@jmruthers/pace-core 0.5.4 → 0.5.6

package/src/utils/__tests__/sanitization.unit.test.ts

@@ -0,0 +1,346 @@
+/**
+ * @file Sanitization Unit Tests
+ * @package @jmruthers/pace-core
+ * @module Utils/Sanitization
+ * @since 0.4.0
+ */
+
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+import { 
+  sanitizeUserInput, 
+  sanitizeEmail, 
+  sanitizePhoneNumber, 
+  sanitizeUrl, 
+  sanitizeFileName, 
+  sanitizeSqlInput,
+  sanitizeFormData,
+  generateCSPHeader,
+  RateLimiter
+} from '../sanitization';
+import { z } from 'zod';
+
+describe('Sanitization Utilities', () => {
+  describe('sanitizeUserInput', () => {
+    it('should sanitize basic text input', () => {
+      const input = '<script>alert("xss")</script>Hello World';
+      const result = sanitizeUserInput(input);
+      expect(result).toBe('&lt;script&gt;alert(&quot;xss&quot;)&lt;&#x2F;script&gt;Hello World');
+    });
+
+    it('should handle non-string input', () => {
+      expect(sanitizeUserInput(null as any)).toBe('');
+      expect(sanitizeUserInput(undefined as any)).toBe('');
+      expect(sanitizeUserInput(123 as any)).toBe('');
+      expect(sanitizeUserInput({} as any)).toBe('');
+    });
+
+    it('should trim whitespace by default', () => {
+      const input = '  Hello World  ';
+      const result = sanitizeUserInput(input);
+      expect(result).toBe('Hello World');
+    });
+
+    it('should not trim when trim option is false', () => {
+      const input = '  Hello World  ';
+      const result = sanitizeUserInput(input, { trim: false });
+      expect(result).toBe('  Hello World  ');
+    });
+
+    it('should enforce maximum length', () => {
+      const input = 'This is a very long string that should be truncated';
+      const result = sanitizeUserInput(input, { maxLength: 10 });
+      expect(result).toBe('This is a ');
+    });
+
+    it('should allow HTML when specified', () => {
+      const input = '<strong>Hello</strong> <em>World</em>';
+      const result = sanitizeUserInput(input, { allowHtml: true });
+      expect(result).toBe(input);
+    });
+
+    it('should allow specific HTML tags', () => {
+      const input = '<strong>Hello</strong> <script>alert("xss")</script> <em>World</em>';
+      const result = sanitizeUserInput(input, { 
+        allowHtml: true, 
+        allowedTags: ['strong', 'em'] 
+      });
+      expect(result).toBe('<strong>Hello</strong> alert("xss") <em>World</em>');
+    });
+
+    it('should remove script tags and javascript protocols', () => {
+      const input = '<script>alert("xss")</script>javascript:alert("xss")vbscript:alert("xss")';
+      const result = sanitizeUserInput(input, { removeScripts: true });
+      expect(result).toBe('&lt;script&gt;alert(&quot;xss&quot;)&lt;&#x2F;script&gt;alert(&quot;xss&quot;)alert(&quot;xss&quot;)');
+    });
+
+    it('should remove event handlers', () => {
+      const input = '<div onclick="alert(\'xss\')" onmouseover="alert(\'xss\')">Click me</div>';
+      const result = sanitizeUserInput(input, { removeEvents: true });
+      expect(result).toBe('&lt;div &quot;alert(&#x27;xss&#x27;)&quot; &quot;alert(&#x27;xss&#x27;)&quot;&gt;Click me&lt;&#x2F;div&gt;');
+    });
+
+    it('should escape HTML entities', () => {
+      const input = '<>&"\'/';
+      const result = sanitizeUserInput(input);
+      expect(result).toBe('&lt;&gt;&&quot;&#x27;&#x2F;');
+    });
+  });
+
+  describe('sanitizeEmail', () => {
+    it('should sanitize valid email addresses', () => {
+      expect(sanitizeEmail('  TEST@EXAMPLE.COM  ')).toBe('test@example.com');
