@gblikas/querykit 0.0.0 → 0.1.0

package/src/security/validator.test.ts

@@ -331,6 +331,374 @@ describe('QuerySecurityValidator', () => {
     });
   });
 
+  describe('validateDenyValues', () => {
+    it('should accept queries when no denyValues are configured', () => {
+      const validator = new QuerySecurityValidator({});
+      const query = parser.parse('status:"deleted"');
+      expect(() => validator.validate(query)).not.toThrow();
+    });
+
+    it('should accept queries when value is not in denyValues list', () => {
+      const validator = new QuerySecurityValidator({
+        denyValues: {
+          status: ['deleted', 'banned']
+        }
+      });
+      const query = parser.parse('status:"active"');
+      expect(() => validator.validate(query)).not.toThrow();
+    });
+
+    it('should reject queries with denied string values', () => {
+      const validator = new QuerySecurityValidator({
+        denyValues: {
+          status: ['deleted', 'banned']
+        }
+      });
+      const query = parser.parse('status:"deleted"');
+      expect(() => validator.validate(query)).toThrow(QuerySecurityError);
+      expect(() => validator.validate(query)).toThrow(
+        'Invalid query parameters'
+      );
+    });
+
+    it('should reject queries with denied numeric values', () => {
+      const validator = new QuerySecurityValidator({
+        denyValues: {
+          priority: [0, -1]
+        }
+      });
+      const mockQuery: QueryExpression = {
+        type: 'comparison',
+        field: 'priority',
+        operator: '==',
+        value: 0
+      };
+      expect(() => validator.validate(mockQuery)).toThrow(QuerySecurityError);
+      expect(() => validator.validate(mockQuery)).toThrow(
+        'Invalid query parameters'
+      );
+    });
+
+    it('should reject queries with denied boolean values', () => {
+      const validator = new QuerySecurityValidator({
+        denyValues: {
+          isAdmin: [true]
+        }
+      });
+      const mockQuery: QueryExpression = {
+        type: 'comparison',
+        field: 'isAdmin',
+        operator: '==',
+        value: true
+      };
+      expect(() => validator.validate(mockQuery)).toThrow(QuerySecurityError);
+      expect(() => validator.validate(mockQuery)).toThrow(
+        'Invalid query parameters'
+      );
+    });
+
+    it('should reject queries with denied null values', () => {
+      const validator = new QuerySecurityValidator({
+        denyValues: {
+          deletedAt: [null]
+        }
+      });
+      const mockQuery: QueryExpression = {
+        type: 'comparison',
+        field: 'deletedAt',
+        operator: '==',
+        value: null
+      };
+      expect(() => validator.validate(mockQuery)).toThrow(QuerySecurityError);
+      expect(() => validator.validate(mockQuery)).toThrow(
+        'Invalid query parameters'
+      );
+    });
+
+    it('should reject queries with denied values in IN operator arrays', () => {
+      const validator = new QuerySecurityValidator({
+        denyValues: {
+          role: ['superadmin', 'system']
+        }
+      });
+      const mockQuery: QueryExpression = {
+        type: 'comparison',
+        field: 'role',
+        operator: 'IN',
+        value: ['admin', 'superadmin'] // Contains 'superadmin' which is denied
+      };
+      expect(() => validator.validate(mockQuery)).toThrow(QuerySecurityError);
+      expect(() => validator.validate(mockQuery)).toThrow(
+        'Invalid query parameters'
+      );
+    });
+
+    it('should accept IN operator arrays without denied values', () => {
+      const validator = new QuerySecurityValidator({
+        denyValues: {
+          role: ['superadmin', 'system']
+        }
+      });
+      const mockQuery: QueryExpression = {
+        type: 'comparison',
+        field: 'role',
+        operator: 'IN',
+        value: ['admin', 'user', 'moderator']
+      };
+      expect(() => validator.validate(mockQuery)).not.toThrow();
+    });
+
+    it('should validate denied values in nested logical expressions', () => {
+      const validator = new QuerySecurityValidator({
+        denyValues: {
+          status: ['deleted']
+        }
+      });
+      const query = parser.parse('name:"John" AND status:"deleted"');
+      expect(() => validator.validate(query)).toThrow(QuerySecurityError);
+      expect(() => validator.validate(query)).toThrow(
+        'Invalid query parameters'
+      );
+    });
+
+    it('should validate denied values in complex nested expressions', () => {
+      const validator = new QuerySecurityValidator({
