235 lines
7.6 KiB
JavaScript
235 lines
7.6 KiB
JavaScript
const fs = require('fs');
|
|
const vm = require('vm');
|
|
const path = require('path');
|
|
|
|
console.log("=== Running Security Enhancement Verification Tests ===");
|
|
|
|
// Helper to check for XSS patterns in strings
|
|
function containsXSS(str) {
|
|
const malicious = [
|
|
'<img',
|
|
'onerror',
|
|
'alert(1)',
|
|
'<script',
|
|
'javascript:'
|
|
];
|
|
return malicious.some(m => String(str).toLowerCase().includes(m));
|
|
}
|
|
|
|
// Mock DOM
|
|
const createMockElement = (id = 'mock') => {
|
|
const el = {
|
|
id,
|
|
classList: {
|
|
add: () => { },
|
|
remove: () => { },
|
|
contains: () => false,
|
|
toggle: () => { }
|
|
},
|
|
_innerHTML: '',
|
|
get innerHTML() { return this._innerHTML; },
|
|
set innerHTML(val) {
|
|
this._innerHTML = val;
|
|
if (containsXSS(val)) {
|
|
console.error(`❌ SECURITY VULNERABILITY: XSS payload detected in innerHTML of element "${id}"!`);
|
|
console.error(`Payload: ${val}`);
|
|
process.exit(1);
|
|
}
|
|
},
|
|
_textContent: '',
|
|
get textContent() { return this._textContent; },
|
|
set textContent(val) {
|
|
this._textContent = val;
|
|
// textContent is safe, so we don't crash here even if it contains payload
|
|
if (containsXSS(val)) {
|
|
console.log(`✅ Safe textContent usage detected in element "${id}" (Payload neutralized)`);
|
|
}
|
|
},
|
|
value: '',
|
|
style: { cssText: '', display: '' },
|
|
addEventListener: () => { },
|
|
removeEventListener: () => { },
|
|
appendChild: function(child) {
|
|
if (this.id === 'tags-list' || this.id === 'toast-container') {
|
|
// Check children for XSS
|
|
if (child._innerHTML && containsXSS(child._innerHTML)) {
|
|
console.error(`❌ SECURITY VULNERABILITY: Malicious child appended to "${this.id}"!`);
|
|
process.exit(1);
|
|
}
|
|
}
|
|
},
|
|
removeChild: () => { },
|
|
querySelector: (sel) => createMockElement(sel),
|
|
querySelectorAll: () => [createMockElement()],
|
|
getAttribute: () => '',
|
|
setAttribute: () => { },
|
|
remove: () => { },
|
|
dataset: {},
|
|
forEach: (cb) => [].forEach(cb) // for querySelectorAll
|
|
};
|
|
return el;
|
|
};
|
|
|
|
const sandbox = {
|
|
console: console,
|
|
document: {
|
|
body: createMockElement('body'),
|
|
createElement: (tag) => createMockElement(tag),
|
|
getElementById: (id) => createMockElement(id),
|
|
querySelector: (sel) => createMockElement(sel),
|
|
},
|
|
localStorage: {
|
|
_data: {},
|
|
getItem: function(key) { return this._data[key] || null; },
|
|
setItem: function(key, val) { this._data[key] = String(val); },
|
|
removeItem: function(key) { delete this._data[key]; }
|
|
},
|
|
fetch: () => Promise.reject(new Error('Network error')),
|
|
setTimeout: (cb) => cb(),
|
|
setInterval: () => { },
|
|
requestAnimationFrame: (cb) => cb(),
|
|
Date: Date,
|
|
Notification: { permission: 'denied', requestPermission: () => { } },
|
|
window: {
|
|
location: { href: '' },
|
|
open: () => {},
|
|
crypto: { randomUUID: () => '1234' }
|
|
},
|
|
crypto: { randomUUID: () => '1234' }
|
|
};
|
|
|
|
// Load source files
|
|
const files = [
|
|
'../src/utils.js',
|
|
'../src/constants.js',
|
|
'../src/api.js',
|
|
'../src/ui_helpers.js',
|
|
'../src/actions.js'
|
|
];
|
|
|
|
vm.createContext(sandbox);
|
|
|
|
// Helper to load and wrap ESM-like files into CJS for VM
|
|
function loadFile(relPath) {
|
|
let code = fs.readFileSync(path.join(__dirname, relPath), 'utf8');
|
|
// Simple regex replacements for imports/exports
|
|
code = code.replace(/export /g, '');
|
|
code = code.replace(/import .*? from .*?;/g, (match) => {
|
|
// We handle dependencies manually in this narrow test context
|
|
return `// ${match}`;
|
|
});
|
|
return code;
|
|
}
