@jmruthers/pace-core 0.5.3 → 0.5.5

package/src/validation/__tests__/sqlInjectionProtection.unit.test.ts

@@ -0,0 +1,466 @@
+/**
+ * @file SQL Injection Protection Unit Tests
+ * @package @jmruthers/pace-core
+ * @module Validation/SQLInjectionProtection/Tests
+ * @since 0.1.0
+ */
+
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+import {
+  detectSQLInjection,
+  sanitizeSearchQuery,
+  sanitizeFilters,
+  buildSafeQueryParams,
+  searchQuerySchema,
+  sqlIdentifierSchema,
+  orderBySchema,
+  limitOffsetSchema,
+  SafeQueryParams,
+} from '../sqlInjectionProtection';
+
+describe('SQL Injection Protection', () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  describe('detectSQLInjection', () => {
+    it('should detect basic SQL injection patterns', () => {
+      const maliciousInputs = [
+        "'; DROP TABLE users; --",
+        "admin'; --",
+        "1 OR 1=1",
+        "UNION SELECT * FROM passwords",
+        "'; INSERT INTO users VALUES ('hacker', 'password'); --",
+        "' OR '1'='1",
+        "1; DELETE FROM users; --",
+        "'; EXEC xp_cmdshell('format C:'); --",
+        "' UNION ALL SELECT creditcard FROM creditcards WHERE 1=1--",
+      ];
+
+      maliciousInputs.forEach(input => {
+        const result = detectSQLInjection(input);
+        expect(result.isSuspicious).toBe(true);
+        expect(result.patterns.length).toBeGreaterThan(0);
+        expect(['low', 'medium', 'high', 'critical']).toContain(result.riskLevel);
+      });
+    });
+
+    it('should not detect legitimate queries', () => {
+      const legitimateInputs = [
+        "test",
+        "data", 
+        "app",
+        "web",
+        "dev",
+        "key",
+        "tag",
+        "cat",
+        "xyz",
+      ];
+
+      legitimateInputs.forEach(input => {
+        const result = detectSQLInjection(input);
+        expect(result.isSuspicious).toBe(false);
+        expect(result.patterns).toHaveLength(0);
+        expect(result.riskLevel).toBe('low');
+      });
+    });
+
+    it('should handle case-insensitive patterns', () => {
+      const caseSensitiveInputs = [
+        "admin' OR '1'='1",
+        "ADMIN' or '1'='1",
+        "Admin' Or '1'='1",
+        "'; drop table users; --",
+        "'; DROP TABLE USERS; --",
+        "'; Drop Table Users; --",
+      ];
+
+      caseSensitiveInputs.forEach(input => {
+        const result = detectSQLInjection(input);
+        expect(result.isSuspicious).toBe(true);
+        expect(result.patterns.length).toBeGreaterThan(0);
+      });
+    });
+
+    it('should assign appropriate risk levels', () => {
+      const criticalInput = "'; DROP TABLE users; --";
+      const criticalResult = detectSQLInjection(criticalInput);
+      expect(criticalResult.riskLevel).toBe('critical');
+
+      const mediumInput = "1 OR 1=1";
+      const mediumResult = detectSQLInjection(mediumInput);
+      expect(['medium', 'high', 'critical']).toContain(mediumResult.riskLevel);
+    });
+
+    it('should handle empty and null inputs', () => {
+      expect(() => detectSQLInjection('')).not.toThrow();
+      expect(() => detectSQLInjection('  ')).not.toThrow();
+    });
+  });
+
+  describe('sanitizeSearchQuery', () => {
+    it('should remove dangerous characters', () => {
+      const dangerousInput = "test';\"%\\";
+      const sanitized = sanitizeSearchQuery(dangerousInput);
+      
+      // Only these characters are removed by DANGEROUS_CHARS regex: /[';\"\\%]/g
+      expect(sanitized).not.toContain("'");
+      expect(sanitized).not.toContain(';');
+      expect(sanitized).not.toContain('"');
+      expect(sanitized).not.toContain('%');
+      expect(sanitized).not.toContain('\\');
+      expect(sanitized).toBe('test'); // All dangerous chars removed
+    });
+
+    it('should preserve safe content', () => {
+      const safeInput = "John Smith";
+      const sanitized = sanitizeSearchQuery(safeInput);
+      
+      expect(sanitized).toBe(safeInput);
+    });
+
+    it('should handle various dangerous characters', () => {
+      const inputWithDangerousChars = "test';\"%\\";
+      const sanitized = sanitizeSearchQuery(inputWithDangerousChars);
+      
+      expect(sanitized).not.toContain("'");
+      expect(sanitized).not.toContain(';');
+      expect(sanitized).not.toContain('"');
+      expect(sanitized).not.toContain('%');
+      expect(sanitized).not.toContain('\\');
+    });
+
+    it('should handle empty input', () => {
+      const empty = sanitizeSearchQuery('');
+      expect(empty).toBe('');
+    });
+  });
+
+  describe('sanitizeFilters', () => {
+    it('should sanitize valid filter objects', () => {
+      const filters = {
+        name: "test",  // Safe string that passes validation
+        age: 25,
+        active: true,
+        tags: ["web", "app", "dev"],  // Safe strings
+      };
+
+      const sanitized = sanitizeFilters(filters);
+
+      expect(sanitized.name).toBe("test");
