MCP Playwright Server

Overview Schema Related Servers Score Discussions

security.spec.ts•11.2 kB

/** * Security Module Unit Tests * * Tests for script validation blocklist/allowlist patterns in security.ts * Ensures the security sandbox correctly blocks dangerous operations * while allowing legitimate DOM queries. */ import { test, expect } from '@playwright/test'; // Import the security module functions we're testing // Note: These tests validate the pattern matching logic test.describe('Security - Script Blocklist Patterns', () => { // These patterns should be BLOCKED const BLOCKED_SCRIPTS = [ // Code execution { script: 'eval("alert(1)")', reason: 'eval execution' }, { script: 'new Function("return 1")()', reason: 'Function constructor' }, { script: 'setTimeout(() => {}, 100)', reason: 'setTimeout' }, { script: 'setInterval(() => {}, 100)', reason: 'setInterval' }, // Storage access { script: 'document.cookie', reason: 'cookie access' }, { script: 'localStorage.getItem("key")', reason: 'localStorage' }, { script: 'sessionStorage.setItem("key", "val")', reason: 'sessionStorage', }, // Network requests { script: 'fetch("/api/data")', reason: 'fetch call' }, { script: 'new XMLHttpRequest()', reason: 'XMLHttpRequest' }, { script: 'new WebSocket("ws://evil.com")', reason: 'WebSocket' }, // DOM manipulation (XSS vectors) { script: 'element.innerHTML = "<script>"', reason: 'innerHTML assignment', }, { script: 'document.write("<div>")', reason: 'document.write' }, { script: 'window.open("http://evil.com")', reason: 'window.open' }, // Prototype pollution { script: 'obj.__proto__.polluted = true', reason: '__proto__ access' }, { script: 'Object.prototype.x = 1', reason: 'prototype modification' }, { script: 'obj.constructor.prototype.x = 1', reason: 'constructor access' }, // URI schemes { script: 'location.href = "javascript:alert(1)"', reason: 'javascript: URI', }, { script: '"data:text/html,<script>alert(1)</script>"', reason: 'data: URI', }, // Encoding bypass attempts { script: 'atob("YWxlcnQoMSk=")', reason: 'atob decoding' }, { script: 'String.fromCharCode(97, 108, 101, 114, 116)', reason: 'fromCharCode', }, // Dangerous APIs { script: 'navigator.clipboard.readText()', reason: 'clipboard access' }, { script: 'navigator.geolocation.getCurrentPosition()', reason: 'geolocation', }, // Modal dialogs { script: 'window.alert("test")', reason: 'alert dialog' }, { script: 'window.confirm("test")', reason: 'confirm dialog' }, { script: 'window.prompt("test")', reason: 'prompt dialog' }, // Frame busting { script: 'window.top.location = "/"', reason: 'top frame access' }, { script: 'window.parent.document', reason: 'parent frame access' }, // WebAssembly { script: 'new WebAssembly.Module(buffer)', reason: 'WebAssembly' }, // Workers { script: 'new Worker("worker.js")', reason: 'Worker creation' }, { script: 'new SharedWorker("shared.js")', reason: 'SharedWorker' }, // Module loading { script: 'import("./module.js")', reason: 'dynamic import' }, ]; for (const { script, reason } of BLOCKED_SCRIPTS) { test(`blocks ${reason}: ${script.slice(0, 50)}...`, async () => { // Verify these patterns contain blocked terms const blockedTerms = [ 'eval', 'Function(', 'setTimeout', 'setInterval', 'document.cookie', 'localStorage', 'sessionStorage', 'fetch(', 'XMLHttpRequest', 'WebSocket', 'innerHTML', 'document.write', 'window.open', '__proto__', '.prototype', '.constructor', 'javascript:', 'data:', 'atob', 'String.fromCharCode', 'navigator.clipboard', 'navigator.geolocation', 'window.alert', 'window.confirm', 'window.prompt', 'window.top', 'window.parent', 'WebAssembly', 'Worker(', 'SharedWorker', 'import(', ]; const isBlocked = blockedTerms.some((term) => script.toLowerCase().includes(term.toLowerCase()) ); expect(isBlocked).toBe(true); }); } }); test.describe('Security - Script Allowlist Patterns', () => { // These patterns should be ALLOWED const ALLOWED_SCRIPTS = [ // DOM queries (read-only) { script: 'document.title', reason: 'page title' }, { script: 'document.querySelector(".class")', reason: 'querySelector' }, { script: 'document.querySelectorAll("div")', reason: 'querySelectorAll' }, { script: 'document.getElementById("id")', reason: 'getElementById' }, { script: 'document.getElementsByClassName("cls")', reason: 'getElementsByClassName', }, { script: 'document.getElementsByTagName("div")', reason: 'getElementsByTagName', }, // Element properties (read-only) { script: 'element.textContent', reason: 'textContent read' }, { script: 'element.innerText', reason: 'innerText read' }, { script: 'element.value', reason: 'input value read' }, { script: 'element.id', reason: 'element id' }, { script: 'element.className', reason: 'element className' }, { script: 'element.tagName', reason: 'element tagName' }, { script: 'element.getAttribute("data-test")', reason: 'getAttribute' }, { script: 'element.hasAttribute("disabled")', reason: 'hasAttribute' }, { script: 'element.dataset.testId', reason: 'dataset access' }, // Viewport/scroll info { script: 'window.innerWidth', reason: 'viewport width' }, { script: 'window.innerHeight', reason: 