@bractjs/bractjs 0.1.5 → 0.1.7

package/src/__tests__/middleware.test.ts

@@ -0,0 +1,216 @@
+import { test, expect, describe } from "bun:test";
+import { MiddlewarePipeline } from "../server/middleware.ts";
+import type { MiddlewareContext } from "../server/middleware.ts";
+import { cors } from "../middleware/cors.ts";
+import { authGuard } from "../middleware/authGuard.ts";
+import { requestLogger } from "../middleware/requestLogger.ts";
+
+// ── Helpers ────────────────────────────────────────────────────────────────
+
+function makeCtx(override: Partial<MiddlewareContext> = {}): MiddlewareContext {
+  return {
+    request: new Request("http://localhost/"),
+    params: {},
+    context: {},
+    ...override,
+  };
+}
+
+const ok200 = async () => new Response("ok", { status: 200 });
+
+// ── MiddlewarePipeline ─────────────────────────────────────────────────────
+
+describe("MiddlewarePipeline", () => {
+  test("calls handler when no middleware registered", async () => {
+    const pipeline = new MiddlewarePipeline();
+    const res = await pipeline.run(makeCtx(), ok200);
+    expect(res.status).toBe(200);
+  });
+
+  test("runs middleware in registration order", async () => {
+    const order: number[] = [];
+    const pipeline = new MiddlewarePipeline();
+    pipeline
+      .use(async (ctx, next) => { order.push(1); const r = await next(); order.push(4); return r; })
+      .use(async (ctx, next) => { order.push(2); const r = await next(); order.push(3); return r; });
+
+    await pipeline.run(makeCtx(), ok200);
+    expect(order).toEqual([1, 2, 3, 4]);
+  });
+
+  test("middleware can short-circuit without calling next()", async () => {
+    const pipeline = new MiddlewarePipeline();
+    pipeline.use(async () => new Response("blocked", { status: 403 }));
+    const res = await pipeline.run(makeCtx(), ok200);
+    expect(res.status).toBe(403);
+    expect(await res.text()).toBe("blocked");
+  });
+
+  test("middleware can modify the response", async () => {
+    const pipeline = new MiddlewarePipeline();
+    pipeline.use(async (ctx, next) => {
+      const res = await next();
+      const patched = new Response(res.body, res);
+      patched.headers.set("X-Test", "injected");
+      return patched;
+    });
+    const res = await pipeline.run(makeCtx(), ok200);
+    expect(res.headers.get("X-Test")).toBe("injected");
+  });
+
+  test("use() is chainable", () => {
+    const pipeline = new MiddlewarePipeline();
+    const ret = pipeline.use(async (_, next) => next());
+    expect(ret).toBe(pipeline);
+  });
+
+  test("multiple pipelines are independent", async () => {
+    const p1 = new MiddlewarePipeline();
+    const p2 = new MiddlewarePipeline();
+    p1.use(async () => new Response("p1", { status: 201 }));
+    const r1 = await p1.run(makeCtx(), ok200);
+    const r2 = await p2.run(makeCtx(), ok200);
+    expect(r1.status).toBe(201);
+    expect(r2.status).toBe(200);
+  });
+});
+
+// ── cors() ─────────────────────────────────────────────────────────────────
+
+describe("cors()", () => {
+  test("adds CORS headers to regular requests for allowed origin", async () => {
+    const mw = cors({ origin: "https://example.com" });
+    const ctx = makeCtx({ request: new Request("http://localhost/", { headers: { Origin: "https://example.com" } }) });
+    const pipeline = new MiddlewarePipeline();
+    pipeline.use(mw);
+    const res = await pipeline.run(ctx, ok200);
+    expect(res.headers.get("Access-Control-Allow-Origin")).toBe("https://example.com");
+  });
+
+  test("wildcard origin allows any origin", async () => {
+    const mw = cors({ origin: "*" });
+    const ctx = makeCtx({ request: new Request("http://localhost/", { headers: { Origin: "https://any.com" } }) });
