\.test\.mjs/);
assert.match(stdout, /not ok 1 - this should fail/);
assert.match(stdout, /ok 3 - .+subdir.+subdir_test\.js/);
assert.match(stdout, /ok 4 - .+random\.cjs/);
assert.strictEqual(child.status, 1);
assert.strictEqual(child.signal, null);
assert.strictEqual(child.stderr.toString(), '');
}

{
// User specified files that don't match the pattern are still run.
const args = ['--test', testFixtures, join(testFixtures, 'index.js')];
Expand Down

0 comments on commit 823e3f8

Please sign in to comment.