Update expression evaluation lib

.github/workflows/node.js.yml

@@ -16,7 +16,7 @@ jobs:
 
     strategy:
       matrix:
-        node-version: [10.x, 12.x, 14.x, 15.x]
+        node-version: [12.x, 14.x, 16.x]
         # See supported Node.js release schedule at https://nodejs.org/en/about/releases/
 
     steps:

CHANGELOG.md

@@ -4,6 +4,13 @@ All notable changes to this project will be documented in this file. Dates are d
 
 Generated by [`auto-changelog`](https://github.com/CookPete/auto-changelog).
 
+#### [1.3.0](https://github.com/MarcoABCardoso/iteration-test/compare/1.2.0...1.3.0)
+
+> 11 October 2021
+
+- Update dependencies [`8422c6b`](https://github.com/MarcoABCardoso/iteration-test/commit/8422c6b4fb0107634e3cc18316b038b4184baa1c)
+- Update expression evaluation lib [`5ffd754`](https://github.com/MarcoABCardoso/iteration-test/commit/5ffd754e15f91ada38c89d0e6a9aa0137562e127)
+
 #### [1.2.0](https://github.com/MarcoABCardoso/iteration-test/compare/1.1.0...1.2.0)
 
 > 7 October 2021

lib/test-suite.js

@@ -38,7 +38,7 @@ class TestSuite {
     async executeRound(options, context, roundIndex) {
         try {
             let input = await evaluateExpression(options.inputExpression, context)
-            if (options.skip) return context
+            if (options.skip) return input
             let output = await this.testFunction(input)
             let valid = await evaluateExpression(options.evaluateExpression, output)
             if (!valid) throw `Expression [${options.evaluateExpression}] is false for obtained output`

lib/utils.js

@@ -1,8 +1,8 @@
-const vm = require('vm')
+const { VM } = require('vm2')
 
 async function evaluateExpression(expression, context) {
-    let script = new vm.Script(`__result=${expression}`)
-    let result = script.runInNewContext(context || {})
+    let vm = new VM({ timeout: 1000, sandbox: context })
+    let result = vm.run(`_=${expression}`)
     return result
 }
 

package.json

@@ -1,6 +1,6 @@
 {
   "name": "iteration-test",
-  "version": "1.3.0",
+  "version": "1.4.0",
   "description": "Runs automated testing for a given function to be run iteratively.",
   "main": "lib/index.js",
   "devDependencies": {
@@ -21,5 +21,8 @@
   "repository": {
     "type": "git",
     "url": "https://github.com/MarcoABCardoso/iteration-test"
+  },
+  "dependencies": {
+    "vm2": "^3.9.4"
   }
 }

test/test-suite.test.js

@@ -21,14 +21,14 @@ let passingTestOptions = {
 }
 
 let failingTestOptions = {
-    testFunction: payload => payload.input.text == 'hello' ? { output: { text: 'Hello, there!' }, context: payload.context } : { output: { text: 'Goodbye, now.' }, context: payload.context },
+    testFunction: payload => payload.input.text == 'hello' ? { output: { text: 'Hello, there!' }, context: payload.context || { initial: 'context' } } : { output: { text: 'Goodbye, now.' }, context: payload.context },
     tests: [
         {
             name: 'foo_passing_test',
             rounds: [
                 { inputExpression: '{ input: { text: "hello" } }', evaluateExpression: 'output.text == "Hello, there!"' },
-                { inputExpression: 'context = "foobar"', skip: true },
-                { inputExpression: '{ input: { text: "goodbye" }, context: context }', evaluateExpression: 'output.text == "Goodbye, now." && context == "foobar"' },
+                { inputExpression: 'context.foo = "bar"; _={ context }', skip: true },
+                { inputExpression: '{ input: { text: "goodbye" }, context: context }', evaluateExpression: 'output.text == "Goodbye, now." && context.foo == "bar"' },
             ]
         },
         {
@@ -49,6 +49,18 @@ let failingTestOptions = {
             rounds: [
                 { inputExpression: '{ input: { text: "hello" } }', evaluateExpression: 'invalidSyntax' },
             ]
+        },
+        {
+            name: 'foo_malicious_test_1',
+            rounds: [
+                { inputExpression: 'this.constructor.constructor("return process.exit()")()', evaluateExpression: 'this tries to crash the test' },
+            ]
+        },
+        {
+            name: 'foo_malicious_test_2',
+            rounds: [
+                { inputExpression: 'new Proxy({}, {\n  get: function(me, key) { return (arguments.callee.caller.constructor(\'return process.exit()\'))() }\n})', evaluateExpression: 'this tries to crash the test' },
+            ]
         }
     ]
 }
@@ -79,7 +91,16 @@ describe('TestSuite', () => {
             let testSuite = new TestSuite(failingTestOptions)
             testSuite.run()
                 .then(results => {
-                    expect(results).toEqual({ details: [{ name: 'foo_passing_test', success: true }, { error: 'Expression [output.text == "Something incorrect"] is false for obtained output', name: 'foo_failing_test', success: false, index: 1 }, { error: 'invalidSyntax is not defined', name: 'foo_broken_test_input', success: false, index: 0 }, { error: 'invalidSyntax is not defined', name: 'foo_broken_test_output', success: false, index: 0 }], failed: 3, passed: 1, success: false })
+                    delete results.details[4].error
+                    delete results.details[5].error
+                    expect(results).toEqual({ details: [
+                        { name: 'foo_passing_test', success: true }, 
+                        { error: 'Expression [output.text == "Something incorrect"] is false for obtained output', name: 'foo_failing_test', success: false, index: 1 }, 
+                        { error: 'invalidSyntax is not defined', name: 'foo_broken_test_input', success: false, index: 0 }, 
+                        { error: 'invalidSyntax is not defined', name: 'foo_broken_test_output', success: false, index: 0 },
+                        { name: 'foo_malicious_test_1', success: false, index: 0 },
+                        { name: 'foo_malicious_test_2', success: false, index: 0 },
+                    ], failed: 5, passed: 1, success: false })
                     done()
                 })
         })