+    const pipeline = new MiddlewarePipeline();
+    pipeline.use(mw);
+    const res = await pipeline.run(ctx, ok200);
+    expect(res.headers.get("Access-Control-Allow-Origin")).toBeTruthy();
+  });
+
+  test("responds 204 to OPTIONS preflight", async () => {
+    const mw = cors({ origin: "*" });
+    const ctx = makeCtx({ request: new Request("http://localhost/", { method: "OPTIONS" }) });
+    const pipeline = new MiddlewarePipeline();
+    pipeline.use(mw);
+    const res = await pipeline.run(ctx, ok200);
+    expect(res.status).toBe(204);
+  });
+
+  test("does not set CORS header for disallowed origin", async () => {
+    const mw = cors({ origin: "https://allowed.com" });
+    const ctx = makeCtx({ request: new Request("http://localhost/", { headers: { Origin: "https://evil.com" } }) });
+    const pipeline = new MiddlewarePipeline();
+    pipeline.use(mw);
+    const res = await pipeline.run(ctx, ok200);
+    expect(res.headers.get("Access-Control-Allow-Origin")).toBeNull();
+  });
+
+  test("accepts array of origins", async () => {
+    const mw = cors({ origin: ["https://a.com", "https://b.com"] });
+    const ctx = makeCtx({ request: new Request("http://localhost/", { headers: { Origin: "https://b.com" } }) });
+    const pipeline = new MiddlewarePipeline();
+    pipeline.use(mw);
+    const res = await pipeline.run(ctx, ok200);
+    expect(res.headers.get("Access-Control-Allow-Origin")).toBe("https://b.com");
+  });
+
+  test("sets Access-Control-Allow-Methods header", async () => {
+    const mw = cors({ origin: "*", methods: ["GET", "POST"] });
+    const ctx = makeCtx({ request: new Request("http://localhost/", { method: "OPTIONS" }) });
+    const pipeline = new MiddlewarePipeline();
+    pipeline.use(mw);
+    const res = await pipeline.run(ctx, ok200);
+    expect(res.headers.get("Access-Control-Allow-Methods")).toBe("GET, POST");
+  });
+});
+
+// ── authGuard() ───────────────────────────────────────────────────────────
+
+describe("authGuard()", () => {
+  function makeSession(user: unknown) {
+    return {
+      getSession: async () => ({ get: (key: string) => (key === "user" ? user : undefined) }),
+    };
+  }
+
+  test("sets ctx.context.user from session", async () => {
+    const mw = authGuard({ session: makeSession({ id: 1 }) });
+    const ctx = makeCtx();
+    const pipeline = new MiddlewarePipeline();
+    pipeline.use(mw);
+    await pipeline.run(ctx, ok200);
+    expect(ctx.context.user).toEqual({ id: 1 });
+  });
+
+  test("sets ctx.context.user to null when no session user", async () => {
+    const mw = authGuard({ session: makeSession(undefined) });
+    const ctx = makeCtx();
+    const pipeline = new MiddlewarePipeline();
+    pipeline.use(mw);
+    await pipeline.run(ctx, ok200);
+    expect(ctx.context.user).toBeNull();
+  });
+
+  test("required=true returns 401 when no user", async () => {
+    const mw = authGuard({ session: makeSession(undefined), required: true });
+    const pipeline = new MiddlewarePipeline();
+    pipeline.use(mw);
+    const res = await pipeline.run(makeCtx(), ok200);
+    expect(res.status).toBe(401);
+    const body = await res.json() as { error: string };
+    expect(body.error).toBe("Unauthorized");
+  });
+
+  test("required=true allows request when user is present", async () => {
+    const mw = authGuard({ session: makeSession({ id: 99 }), required: true });
+    const pipeline = new MiddlewarePipeline();
+    pipeline.use(mw);
+    const res = await pipeline.run(makeCtx(), ok200);
+    expect(res.status).toBe(200);
+  });
+
+  test("required=false (default) allows unauthenticated request", async () => {