+      expect(sanitizeEmail('user+tag@domain.co.uk')).toBe('usertag@domain.co.uk');
+    });
+
+    it('should handle invalid input', () => {
+      expect(sanitizeEmail('')).toBe('');
+      expect(sanitizeEmail(null as any)).toBe('');
+      expect(sanitizeEmail(undefined as any)).toBe('');
+      expect(sanitizeEmail(123 as any)).toBe('');
+    });
+
+    it('should preserve valid email structure', () => {
+      const email = 'user.name+tag@subdomain.example.co.uk';
+      const result = sanitizeEmail(email);
+      expect(result).toBe('user.nametag@subdomain.example.co.uk');
+    });
+  });
+
+  describe('sanitizePhoneNumber', () => {
+    it('should sanitize phone numbers', () => {
+      expect(sanitizePhoneNumber('  +1 (555) 123-4567  ')).toBe('+1 (555) 123-4567');
+      expect(sanitizePhoneNumber('555.123.4567')).toBe('5551234567');
+      expect(sanitizePhoneNumber('555-123-4567')).toBe('555-123-4567');
+    });
+
+    it('should handle invalid input', () => {
+      expect(sanitizePhoneNumber('')).toBe('');
+      expect(sanitizePhoneNumber(null as any)).toBe('');
+      expect(sanitizePhoneNumber(undefined as any)).toBe('');
+    });
+
+    it('should preserve international format', () => {
+      expect(sanitizePhoneNumber('+44 20 7946 0958')).toBe('+44 20 7946 0958');
+    });
+  });
+
+  describe('sanitizeUrl', () => {
+    it('should sanitize valid URLs', () => {
+      expect(sanitizeUrl('  HTTPS://EXAMPLE.COM/PATH  ')).toBe('HTTPS://EXAMPLE.COM/PATH');
+      expect(sanitizeUrl('http://subdomain.example.co.uk/path?param=value')).toBe('http://subdomain.example.co.uk/path?param=value');
+    });
+
+    it('should handle invalid input', () => {
+      expect(sanitizeUrl('')).toBe('');
+      expect(sanitizeUrl(null as any)).toBe('');
+      expect(sanitizeUrl(undefined as any)).toBe('');
+    });
+
+    it('should reject URLs without protocol', () => {
+      expect(sanitizeUrl('example.com')).toBe('');
+      expect(sanitizeUrl('//example.com')).toBe('');
+    });
+
+    it('should preserve query parameters and fragments', () => {
+      const url = 'https://example.com/path?param=value&other=123#fragment';
+      const result = sanitizeUrl(url);
+      expect(result).toBe(url);
+    });
+  });
+
+  describe('sanitizeFileName', () => {
+    it('should sanitize file names', () => {
+      expect(sanitizeFileName('  My File Name.txt  ')).toBe('My File Name.txt');
+      expect(sanitizeFileName('file/with\\invalid:chars')).toBe('filewithinvalidchars');
+    });
+
+    it('should handle invalid input', () => {
+      expect(sanitizeFileName('')).toBe('');
+      expect(sanitizeFileName(null as any)).toBe('');
+      expect(sanitizeFileName(undefined as any)).toBe('');
+    });
+
+    it('should preserve file extensions', () => {
+      expect(sanitizeFileName('document.pdf')).toBe('document.pdf');
+      expect(sanitizeFileName('image.jpg')).toBe('image.jpg');
+    });
+
+    it('should remove dangerous characters', () => {
+      expect(sanitizeFileName('file<script>.txt')).toBe('filescript.txt');
+      expect(sanitizeFileName('file"name".txt')).toBe('filename.txt');
+    });
+  });
+
+  describe('sanitizeSqlInput', () => {
+    it('should sanitize SQL input', () => {
+      expect(sanitizeSqlInput("'; DROP TABLE users; --")).toBe("DROP TABLE users");
+      expect(sanitizeSqlInput("' OR '1'='1")).toBe("OR 1=1");
+    });
+
+    it('should handle invalid input', () => {
+      expect(sanitizeSqlInput('')).toBe('');