+      expect(sanitized.age).toBe(25);
+      expect(sanitized.active).toBe(true);
+      expect(sanitized.tags).toEqual(["web", "app", "dev"]);
+    });
+
+    it('should remove invalid filter keys', () => {
+      const consoleSpy = vi.spyOn(console, 'warn').mockImplementation(() => {});
+      
+      const filters = {
+        "testfield": "data",  // Safe field name and value
+        "'; DROP TABLE users; --": "malicious",
+        "appkey": 123,   // Safe field name
+      };
+
+      const sanitized = sanitizeFilters(filters);
+
+      expect(sanitized.testfield).toBe("data");
+      expect(sanitized.appkey).toBe(123);
+      expect(sanitized["'; DROP TABLE users; --"]).toBeUndefined();
+      expect(consoleSpy).toHaveBeenCalled();
+      
+      consoleSpy.mockRestore();
+    });
+
+    it('should sanitize string values in filters', () => {
+      const filters = {
+        search: "test%data", // Using % which will be removed
+        category: "web",  // Safe category
+      };
+
+      const sanitized = sanitizeFilters(filters);
+
+      // The dangerous % character should be removed by sanitizeSearchQuery
+      expect(sanitized.search).toBe("testdata"); // % removed
+      expect(sanitized.category).toBe("web");
+    });
+
+    it('should handle array filters', () => {
+      const filters = {
+        categories: ["electronics", "books", "clothing"],
+        ids: [1, 2, 3, 4, 5],
+        mixed: ["valid", 123, "test';--"],
+      };
+
+      const sanitized = sanitizeFilters(filters);
+
+      expect(sanitized.categories).toEqual(["electronics", "books", "clothing"]);
+      expect(sanitized.ids).toEqual([1, 2, 3, 4, 5]);
+      expect(sanitized.mixed).toHaveLength(3);
+      expect(sanitized.mixed[2]).not.toContain("'");
+    });
+
+    it('should limit array size', () => {
+      const largeArray = Array.from({ length: 150 }, (_, i) => i);
+      const filters = {
+        ids: largeArray,
+      };
+
+      const sanitized = sanitizeFilters(filters);
+
+      expect(sanitized.ids).toHaveLength(100); // Limited to 100
+    });
+
+    it('should handle edge cases', () => {
+      const filters = {
+        nullValue: null,
+        undefinedValue: undefined,
+        objectValue: { nested: "value" },
+        functionValue: () => "test",
+        invalidNumber: NaN,
+        validNumber: 42,
+      };
+
+      const sanitized = sanitizeFilters(filters);
+
+      expect(sanitized.nullValue).toBeUndefined();
+      expect(sanitized.undefinedValue).toBeUndefined();
+      expect(sanitized.objectValue).toBeUndefined();
+      expect(sanitized.functionValue).toBeUndefined();
+      expect(sanitized.invalidNumber).toBeUndefined();
+      expect(sanitized.validNumber).toBe(42);
+    });
+  });
+
+  describe('buildSafeQueryParams', () => {
+    it('should build safe query parameters', () => {
+      const params: SafeQueryParams = {
+        select: "id, name, email",
+        filters: {
+          active: true,
+          type: "app",  // Safe string
+        },
+        orderBy: "created_at",
+        limit: 10,
+        offset: 0,
+        search: "test",  // Safe search term
+      };
+
+      const safe = buildSafeQueryParams(params);
+
+      expect(safe.select).toBe("id, name, email");
+      expect(safe.filters?.active).toBe(true);
+      expect(safe.filters?.type).toBe("app");
+      expect(safe.orderBy).toBe("created_at");
+      expect(safe.limit).toBe(10);
+      expect(safe.offset).toBe(0);
+      expect(safe.search).toBe("test");
+    });
+
+    it('should filter out invalid select fields', () => {
+      const params: SafeQueryParams = {
+        select: "id, name, '; DROP TABLE users; --, email",
+      };
+
+      const safe = buildSafeQueryParams(params);
+
+      expect(safe.select).toBe("id, name, email");
+      expect(safe.select).not.toContain("DROP");
+    });
+
+    it('should handle empty parameters', () => {
+      const safe = buildSafeQueryParams({});
+
+      expect(safe.select).toBeUndefined();
+      expect(safe.filters).toBeUndefined();
+      expect(safe.orderBy).toBeUndefined();
+      expect(safe.limit).toBeUndefined();
+      expect(safe.offset).toBeUndefined();
+      expect(safe.search).toBeUndefined();
+    });
+
+    it('should validate numeric parameters', () => {
+      const params: SafeQueryParams = {
+        limit: -5, // Should be rejected
+        offset: 1000, // Should be accepted
+      };
+
+      const safe = buildSafeQueryParams(params);
+
+      expect(safe.limit).toBeUndefined(); // Invalid negative limit
+      expect(safe.offset).toBe(1000); // Valid offset
+    });
+  });
+
+  describe('Schema Validations', () => {
+    describe('searchQuerySchema', () => {
+      it('should validate safe search queries', () => {
+        const validQueries = [
+          "test",
+          "data",
+          "app",
+          "web",
+        ];
+
+        validQueries.forEach(query => {