+    const mw = authGuard({ session: makeSession(undefined), required: false });
+    const pipeline = new MiddlewarePipeline();
+    pipeline.use(mw);
+    const res = await pipeline.run(makeCtx(), ok200);
+    expect(res.status).toBe(200);
+  });
+});
+
+// ── requestLogger() ───────────────────────────────────────────────────────
+
+describe("requestLogger()", () => {
+  test("passes the response through unchanged", async () => {
+    const mw = requestLogger();
+    const pipeline = new MiddlewarePipeline();
+    pipeline.use(mw);
+    const res = await pipeline.run(makeCtx(), ok200);
+    expect(res.status).toBe(200);
+    expect(await res.text()).toBe("ok");
+  });
+
+  test("logs path and status to console (smoke test)", async () => {
+    const logs: string[] = [];
+    const original = console.log;
+    console.log = (...args: unknown[]) => logs.push(args.join(" "));
+    const mw = requestLogger();
+    const ctx = makeCtx({ request: new Request("http://localhost/hello") });
+    const pipeline = new MiddlewarePipeline();
+    pipeline.use(mw);
+    await pipeline.run(ctx, ok200);
+    console.log = original;
+    expect(logs.length).toBeGreaterThan(0);
+    expect(logs[0]).toContain("/hello");
+    expect(logs[0]).toContain("200");
+  });
+});

package/src/__tests__/response.test.ts

@@ -0,0 +1,106 @@
+import { test, expect, describe } from "bun:test";
+import { redirect, json, error } from "../server/response.ts";
+
+describe("redirect", () => {
+  test("returns 302 by default with Location header", () => {
+    const res = redirect("/dashboard");
+    expect(res.status).toBe(302);
+    expect(res.headers.get("Location")).toBe("/dashboard");
+  });
+
+  test("accepts custom status codes (301, 307, 308)", () => {
+    expect(redirect("/old", 301).status).toBe(301);
+    expect(redirect("/tmp", 307).status).toBe(307);
+    expect(redirect("/perm", 308).status).toBe(308);
+  });
+
+  test("body is null", async () => {
+    const res = redirect("/");
+    expect(await res.text()).toBe("");
+  });
+
+  describe("open-redirect guard", () => {
+    test("rejects absolute http(s) URLs", () => {
+      expect(() => redirect("https://evil.com/")).toThrow();
+      expect(() => redirect("http://evil.com")).toThrow();
+    });
+
+    test("rejects protocol-relative URLs (//evil.com)", () => {
+      expect(() => redirect("//evil.com/path")).toThrow();
+    });
+
+    test("rejects backslash protocol-relative variant", () => {
+      expect(() => redirect("/\\evil.com")).toThrow();
+    });
+
+    test("rejects javascript: and data: schemes", () => {
+      expect(() => redirect("javascript:alert(1)")).toThrow();
+      expect(() => redirect("data:text/html,x")).toThrow();
+    });
+
+    test("allows same-path redirects", () => {
+      expect(redirect("/foo").headers.get("Location")).toBe("/foo");
+      expect(redirect("/foo?q=1#x").headers.get("Location")).toBe("/foo?q=1#x");
+    });
+
+    test("opt-in: allowExternal lets through absolute URL", () => {
+      const res = redirect("https://allowed.example/path", 302, undefined, { allowExternal: true });
+      expect(res.headers.get("Location")).toBe("https://allowed.example/path");
+    });
+  });
+});
+
+describe("json", () => {
+  test("sets Content-Type to application/json", () => {
+    const res = json({ ok: true });
+    expect(res.headers.get("Content-Type")).toContain("application/json");
+  });
+
+  test("serializes data to JSON body", async () => {
+    const res = json({ name: "bract", version: 1 });
+    const body = await res.json() as { name: string; version: number };
+    expect(body.name).toBe("bract");
+    expect(body.version).toBe(1);
+  });
+
+  test("defaults to 200 status", () => {
