fix(tests): avoid installing package from untrusted registry in integration tests [SECURITY] #8776
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ylemkimon
reviewed
Feb 7, 2022
__tests__/integration.js
Outdated
| expect(stdoutOutput.toString()).toMatch(/getaddrinfo ENOTFOUND example-registry-doesnt-exist\.com/g); | ||
| } | ||
| const yarnAdd = runYarn(['add', 'is-array', '--registry', registry, '--ignore-scripts'], {cwd}); | ||
| await expect(yarnAdd).rejects.toThrow('getaddrinfo ENOTFOUND example-registry-doesnt-exist.invalid'); |
There was a problem hiding this comment.
Note some DNSs time out on .invalid domains throwing EAI_AGAIN.
There was a problem hiding this comment.
Thanks @ylemkimon - I wasn't aware of that. Updated the test to expect either ENOTFOUND or EAI_AGAIN from getaddrinfo.
Let me know what you think.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
I noticed one of the tests installs a package from registry
hxxps://example-registry-doesnt-exist[.]comwith the--registryflag, with the intent to test the case where the registry doesn't exist.However someone could register that domain and serve a package with malicious lifecycle scripts (e.g.
"preinstall")(I managed to register and park that to domain to prevent such scenario.)
This PR makes the following improvements:
.comwith the.invalidTLD (RFC 6761)--ignore-scriptssince lifecycle scripts are not relevant for this testTest plan
-