+        denyValues: {
+          role: ['superadmin']
+        }
+      });
+      const query = parser.parse(
+        '(name:"John" OR name:"Jane") AND (role:"superadmin" OR status:"active")'
+      );
+      expect(() => validator.validate(query)).toThrow(QuerySecurityError);
+      expect(() => validator.validate(query)).toThrow(
+        'Invalid query parameters'
+      );
+    });
+
+    it('should support dot-notation field names in denyValues', () => {
+      const validator = new QuerySecurityValidator({
+        denyValues: {
+          'user.role': ['superadmin', 'system']
+        }
+      });
+      const query = parser.parse('user.role:"superadmin"');
+      expect(() => validator.validate(query)).toThrow(QuerySecurityError);
+      expect(() => validator.validate(query)).toThrow(
+        'Invalid query parameters'
+      );
+    });
+
+    it('should allow same value for different fields when only one is denied', () => {
+      const validator = new QuerySecurityValidator({
+        denyValues: {
+          role: ['admin']
+        }
+      });
+      // Query for 'type' field with value 'admin' should pass since only 'role' field denies 'admin'
+      const query = parser.parse('type:"admin"');
+      expect(() => validator.validate(query)).not.toThrow();
+    });
+
+    it('should handle multiple fields with denyValues', () => {
+      const validator = new QuerySecurityValidator({
+        denyValues: {
+          status: ['deleted', 'banned'],
+          role: ['superadmin'],
+          priority: [0]
+        }
+      });
+
+      // Should reject when any denied value is used
+      const query1 = parser.parse('status:"active" AND role:"superadmin"');
+      expect(() => validator.validate(query1)).toThrow(QuerySecurityError);
+
+      // Should accept when all values are allowed
+      const query2 = parser.parse('status:"active" AND role:"admin"');
+      expect(() => validator.validate(query2)).not.toThrow();
+    });
+
+    it('should work in combination with denyFields', () => {
+      const validator = new QuerySecurityValidator({
+        denyFields: ['password'],
+        denyValues: {
+          status: ['deleted']
+        }
+      });
+
+      // Should reject due to denyFields
+      const query1 = parser.parse('password:"secret"');
+      expect(() => validator.validate(query1)).toThrow(QuerySecurityError);
+
+      // Should reject due to denyValues
+      const query2 = parser.parse('status:"deleted"');
+      expect(() => validator.validate(query2)).toThrow(QuerySecurityError);
+
+      // Should accept when both are satisfied
+      const query3 = parser.parse('status:"active" AND username:"john"');
+      expect(() => validator.validate(query3)).not.toThrow();
+    });
+
+    it('should work in combination with allowedFields', () => {
+      const validator = new QuerySecurityValidator({
+        allowedFields: ['status', 'name'],
+        denyValues: {
+          status: ['deleted']
+        }
+      });
+
+      // Should reject due to denyValues
+      const query1 = parser.parse('status:"deleted"');
+      expect(() => validator.validate(query1)).toThrow(QuerySecurityError);
+
+      // Should accept when value is allowed
+      const query2 = parser.parse('status:"active" AND name:"John"');
+      expect(() => validator.validate(query2)).not.toThrow();
+    });
+
+    it('should handle string-number type coercion for denied values', () => {
+      const validator = new QuerySecurityValidator({
+        denyValues: {
+          code: [123, 456]
+        }
+      });
+      // Query with string "123" should match numeric 123 in denyValues
+      const query = parser.parse('code:"123"');
+      expect(() => validator.validate(query)).toThrow(QuerySecurityError);
+    });
+  });
+
+  describe('validateNoDotNotation (allowDotNotation)', () => {
+    it('should allow dot notation by default', () => {
+      const validator = new QuerySecurityValidator({});
+      const query = parser.parse('user.name:"John"');
+      expect(() => validator.validate(query)).not.toThrow();
+    });
+
+    it('should allow dot notation when explicitly enabled', () => {
+      const validator = new QuerySecurityValidator({
+        allowDotNotation: true
+      });
+      const query = parser.parse('user.name:"John" AND user.role:"admin"');
+      expect(() => validator.validate(query)).not.toThrow();
+    });
+
+    it('should reject dot notation when disabled', () => {
+      const validator = new QuerySecurityValidator({
+        allowDotNotation: false