+    expect(json({}).status).toBe(200);
+  });
+
+  test("respects custom status in init", () => {
+    expect(json({}, { status: 201 }).status).toBe(201);
+  });
+
+  test("merges custom headers while preserving Content-Type", () => {
+    const res = json({}, { headers: { "X-Custom": "yes" } });
+    expect(res.headers.get("X-Custom")).toBe("yes");
+    expect(res.headers.get("Content-Type")).toContain("application/json");
+  });
+
+  test("serializes arrays", async () => {
+    const res = json([1, 2, 3]);
+    const body = await res.json() as number[];
+    expect(body).toEqual([1, 2, 3]);
+  });
+
+  test("serializes null", async () => {
+    const res = json(null);
+    expect(await res.text()).toBe("null");
+  });
+});
+
+describe("error", () => {
+  test("returns 500 by default", () => {
+    expect(error("internal").status).toBe(500);
+  });
+
+  test("body is JSON with error field", async () => {
+    const res = error("something failed");
+    const body = await res.json() as { error: string };
+    expect(body.error).toBe("something failed");
+  });
+
+  test("accepts custom status", () => {
+    expect(error("not allowed", 403).status).toBe(403);
+  });
+});

package/src/__tests__/security.test.ts

@@ -0,0 +1,348 @@
+import { test, expect, describe, beforeAll, afterAll } from "bun:test";
+import { mkdir, rm, writeFile, symlink } from "node:fs/promises";
+import { resolve, join } from "node:path";
+import { tmpdir } from "node:os";
+import { createServer } from "../server/serve.ts";
+import { handleActionRequest } from "../server/action-handler.ts";
+import { loadServerActions } from "../server/action-registry.ts";
+import { safeStringify } from "../server/env.ts";
+import { cors } from "../middleware/cors.ts";
+import { createCookieSession } from "../server/session.ts";
+import { MiddlewarePipeline, type MiddlewareContext } from "../server/middleware.ts";
+import { serveStatic } from "../server/static.ts";
+import { handleImageRequest } from "../image/handler.ts";
+
+const ACTION_TMP = resolve(import.meta.dir, ".tmp-security-action");
+let registeredActionId = "";
+
+async function computeId(filePath: string, name: string): Promise<string> {
+  const raw = new TextEncoder().encode(filePath + "#" + name);
+  const buf = await crypto.subtle.digest("SHA-256", raw);
+  return Array.from(new Uint8Array(buf))
+    .map((b) => b.toString(16).padStart(2, "0"))
+    .join("")
+    .slice(0, 16);
+}
+
+const PORT = 3998;
+const BASE = `http://localhost:${PORT}`;
+const FIXTURE_APP = resolve(import.meta.dir, "fixtures/app");
+
+let handle: ReturnType<typeof createServer>;
+
+beforeAll(async () => {
+  handle = createServer({
+    port: PORT,
+    appDir: FIXTURE_APP,
+    manifest: { clientEntry: "/build/client/client.js", routes: {} },
+  });
+
+  await rm(ACTION_TMP, { recursive: true, force: true });
+  await mkdir(join(ACTION_TMP, "routes"), { recursive: true });
+  const actionFile = join(ACTION_TMP, "routes", "_index.tsx");
+  await writeFile(actionFile, `"use server";\nexport async function ping(...args) { return args; }\n`);
+  await loadServerActions(ACTION_TMP);
+  registeredActionId = await computeId(actionFile, "ping");
+});
+
+afterAll(async () => {
+  handle.stop();
+  await rm(ACTION_TMP, { recursive: true, force: true });
+});
+
+// ── Item 1 — path traversal ───────────────────────────────────────────────
+
+describe("path traversal", () => {
+  test("GET /public/../package.json returns 404, not file contents", async () => {
+    const res = await fetch(`${BASE}/public/../package.json`);
+    expect(res.status).toBe(404);
+    const body = await res.text();
+    expect(body).not.toContain("@bractjs/bractjs");
+  });
+});
+
