Poku is an open-source project, so you can see both the Source Code on GitHub Repository and the Distribution Code on NPM.
Some test runners use `eval`; Poku instead uses `spawn` to run each test file in its own isolated process, without transforming your files.
- Blocks access above the target directory by filtering `../` and `/` from paths, for example: `/root` will be sanitized to `./root`, and `../../etc/secret` will be sanitized to `./etc/secret`.
- Normalizes paths according to the OS, allowing all collaborators to use the same path, each on their own OS: `\` for Windows, `/` for Linux and macOS.
- Normalizes paths by filtering unusual path characters, for example: `<>|^?*`.
- Prevents shell scripts by setting `shell` to `false` in the `spawn` options, ensuring that only secure arguments will be used.
- Every RegExp is pre-tested using the ReDoS Checker.
Currently, security updates will be applied to the following versions of Poku:
| Version | Supported |
|---|---|
| 4.x.x | ✅ |
| 3.x.x | ❌ |
| 2.x.x | ❌ |
| 1.x.x | ❌ |
| 0.x.x | ❌ |
- Please give detailed reports.
- Include steps to reproduce the vulnerability, and if possible, a patch or workaround.
- Include the specific version of Poku you are using.
Reporting:
Once the issue has been resolved, you will be credited as part of the report.