+          const result = searchQuerySchema.safeParse(query);
+          expect(result.success).toBe(true);
+          if (result.success) {
+            expect(result.data).toBe(query);
+          }
+        });
+      });
+
+      it('should reject malicious queries', () => {
+        const maliciousQueries = [
+          "'; DROP TABLE users; --",
+          "admin' OR '1'='1",
+          "UNION SELECT password FROM users",
+        ];
+
+        maliciousQueries.forEach(query => {
+          const result = searchQuerySchema.safeParse(query);
+          expect(result.success).toBe(false);
+        });
+      });
+
+      it('should reject overly long queries', () => {
+        const longQuery = "a".repeat(501);
+        const result = searchQuerySchema.safeParse(longQuery);
+        
+        expect(result.success).toBe(false);
+        if (!result.success) {
+          expect(result.error.issues[0].message).toContain('too long');
+        }
+      });
+    });
+
+    describe('sqlIdentifierSchema', () => {
+      it('should validate safe SQL identifiers', () => {
+        const validIdentifiers = [
+          "user_id",
+          "firstName",
+          "created_at",
+          "table1",
+          "column_name_123",
+        ];
+
+        validIdentifiers.forEach(identifier => {
+          const result = sqlIdentifierSchema.safeParse(identifier);
+          expect(result.success).toBe(true);
+        });
+      });
+
+      it('should reject invalid SQL identifiers', () => {
+        const invalidIdentifiers = [
+          "'; DROP TABLE users; --",
+          "user id", // spaces
+          "123invalid", // starts with number
+          "user-name", // contains hyphen
+          "", // empty
+        ];
+
+        invalidIdentifiers.forEach(identifier => {
+          const result = sqlIdentifierSchema.safeParse(identifier);
+          expect(result.success).toBe(false);
+        });
+      });
+    });
+
+    describe('orderBySchema', () => {
+      it('should validate safe order by clauses', () => {
+        const validOrderBy = [
+          "created_at",
+          "name ASC",
+          "updated_at DESC",
+          "id",
+        ];
+
+        validOrderBy.forEach(orderBy => {
+          const result = orderBySchema.safeParse(orderBy);
+          expect(result.success).toBe(true);
+        });
+      });
+
+      it('should reject invalid order by clauses', () => {
+        const invalidOrderBy = [
+          "'; DROP TABLE users; --",
+          "name; DELETE FROM users",
+          "id, (SELECT password FROM users)",
+        ];
+
+        invalidOrderBy.forEach(orderBy => {
+          const result = orderBySchema.safeParse(orderBy);
+          expect(result.success).toBe(false);
+        });
+      });
+    });
+
+    describe('limitOffsetSchema', () => {
+      it('should validate positive numbers', () => {
+        const validNumbers = [1, 10, 100, 1000];
+
+        validNumbers.forEach(num => {
+          const result = limitOffsetSchema.safeParse(num);
+          expect(result.success).toBe(true);
+        });
+      });
+
+      it('should reject invalid numbers', () => {
+        const invalidNumbers = [-1, 1001, NaN, Infinity]; // Removed 0 (valid), changed 10001 to 1001
+
+        invalidNumbers.forEach(num => {
+          const result = limitOffsetSchema.safeParse(num);
+          expect(result.success).toBe(false);
+        });
+      });
+    });
+  });
+
+  describe('Performance and Edge Cases', () => {
+    it('should handle concurrent filter sanitization', async () => {
+      const filters = Array.from({ length: 100 }, (_, i) => ({
+        [`test${i}`]: `data`,  // Safe field names and values
+        active: true,
+      }));
+
+      const promises = filters.map(filter => Promise.resolve(sanitizeFilters(filter)));
+      const results = await Promise.all(promises);
+
+      expect(results).toHaveLength(100);
+      results.forEach((result, index) => {
+        expect(result[`test${index}`]).toBe(`data`);
+        expect(result.active).toBe(true);
+      });
+    });
+
+    it('should handle large filter objects efficiently', () => {
+      const largeFilters: Record<string, any> = {};
+      for (let i = 0; i < 1000; i++) {
+        largeFilters[`test${i}`] = `data`;  // Safe field names and values
+      }
+
+      const startTime = Date.now();
+      const sanitized = sanitizeFilters(largeFilters);
+      const endTime = Date.now();
+
+      expect(endTime - startTime).toBeLessThan(100); // Should complete quickly
+      expect(Object.keys(sanitized)).toHaveLength(1000);
+    });
+
+    it('should handle deeply nested objects safely', () => {
+      const nestedFilters = {
+        level1: {
+          level2: {
+            level3: "value"
+          }
+        }
+      };
+
+      // Should not process nested objects
+      const sanitized = sanitizeFilters(nestedFilters);
+      expect(sanitized.level1).toBeUndefined();
+    });
+  });
+});