+// ── Item 2 — action arg validation ────────────────────────────────────────
+
+describe("action-handler — arg validation", () => {
+  test("non-array JSON body → 400", async () => {
+    const req = new Request(`http://x/_action?id=${registeredActionId}`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json", "X-BractJS-Action": "1" },
+      body: JSON.stringify({ foo: "bar" }),
+    });
+    const res = await handleActionRequest(req);
+    expect(res?.status).toBe(400);
+  });
+
+  test("array with __proto__ key → 400", async () => {
+    const req = new Request(`http://x/_action?id=${registeredActionId}`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json", "X-BractJS-Action": "1" },
+      // Use JSON.parse to actually inject __proto__ as an own key
+      body: '[{"__proto__":{"polluted":true}}]',
+    });
+    const res = await handleActionRequest(req);
+    expect(res?.status).toBe(400);
+  });
+
+  test("array with constructor key → 400", async () => {
+    const req = new Request(`http://x/_action?id=${registeredActionId}`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json", "X-BractJS-Action": "1" },
+      body: '[{"constructor":1}]',
+    });
+    const res = await handleActionRequest(req);
+    expect(res?.status).toBe(400);
+  });
+
+  test("JSON body > 1 MiB rejected with 413 (advertised via Content-Length)", async () => {
+    const huge = "a".repeat(2 * 1024 * 1024);
+    const req = new Request(`http://x/_action?id=${registeredActionId}`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "X-BractJS-Action": "1",
+        "Content-Length": String(2 * 1024 * 1024 + 2),
+      },
+      body: `["${huge}"]`,
+    });
+    const res = await handleActionRequest(req);
+    expect(res?.status).toBe(413);
+  });
+
+  test("JSON body > 1 MiB rejected with 413 even when Content-Length lies", async () => {
+    const huge = "a".repeat(2 * 1024 * 1024);
+    const req = new Request(`http://x/_action?id=${registeredActionId}`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "X-BractJS-Action": "1",
+        "Content-Length": "10",
+      },
+      body: `["${huge}"]`,
+    });
+    const res = await handleActionRequest(req);
+    expect(res?.status).toBe(413);
+  });
+});
+
+// ── Item 3 — CSRF ─────────────────────────────────────────────────────────
+
+describe("CSRF — cross-origin mutation", () => {
+  test("/_action without X-BractJS-Action and with cross-origin Origin → 403", async () => {
+    const req = new Request("http://localhost/_action?id=abc", {
+      method: "POST",
+      headers: { Origin: "https://evil.example" },
+      body: "[]",
+    });
+    const res = await handleActionRequest(req);
+    expect(res?.status).toBe(403);
+  });
+
+  test("/_action with same-origin Origin → not 403 (404 unknown id)", async () => {
+    const req = new Request("http://localhost/_action?id=abc", {
+      method: "POST",
+      headers: { Origin: "http://localhost", "Content-Type": "application/json" },
+      body: "[]",
+    });
+    const res = await handleActionRequest(req);
+    expect(res?.status).not.toBe(403);
+  });
+
+  test("route POST with mismatched Origin → 403", async () => {
+    const res = await fetch(`${BASE}/`, {
+      method: "POST",
+      body: new FormData(),
+      headers: { Origin: "https://evil.example" },
+    });
+    expect(res.status).toBe(403);
+  });
+});
+
+// ── Item 5 — safeStringify ───────────────────────────────────────────────
+
+describe("safeStringify", () => {
+  test("escapes U+2028 / U+2029", () => {
+    const ls = String.fromCharCode(0x2028);
+    const ps = String.fromCharCode(0x2029);
+    const out = safeStringify({ a: `x${ls}y${ps}z` });
+    expect(out).not.toContain(ls);