|
|
|
|
// Initial state mock
|
|
vm.runInContext(`
|
|
var authToken = null;
|
|
var currentUser = null;
|
|
var orderMap = new Map();
|
|
var userFlags = new Set();
|
|
var highlightTags = [];
|
|
var allWeeks = [];
|
|
var currentWeekNumber = 1;
|
|
var currentYear = 2024;
|
|
var displayMode = 'this-week';
|
|
var langMode = 'de';
|
|
|
|
// State setters
|
|
function setAuthToken(v) { authToken = v; }
|
|
function setCurrentUser(v) { currentUser = v; }
|
|
function setHighlightTags(v) { highlightTags = v; }
|
|
function setAllWeeks(v) { allWeeks = v; }
|
|
function setCurrentWeekNumber(v) { currentWeekNumber = v; }
|
|
function setCurrentYear(v) { currentYear = v; }
|
|
`, sandbox);
|
|
|
|
files.forEach(f => vm.runInContext(loadFile(f), sandbox));
|
|
|
|
// i18n mock
|
|
vm.runInContext(`
|
|
function t(key) { return key; }
|
|
`, sandbox);
|
|
|
|
async function runTests() {
|
|
console.log("--- Test 1: GUEST_TOKEN Removal ---");
|
|
const headers = sandbox.apiHeaders(null);
|
|
if (headers['Authorization']) {
|
|
console.error("❌ FAIL: Authorization header present for null token!");
|
|
process.exit(1);
|
|
} else {
|
|
console.log("✅ PASS: No Authorization header for unauthenticated calls.");
|
|
}
|
|
|
|
console.log("--- Test 2: XSS in renderTagsList ---");
|
|
sandbox.highlightTags = ['<img src=x onerror=alert(1)>'];
|
|
// This should NOT crash the test because it uses textContent now
|
|
sandbox.renderTagsList();
|
|
console.log("✅ PASS: renderTagsList handled malicious tag safely.");
|
|
|
|
console.log("--- Test 3: showErrorModal Security ---");
|
|
// New signature: title, message, details, btnText, url
|
|
sandbox.showErrorModal(
|
|
'<img src=x onerror=alert(1)>',
|
|
'<img src=x onerror=alert(1)>',
|
|
'<img src=x onerror=alert(1)>',
|
|
'Safe Btn',
|
|
'javascript:alert(1)'
|
|
);
|
|
console.log("✅ PASS: showErrorModal handled malicious payloads safely.");
|
|
|
|
console.log("--- Test 4: addHighlightTag Validation ---");
|
|
const invalidInputs = [
|
|
'<script>alert(1)</script>',
|
|
'a', // too short (min 2)
|
|
'verylongtagnameover20characterslong', // too long (max 20)
|
|
'invalid;char' // invalid chars
|
|
];
|
|
|
|
invalidInputs.forEach(input => {
|
|
const result = sandbox.addHighlightTag(input);
|
|
if (result === true) {
|
|
console.error(`❌ FAIL: Invalid input "${input}" was accepted!`);
|
|
process.exit(1);
|
|
}
|
|
});
|
|
|
|
const validInputs = ['short', 'Bio', 'Vegg-I', 'Menü 1'];
|
|
validInputs.forEach(input => {
|
|
const result = sandbox.addHighlightTag(input);
|
|
if (result === false && !sandbox.highlightTags.includes(input)) {
|
|
console.error(`❌ FAIL: Valid input "${input}" was rejected!`);
|
|
process.exit(1);
|
|
}
|
|
});
|
|
console.log("✅ PASS: addHighlightTag correctly rejected malicious/invalid inputs.");
|
|
|
|
console.log("--- Test 5: Auth Guards in Actions ---");
|
|
let fetchCalled = false;
|
|
sandbox.fetch = () => {
|
|
fetchCalled = true;
|
|
return Promise.resolve({ ok: true, json: () => Promise.resolve({ results: [] }) });
|
|
};
|
|
|
|
sandbox.authToken = null;
|
|
await sandbox.loadMenuDataFromAPI();
|
|
if (fetchCalled) {
|
|
console.error("❌ FAIL: loadMenuDataFromAPI attempted fetch without token!");
|
|
process.exit(1);
|
|
}
|
|
|
|
fetchCalled = false;
|
|
await sandbox.refreshFlaggedItems();
|
|
if (fetchCalled) {
|
|
console.error("❌ FAIL: refreshFlaggedItems attempted fetch without token!");
|
|
process.exit(1);
|
|
}
|
|
console.log("✅ PASS: Auth guards prevented unauthenticated API calls.");
|
|
|
|
console.log("\n✨ ALL SECURITY TESTS PASSED! ✨");
|
|
}
|
|
|
|
runTests().catch(err => {
|
|
console.error("Test execution failed:", err);
|
|
process.exit(1);
|
|
});
|