improved tests

This commit is contained in:
2026-03-15 13:01:53 +02:00
parent 8ade39ae2d
commit 780e8b1c43
6 changed files with 396 additions and 0 deletions


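--- a/<PATH-NOT-SHOWN>
+++ b/<PATH-NOT-SHOWN>
@@ -192,3 +192,63 @@ impl DenoRuntime {
 Ok((stdout, stderr, status, headers))
 }
 }
+#[cfg(test)]
+mod tests {
+use serde_json::{json, Value};
+/// Validates that the double-serialization technique produces safe JS string
+/// literals, even when the payload contains characters that could break out
+/// of a JS template if interpolated naively.
+#[test]
+fn test_double_serialize_escapes_js_injection() {
+let malicious_payload = json!({
+"key": "\"); process.exit(1); //"
+});
+let first = serde_json::to_string(&malicious_payload).unwrap();
+let double = serde_json::to_string(&first).unwrap();
+// The double-serialized value must be a valid JSON string
+let recovered_first: String = serde_json::from_str(&double).unwrap();
+let recovered: Value = serde_json::from_str(&recovered_first).unwrap();
+assert_eq!(recovered, malicious_payload);
+}
+#[test]
+fn test_double_serialize_handles_backtick_injection() {
+let payload = json!({
+"attack": "${globalThis.Deno.exit()}"
+});
+let first = serde_json::to_string(&payload).unwrap();
+let double = serde_json::to_string(&first).unwrap();
+// The value when placed in a JS template literal is still just a string
+let recovered_first: String = serde_json::from_str(&double).unwrap();
+let recovered: Value = serde_json::from_str(&recovered_first).unwrap();
+assert_eq!(recovered, payload);
+}
+#[test]
+fn test_double_serialize_handles_empty() {
+let payload = json!({});
+let first = serde_json::to_string(&payload).unwrap();
+let double = serde_json::to_string(&first).unwrap();
+let recovered_first: String = serde_json::from_str(&double).unwrap();
+let recovered: Value = serde_json::from_str(&recovered_first).unwrap();
+assert_eq!(recovered, payload);
+}
+#[test]
+fn test_double_serialize_preserves_unicode() {
+let payload = json!({"emoji": "🔐", "chinese": "安全"});
+let first = serde_json::to_string(&payload).unwrap();
+let double = serde_json::to_string(&first).unwrap();
+let recovered_first: String = serde_json::from_str(&double).unwrap();
+let recovered: Value = serde_json::from_str(&recovered_first).unwrap();
+assert_eq!(recovered, payload);
+}
+}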
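Review bot: None of the four tests checks the property their names and comments claim — `test_double_serialize_handles_backtick_injection` never places `double` in a template literal, its payload contains no backtick, and JSON escaping leaves both the backtick and `${` untouched, so a serde_json round-trip (serialize, then `from_str` twice) only proves serde_json is self-consistent, not that the value is inert in JS source. The double-serialized string is only safe when it is embedded inside a double-quoted JS string literal (where `${` and backticks are plain characters) and then handed to `JSON.parse`; whether `DenoRuntime` does that is outside this hunk (only the closing lines of the impl are visible), so the tests should pin the assumption rather than the round-trip: `assert!(double.starts_with('"') && double.ends_with('"'));` and `assert!(!double[1..double.len() - 1].contains("\\\"") == false, "inner quotes must be escaped");` are a start, with a comment such as `// JSON escaping does not touch backtick or ${ — this value must never be interpolated into a template literal`. The backtick test should also use a payload that actually contains a backtick, e.g. `json!({"attack": "`${globalThis.Deno.exit()}`"})`. Ideally these tests would call the runtime's own embedding function and assert on the generated JS prefix, since as written they would pass regardless of how the runtime interpolates the value.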