+    expect(out).not.toContain(ps);
+    expect(out).toContain("\\u2028");
+    expect(out).toContain("\\u2029");
+  });
+
+  test("escapes < > &", () => {
+    const out = safeStringify({ x: "<script>&" });
+    expect(out).toContain("\\u003c");
+    expect(out).toContain("\\u003e");
+    expect(out).toContain("\\u0026");
+  });
+});
+
+// ── Item 6 — session ─────────────────────────────────────────────────────
+
+describe("session — secret validation", () => {
+  test("empty secrets throws", () => {
+    expect(() => createCookieSession({ name: "s", secrets: [] })).toThrow();
+  });
+
+  test("short secret throws", () => {
+    expect(() => createCookieSession({ name: "s", secrets: ["short"] })).toThrow();
+  });
+
+  test("valid secret roundtrips", async () => {
+    const s = createCookieSession({ name: "s", secrets: ["a-secret-that-is-long-enough-1"] });
+    const sess = await s.getSession(null);
+    sess.set("k", "v");
+    const cookie = await s.commitSession(sess);
+    const rt = await s.getSession(cookie.split(";")[0]);
+    expect(rt.get("k")).toBe("v");
+  });
+
+  test("tampered signature rejected", async () => {
+    const s = createCookieSession({ name: "s", secrets: ["a-secret-that-is-long-enough-1"] });
+    const sess = await s.getSession(null);
+    sess.set("k", "v");
+    const cookie = await s.commitSession(sess);
+    const tampered = cookie.replace(/=([^;]+)/, (_, val) => `=${val.slice(0, -1)}X`);
+    const rt = await s.getSession(tampered.split(";")[0]);
+    expect(rt.has("k")).toBe(false);
+  });
+});
+
+// ── Item 7 — CORS ────────────────────────────────────────────────────────
+
+describe("cors middleware", () => {
+  async function runOnce(mw: ReturnType<typeof cors>, req: Request): Promise<Response> {
+    const ctx: MiddlewareContext = { request: req, params: {}, context: {} };
+    const pipeline = new MiddlewarePipeline();
+    pipeline.use(mw);
+    return pipeline.run(ctx, () => Promise.resolve(new Response("ok")));
+  }
+
+  test("wildcard never reflects Origin", async () => {
+    const mw = cors({ origin: "*" });
+    const res = await runOnce(mw, new Request("http://x/", { headers: { Origin: "https://evil.example" } }));
+    expect(res.headers.get("Access-Control-Allow-Origin")).toBe("*");
+  });
+
+  test("always emits Vary: Origin", async () => {
+    const mw = cors({ origin: "https://ok.example" });
+    const res = await runOnce(mw, new Request("http://x/", { headers: { Origin: "https://ok.example" } }));
+    expect(res.headers.get("Vary")).toContain("Origin");
+  });
+
+  test("credentials + wildcard throws at setup", () => {
+    expect(() => cors({ origin: "*", credentials: true })).toThrow();
+  });
+});
+
+// ── Item 8 — image dim validation ────────────────────────────────────────
+
+describe("image handler — dim allowlist", () => {
+  test("w=999 (not in allowlist) → 400", async () => {
+    const res = await fetch(`${BASE}/_image?src=/public/a.jpg&w=999`);
+    expect(res.status).toBe(400);
+  });
+
+  test("w=320 (in allowlist) → not 400 (404 because file missing)", async () => {
+    const res = await fetch(`${BASE}/_image?src=/public/missing.jpg&w=320`);
+    expect(res.status).toBe(404);
+  });
+
+  test("w=3840&h=3840 (area too large) → 400", async () => {
+    const res = await fetch(`${BASE}/_image?src=/public/a.jpg&w=3840&h=3840`);
+    expect(res.status).toBe(400);
+  });
+});
+
+// ── Item 11 — HttpError → response ───────────────────────────────────────
+// (Implicitly covered: integration.test.ts hits a route; this test exercises
+// the conversion via a direct loader throw is awkward without fixtures. Skip
+// here — the request-handler change is type-checked + reachable via redirect.)