'viewport height' }, { script: 'window.scrollY', reason: 'scroll position Y' }, { script: 'window.scrollX', reason: 'scroll position X' }, { script: 'window.pageYOffset', reason: 'page offset Y' }, { script: 'window.devicePixelRatio', reason: 'device pixel ratio' }, // Computed styles { script: 'window.getComputedStyle(element)', reason: 'computed style' }, { script: 'element.getBoundingClientRect()', reason: 'bounding rect' }, // Document state { script: 'document.readyState', reason: 'ready state' }, { script: 'document.activeElement', reason: 'active element' }, { script: 'document.body.innerText', reason: 'body text' }, { script: 'document.forms.length', reason: 'form count' }, { script: 'document.links.length', reason: 'link count' }, { script: 'document.images.length', reason: 'image count' }, // Safe navigator properties { script: 'navigator.userAgent', reason: 'user agent' }, { script: 'navigator.language', reason: 'language' }, { script: 'navigator.platform', reason: 'platform' }, { script: 'navigator.onLine', reason: 'online status' }, // JSON serialization { script: 'JSON.stringify({ x: 1 })', reason: 'JSON stringify' }, // Element dimensions { script: 'element.offsetWidth', reason: 'offset width' }, { script: 'element.offsetHeight', reason: 'offset height' }, { script: 'element.clientWidth', reason: 'client width' }, { script: 'element.scrollHeight', reason: 'scroll height' }, // Boolean states { script: 'element.checked', reason: 'checkbox checked' }, { script: 'element.disabled', reason: 'disabled state' }, { script: 'element.hidden', reason: 'hidden state' }, { script: 'element.selected', reason: 'selected state' }, ]; for (const { script, reason } of ALLOWED_SCRIPTS) { test(`allows ${reason}: ${script.slice(0, 50)}...`, async () => { // Verify these patterns match safe patterns const safePatterns = [ /document\.title/, /document\.querySelector/, /document\.getElementById/, /document\.getElementsBy/, /\.textContent/, /\.innerText/, /\.value/, /\.id/, /\.className/, /\.tagName/, /\.getAttribute/, /\.hasAttribute/, /\.dataset/, /window\.innerWidth/, /window\.innerHeight/, /window\.scroll[XY]/, /window\.page[XY]Offset/, /window\.devicePixelRatio/, /window\.getComputedStyle/, /\.getBoundingClientRect/, /document\.readyState/, /document\.activeElement/, /document\.body/, /document\.forms/, /document\.links/, /document\.images/, /navigator\.userAgent/, /navigator\.language/, /navigator\.platform/, /navigator\.onLine/, /JSON\.stringify/, /\.offset(Width|Height)/, /\.client(Width|Height)/, /\.scroll(Width|Height)/, /\.checked/, /\.disabled/, /\.hidden/, /\.selected/, ]; const isAllowed = safePatterns.some((pattern) => pattern.test(script)); expect(isAllowed).toBe(true); }); } }); test.describe('Security - Edge Cases and Bypass Attempts', () => { // Edge cases that might try to bypass blocklist const BYPASS_ATTEMPTS = [ { script: 'ev\u0061l("test")', reason: 'unicode escape in eval', shouldBlock: true, }, { script: '(0, eval)("test")', reason: 'indirect eval', shouldBlock: true }, { script: 'window["eval"]("test")', reason: 'bracket notation eval', shouldBlock: true, }, { script: 'this.constructor.constructor("return 1")()', reason: 'nested constructor', shouldBlock: true, }, { script: '`${eval}`', reason: 'template literal with eval', shouldBlock: true, }, ]; for (const { script, reason, shouldBlock } of BYPASS_ATTEMPTS) { test(`handles bypass attempt: ${reason}`, async () => { // Check if the script contains blocked patterns const containsEval = script.includes('eval'); const containsConstructor = script.includes('constructor'); if (shouldBlock) { expect(containsEval || containsConstructor).toBe(true); } }); } }); test.describe('Security - URL Protocol Validation', () => { const VALID_URLS = [ 'http://example.com', 'https://example.com', 'http://localhost:3000', 'https://localhost:8080/path', 'http://127.0.0.1:3000', 'https://[::1]:3000', ]; const INVALID_URLS = [ 'javascript:alert(1)', 'data:text/html,<script>alert(1)</script>', 'file:///etc/passwd', 'ftp://example.com', 'ws://example.com', 'wss://example.com', 'blob:http://example.com/uuid', 'vbscript:msgbox("test")', ]; for (const url of VALID_URLS) { test(`allows valid URL: ${url}`, async () => { const parsed = new URL(url); expect(['http:', 'https:']).toContain(parsed.protocol); }); } for (const url of INVALID_URLS) { test(`blocks invalid URL: ${url.slice(0, 30)}...`, async () => { try { const parsed = new URL(url); expect(['http:', 'https:']).not.toContain(parsed.protocol); } catch { // Invalid URL format is also acceptable rejection expect(true).toBe(true); } }); } });

Loading blob content...

Latest Blog Posts

Don't Use Large Strings as Cache Keys
By punkpeye on January 11, 2026.
markdown
node-js
cache
What are Claude Skills?
By punkpeye on January 10, 2026.
mcp
skills
How to Test MCP Streamable HTTP Endpoints Using cURL
By punkpeye on January 2, 2026.
tutorial
bash

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/j0hanz/playwright-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server

security.spec.ts•11.2 kB