+      });
+      const query = parser.parse('user.name:"John"');
+      expect(() => validator.validate(query)).toThrow(QuerySecurityError);
+      expect(() => validator.validate(query)).toThrow(
+        'Dot notation is not allowed in field names'
+      );
+    });
+
+    it('should include the field name in error message', () => {
+      const validator = new QuerySecurityValidator({
+        allowDotNotation: false
+      });
+      const query = parser.parse('metadata.secret:"value"');
+      expect(() => validator.validate(query)).toThrow('metadata.secret');
+    });
+
+    it('should suggest using simple field names in error message', () => {
+      const validator = new QuerySecurityValidator({
+        allowDotNotation: false
+      });
+      const query = parser.parse('user.email:"test@example.com"');
+      expect(() => validator.validate(query)).toThrow(
+        'use a simple field name without dots'
+      );
+    });
+
+    it('should allow simple field names when dot notation is disabled', () => {
+      const validator = new QuerySecurityValidator({
+        allowDotNotation: false
+      });
+      const query = parser.parse('name:"John" AND email:"john@example.com"');
+      expect(() => validator.validate(query)).not.toThrow();
+    });
+
+    it('should reject deeply nested dot notation', () => {
+      const validator = new QuerySecurityValidator({
+        allowDotNotation: false
+      });
+      const query = parser.parse('user.profile.settings.theme:"dark"');
+      expect(() => validator.validate(query)).toThrow(QuerySecurityError);
+      expect(() => validator.validate(query)).toThrow(
+        'user.profile.settings.theme'
+      );
+    });
+
+    it('should validate dot notation in nested logical expressions', () => {
+      const validator = new QuerySecurityValidator({
+        allowDotNotation: false
+      });
+      const query = parser.parse('name:"John" AND user.role:"admin"');
+      expect(() => validator.validate(query)).toThrow(QuerySecurityError);
+      expect(() => validator.validate(query)).toThrow('user.role');
+    });
+
+    it('should validate dot notation in complex nested expressions', () => {
+      const validator = new QuerySecurityValidator({
+        allowDotNotation: false
+      });
+      const query = parser.parse(
+        '(name:"John" OR name:"Jane") AND (status:"active" OR user.type:"premium")'
+      );
+      expect(() => validator.validate(query)).toThrow(QuerySecurityError);
+      expect(() => validator.validate(query)).toThrow('user.type');
+    });
+
+    it('should validate dot notation in OR branches', () => {
+      const validator = new QuerySecurityValidator({
+        allowDotNotation: false
+      });
+      const query = parser.parse('name:"John" OR metadata.tags:"vip"');
+      expect(() => validator.validate(query)).toThrow(QuerySecurityError);
+    });
+
+    it('should work with other security options when dot notation is disabled', () => {
+      const validator = new QuerySecurityValidator({
+        allowDotNotation: false,
+        allowedFields: ['name', 'email', 'status'],
+        maxQueryDepth: 3
+      });
+
+      // Should pass - simple fields, within depth
+      const validQuery = parser.parse('name:"John" AND status:"active"');
+      expect(() => validator.validate(validQuery)).not.toThrow();
+
+      // Should fail - dot notation
+      const dotQuery = parser.parse('user.name:"John"');
+      expect(() => validator.validate(dotQuery)).toThrow(
+        'Dot notation is not allowed'
+      );
+    });
+
+    it('should reject table-qualified column access when disabled', () => {
+      const validator = new QuerySecurityValidator({
+        allowDotNotation: false
+      });
+      // Simulating attempt to access another table's column
+      const query = parser.parse('users.password:"secret"');
+      expect(() => validator.validate(query)).toThrow(QuerySecurityError);
+      expect(() => validator.validate(query)).toThrow('users.password');
+    });
+
+    it('should reject JSON path access when disabled', () => {
+      const validator = new QuerySecurityValidator({
+        allowDotNotation: false
+      });
+      // Simulating attempt to access JSON/JSONB nested field
+      const query = parser.parse(
+        'config.database.connectionString:"postgres://"'
+      );
+      expect(() => validator.validate(query)).toThrow(QuerySecurityError);
+    });
+  });
+
   describe('SQL Injection Prevention', () => {
     // Testing protection against common SQL injection patterns
 