+
+// ── Item 12 — Content-Type branching for action ──────────────────────────
+
+describe("action Content-Type branching", () => {
+  test("JSON content-type does not require multipart formData", async () => {
+    const res = await fetch(`${BASE}/`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json", Origin: BASE },
+      body: JSON.stringify({ name: "bract" }),
+    });
+    // The fixture's action accepts FormData; with JSON CT, request-handler
+    // passes an empty FormData and the action returns. Should not 500 from
+    // formData() throwing.
+    expect([200, 302, 400, 404]).toContain(res.status);
+  });
+});
+
+// ── Item 14 — meta is array in __BRACTJS_DATA__ ─────────────────────────
+
+describe("render meta shape", () => {
+  test("__BRACTJS_DATA__.meta is an array", async () => {
+    const res = await fetch(`${BASE}/`);
+    const html = await res.text();
+    const match = html.match(/window\.__BRACTJS_DATA__=({[\s\S]*?});/);
+    expect(match).not.toBeNull();
+    const data = JSON.parse(match![1]) as { meta: unknown };
+    expect(Array.isArray(data.meta)).toBe(true);
+  });
+});
+
+// ── Item 20 — middleware double-next ─────────────────────────────────────
+
+describe("middleware — double next()", () => {
+  test("calling next() twice rejects", async () => {
+    const pipeline = new MiddlewarePipeline();
+    pipeline.use(async (_ctx, next) => {
+      await next();
+      return next(); // illegal
+    });
+    const ctx: MiddlewareContext = { request: new Request("http://x/"), params: {}, context: {} };
+    await expect(pipeline.run(ctx, () => Promise.resolve(new Response("ok")))).rejects.toThrow(/more than once/);
+  });
+});
+
+// ── Symlink escape (static + image) ─────────────────────────────────────
+
+describe("symlink escape — static", () => {
+  let pub: string;
+  let outside: string;
+  let buildDir: string;
+
+  beforeAll(async () => {
+    const root = await Bun.file(tmpdir()).exists() ? tmpdir() : ".";
+    pub = join(root, `bract-sym-pub-${Date.now()}`);
+    outside = join(root, `bract-sym-out-${Date.now()}`);
+    buildDir = join(root, `bract-sym-build-${Date.now()}`);
+    await mkdir(pub, { recursive: true });
+    await mkdir(outside, { recursive: true });
+    await mkdir(join(buildDir, "client"), { recursive: true });
+    await writeFile(join(outside, "secret.txt"), "PWNED");
+    // Symlink inside /public/ that points outside the root.
+    await symlink(join(outside, "secret.txt"), join(pub, "escape.txt"));
+  });
+
+  afterAll(async () => {
+    await rm(pub, { recursive: true, force: true });
+    await rm(outside, { recursive: true, force: true });
+    await rm(buildDir, { recursive: true, force: true });
+  });
+
+  test("static refuses to serve a symlink whose target is outside publicDir", async () => {
+    const res = await serveStatic("/public/escape.txt", buildDir, pub);
+    expect(res).toBeNull();
+  });
+
+  test("image /_image refuses src that symlinks outside publicDir", async () => {
+    const cacheDir = join(tmpdir(), `bract-sym-cache-${Date.now()}`);
+    await mkdir(cacheDir, { recursive: true });
+    const req = new Request(`http://x/_image?src=/public/escape.txt&w=320`);
+    const res = await handleImageRequest(req, pub, cacheDir);
+    expect(res?.status === 400 || res?.status === 404).toBe(true);
+    await rm(cacheDir, { recursive: true, force: true });
+  });
+});
+