From 069678beac08ed0428faf14cdef43be3df6f6d7d Mon Sep 17 00:00:00 2001
From: Larry Gregory <larry.gregory@elastic.co>
Date: Mon, 21 Oct 2019 14:52:16 -0400
Subject: [PATCH] adding API smoke tests

---
 test/api_integration/apis/general/index.js    |  1 +
 .../apis/general/prototype_pollution.ts       | 57 +++++++++++++++++++
 2 files changed, 58 insertions(+)
 create mode 100644 test/api_integration/apis/general/prototype_pollution.ts

diff --git a/test/api_integration/apis/general/index.js b/test/api_integration/apis/general/index.js
index 86b7565cba6de..f8daff1a6e8a8 100644
--- a/test/api_integration/apis/general/index.js
+++ b/test/api_integration/apis/general/index.js
@@ -21,5 +21,6 @@ export default function ({ loadTestFile }) {
   describe('general', () => {
     loadTestFile(require.resolve('./cookies'));
     loadTestFile(require.resolve('./csp'));
+    loadTestFile(require.resolve('./prototype_pollution'));
   });
 }
diff --git a/test/api_integration/apis/general/prototype_pollution.ts b/test/api_integration/apis/general/prototype_pollution.ts
new file mode 100644
index 0000000000000..d9efc1a9933d7
--- /dev/null
+++ b/test/api_integration/apis/general/prototype_pollution.ts
@@ -0,0 +1,57 @@
+/*
+ * Licensed to Elasticsearch B.V. under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch B.V. licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import expect from '@kbn/expect';
+
+// eslint-disable-next-line import/no-default-export
+export default function({ getService }) {
+  const supertest = getService('supertest');
+
+  describe('prototype pollution smoke test', () => {
+    it('prevents payloads with the "constructor.prototype" pollution vector from being accepted', async () => {
+      await supertest
+        .post('/api/sample_data/some_data_id')
+        .send([
+          {
+            constructor: {
+              prototype: 'foo',
+            },
+          },
+        ])
+        .expect(400, {
+          statusCode: 400,
+          error: 'Bad Request',
+          message: '"value" constructor.prototype is an invalid key',
+          validation: { source: 'payload', keys: ['value'] },
+        });
+    });
+
+    it('prevents payloads with the "__proto__" pollution vector from being accepted', async () => {
+      await supertest
+        .post('/api/sample_data/some_data_id')
+        .send(JSON.parse(`{"foo": { "__proto__": {} } }`))
+        .expect(400, {
+          statusCode: 400,
+          error: 'Bad Request',
+          message: '"value" __proto__ is an invalid key',
+          validation: { source: 'payload', keys: ['value'] },
+        });
+    });
+  });
+}