package/src/security/validator.ts

@@ -148,9 +148,17 @@ export class QuerySecurityValidator {
     expression: QueryExpression,
     schema?: Record<string, Record<string, unknown>>
   ): void {
+    // Check for dot notation if disabled
+    if (!this.options.allowDotNotation) {
+      this.validateNoDotNotation(expression);
+    }
+
     // Check for field restrictions if specified
     this.validateFields(expression, schema);
 
+    // Check for denied values if specified
+    this.validateDenyValues(expression);
+
     // Check query complexity
     this.validateQueryDepth(expression, 0);
     this.validateClauseCount(expression);
@@ -210,6 +218,115 @@ export class QuerySecurityValidator {
     }
   }
 
+  /**
+   * Validate that field names do not contain dot notation
+   *
+   * When allowDotNotation is disabled, this method ensures no field names
+   * contain dots, which could be used for:
+   * - Table-qualified column access (e.g., "users.password")
+   * - Nested JSON/JSONB field access (e.g., "metadata.secret")
+   * - Probing internal table structures
+   *
+   * @private
+   * @param expression - The query expression to validate
+   * @throws {QuerySecurityError} If a field name contains dot notation
+   */
+  private validateNoDotNotation(expression: QueryExpression): void {
+    if (expression.type === 'comparison') {
+      const { field } = expression;
+      if (field.includes('.')) {
+        throw new QuerySecurityError(
+          `Dot notation is not allowed in field names. ` +
+            `Found "${field}" - use a simple field name without dots instead.`
+        );
+      }
+    } else {
+      // Recursively validate logical expressions
+      this.validateNoDotNotation(expression.left);
+      if (expression.right) {
+        this.validateNoDotNotation(expression.right);
+      }
+    }
+  }
+
+  /**
+   * Validate that query values are not in the denied values list for their field
+   *
+   * This method checks each comparison expression to ensure the value being
+   * queried is not in the denyValues list for that field. This provides
+   * granular control over what values can be queried for specific fields.
+   *
+   * @private
+   * @param expression - The query expression to validate
+   * @throws {QuerySecurityError} If a denied value is found in the query
+   */
+  private validateDenyValues(expression: QueryExpression): void {
+    // Skip if no denyValues configured
+    if (Object.keys(this.options.denyValues).length === 0) {
+      return;
+    }
+
+    if (expression.type === 'comparison') {
+      const { field, value } = expression;
+      const deniedValues = this.options.denyValues[field];
+
+      if (deniedValues && deniedValues.length > 0) {
+        // Check if the value is an array (for IN/NOT IN operators)
+        if (Array.isArray(value)) {
+          for (const item of value) {
+            if (this.isValueDenied(item, deniedValues)) {
+              throw new QuerySecurityError('Invalid query parameters');
+            }
+          }
+        } else {
+          // Single value comparison
+          if (this.isValueDenied(value, deniedValues)) {
+            throw new QuerySecurityError('Invalid query parameters');
+          }
+        }
+      }
+    } else {
+      // Recursively validate logical expressions
+      this.validateDenyValues(expression.left);
+      if (expression.right) {
+        this.validateDenyValues(expression.right);
+      }
+    }
+  }
+
+  /**
+   * Check if a value is in the denied values list
+   *
+   * @private
+   * @param value - The value to check
+   * @param deniedValues - The list of denied values
+   * @returns true if the value is denied, false otherwise
+   */
+  private isValueDenied(
+    value: string | number | boolean | null,
+    deniedValues: Array<string | number | boolean | null>
+  ): boolean {
+    // Use strict equality to match values, handling type coercion properly
+    return deniedValues.some(deniedValue => {
+      // Handle null comparison explicitly
+      if (value === null && deniedValue === null) {
+        return true;
+      }
+      // Handle same-type comparison with strict equality
+      if (typeof value === typeof deniedValue) {
+        return value === deniedValue;
+      }
+      // Handle string/number comparison (common case)
+      if (typeof value === 'string' && typeof deniedValue === 'number') {
+        return value === String(deniedValue);
+      }
+      if (typeof value === 'number' && typeof deniedValue === 'string') {
+        return String(value) === deniedValue;
+      }
+      return false;
+    });
+  }
+
   /**
    * Validate that query depth does not exceed the maximum
    *