From 37613aca0c2d237eb9644c116a2886e3f82f0975 Mon Sep 17 00:00:00 2001
From: jos
Date: Sun, 2 Apr 2017 13:18:55 +0200
Subject: [PATCH] Moved security related tests into a separate file
---
 test/expression/parse.test.js | 54 ------------------------------
 test/expression/security.test.js | 56 ++++++++++++++++++++++++++++++++
 2 files changed, 56 insertions(+), 54 deletions(-)
 create mode 100644 test/expression/security.test.js
diff --git a/test/expression/parse.test.js b/test/expression/parse.test.js
index 3aeb00644..c3a411a18 100644
--- a/test/expression/parse.test.js
+++ b/test/expression/parse.test.js
@@ -2041,58 +2041,4 @@ describe('parse', function() {
 });
- describe('security', function () {
-
- it ('should not allow calling Function/eval via a symbol', function () {
- assert.throws(function () {
- math.eval('disguised("console.log(\\"hacked...\\")")()', {disguised: eval})
- }, /Error: Calling "eval" is not allowed/)
-
- assert.throws(function () {
- math.eval('disguised("console.log(\\"hacked...\\")")()', {disguised: Function})
- }, /Error: Calling "Function" is not allowed/)
- })
-
- it ('should not allow calling Function/eval via an object property', function () {
- assert.throws(function () {
- math.eval('[].map.constructor("console.log(\\"hacked...\\")")()')
- }, /Error: Calling "Function" is not allowed/)
-
- assert.throws(function () {
- math.eval('obj.disguised("console.log(\\"hacked...\\")")()', {obj: {disguised: eval}})
- }, /Error: Calling "eval" is not allowed/)
-
- assert.throws(function () {
- math.eval('obj.disguised("console.log(\\"hacked...\\")")()', {obj: {disguised: Function}})
- }, /Error: Calling "Function" is not allowed/)
- })
-
- it ('should not allow calling Function/eval when returned by a function', function () {
- assert.throws(function () {
- math.eval('fn()("console.log(\\"hacked...\\")")()', {fn: function () {return Function}})
- }, /Error: Calling "Function" is not allowed/)
-
- assert.throws(function () {
- math.eval('fn()("console.log(\\"hacked...\\")")()', {fn: function () {return eval}})
- }, /Error: Calling "eval" is not allowed/)
- })
-
- it ('should not allow calling Function/eval via call/apply', function () {
- assert.throws(function () {
- math.eval('[].map.constructor.call(null, "console.log(\\"hacked...\\")")()')
- }, /Error: Calling "call" is not allowed/)
-
- assert.throws(function () {
- math.eval('[].map.constructor.apply(null, ["console.log(\\"hacked...\\")"])()')
- }, /Error: Calling "apply" is not allowed/)
- })
-
- it ('should not allow calling Function/eval via bind', function () {
- assert.throws(function () {
- math.eval('[].map.constructor.bind()("console.log(\\"hacked...\\")")()')
- }, /Error: Calling "bind" is not allowed/)
- })
-
- });
-
 });
diff --git a/test/expression/security.test.js b/test/expression/security.test.js
new file mode 100644
index 000000000..3c0213b6b
--- /dev/null
+++ b/test/expression/security.test.js
@@ -0,0 +1,56 @@
+var assert = require('assert');
+var math = require('../../index');
+
+describe('security', function () {
+
+ it ('should not allow calling Function/eval via a symbol', function () {
+ assert.throws(function () {
+ math.eval('disguised("console.log(\\"hacked...\\")")()', {disguised: eval})
+ }, /Error: Calling "eval" is not allowed/)
+
+ assert.throws(function () {
+ math.eval('disguised("console.log(\\"hacked...\\")")()', {disguised: Function})
+ }, /Error: Calling "Function" is not allowed/)
+ })
+
+ it ('should not allow calling Function/eval via an object property', function () {
+ assert.throws(function () {
+ math.eval('[].map.constructor("console.log(\\"hacked...\\")")()')
+ }, /Error: Calling "Function" is not allowed/)
+
+ assert.throws(function () {
+ math.eval('obj.disguised("console.log(\\"hacked...\\")")()', {obj: {disguised: eval}})
+ }, /Error: Calling "eval" is not allowed/)
+
+ assert.throws(function () {
+ math.eval('obj.disguised("console.log(\\"hacked...\\")")()', {obj: {disguised: Function}})
+ }, /Error: Calling "Function" is not allowed/)
+ })
+
+ it ('should not allow calling Function/eval when returned by a function', function () {
+ assert.throws(function () {
+ math.eval('fn()("console.log(\\"hacked...\\")")()', {fn: function () {return Function}})
+ }, /Error: Calling "Function" is not allowed/)
+
+ assert.throws(function () {
+ math.eval('fn()("console.log(\\"hacked...\\")")()', {fn: function () {return eval}})
+ }, /Error: Calling "eval" is not allowed/)
+ })
+
+ it ('should not allow calling Function/eval via call/apply', function () {
+ assert.throws(function () {
+ math.eval('[].map.constructor.call(null, "console.log(\\"hacked...\\")")()')
+ }, /Error: Calling "call" is not allowed/)
+
+ assert.throws(function () {
+ math.eval('[].map.constructor.apply(null, ["console.log(\\"hacked...\\")"])()')
+ }, /Error: Calling "apply" is not allowed/)
+ })
+
+ it ('should not allow calling Function/eval via bind', function () {
+ assert.throws(function () {
+ math.eval('[].map.constructor.bind()("console.log(\\"hacked...\\")")()')
+ }, /Error: Calling "bind" is not allowed/)
+ })
+
+});
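Review bot: The new file carries no header comment saying what these cases guard, so a reader has to reverse-engineer from the regexes that they are regression tests for the expression evaluator refusing to invoke `eval`, `Function`, `call`, `apply` and `bind` regardless of how the reference is reached (scope symbol, object property, a function's return value). I would add a short comment above `describe('security', ...)` stating that `math.eval` is expected to be safe to run on untrusted expression strings, that each case asserts rejection with a `Calling "..." is not allowed` error rather than execution of the payload, and that any future hardening of the evaluator should land together with a matching case in this file. The cases are an unchanged move of the block removed from parse.test.js in the first hunk, so no behavioural change is under review here. As a minor style point, every case repeats the same payload literal; a single `var` at the top of the file would keep each `it` focused on the access path it exercises.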