+      expect(sanitizeSqlInput(null as any)).toBe('');
+      expect(sanitizeSqlInput(undefined as any)).toBe('');
+    });
+
+    it('should escape single quotes', () => {
+      expect(sanitizeSqlInput("O'Connor")).toBe("OConnor");
+      expect(sanitizeSqlInput("user's data")).toBe("users data");
+    });
+  });
+
+  describe('sanitizeFormData', () => {
+    const testSchema = z.object({
+      name: z.string().min(1),
+      email: z.string().email(),
+      age: z.number().min(0)
+    });
+
+    it('should sanitize and validate form data', () => {
+      const data = {
+        name: '  John Doe  ',
+        email: '  TEST@EXAMPLE.COM  ',
+        age: 25
+      };
+
+      const result = sanitizeFormData(data, testSchema);
+      expect(result.success).toBe(false); // Email validation will fail
+      expect(result.error).toBeDefined();
+    });
+
+    it('should handle validation errors', () => {
+      const data = {
+        name: '',
+        email: 'invalid-email',
+        age: -1
+      };
+
+      const result = sanitizeFormData(data, testSchema);
+      expect(result.success).toBe(false);
+      expect(result.error).toBeDefined();
+    });
+
+    it('should apply custom sanitization rules', () => {
+      const data = {
+        name: '<script>alert("xss")</script>John',
+        email: 'test@example.com',
+        age: 25
+      };
+
+      const sanitizationRules = {
+        name: { removeScripts: true, trim: true }
+      };
+
+      const result = sanitizeFormData(data, testSchema, sanitizationRules);
+      expect(result.success).toBe(true);
+      expect(result.data?.name).toBe('&lt;script&gt;alert(&quot;xss&quot;)&lt;&#x2F;script&gt;John');
+    });
+
+    it('should handle invalid input', () => {
+      const result = sanitizeFormData(null as any, testSchema);
+      expect(result.success).toBe(false);
+      expect(result.error).toBeDefined();
+    });
+  });
+
+  describe('generateCSPHeader', () => {
+    it('should generate default CSP header', () => {
+      const header = generateCSPHeader();
+      expect(header).toContain("default-src 'self'");
+      expect(header).toContain("script-src 'self'");
+      expect(header).toContain("style-src 'self'");
+    });
+
+    it('should include custom directives', () => {
+      const customDirectives = {
+        script: "'self' 'unsafe-inline'",
+        img: "'self' data: https:"
+      };
+
+      const header = generateCSPHeader(customDirectives);
+      expect(header).toContain("'self' 'unsafe-inline'");
+      expect(header).toContain("'self' data: https:");
+    });
+  });
+
+  describe('RateLimiter', () => {
+    let rateLimiter: RateLimiter;
+
+    beforeEach(() => {
+      rateLimiter = new RateLimiter(3, 1000); // 3 attempts per second
+    });
+
+    it('should allow requests within limit', () => {
+      expect(rateLimiter.isAllowed('user1')).toBe(true);
+      expect(rateLimiter.isAllowed('user1')).toBe(true);
+      expect(rateLimiter.isAllowed('user1')).toBe(true);
+    });
+
+    it('should block requests over limit', () => {
+      expect(rateLimiter.isAllowed('user1')).toBe(true);
+      expect(rateLimiter.isAllowed('user1')).toBe(true);
+      expect(rateLimiter.isAllowed('user1')).toBe(true);
+      expect(rateLimiter.isAllowed('user1')).toBe(false);
+    });
+
+    it('should track different identifiers separately', () => {
+      expect(rateLimiter.isAllowed('user1')).toBe(true);
+      expect(rateLimiter.isAllowed('user2')).toBe(true);
+      expect(rateLimiter.isAllowed('user1')).toBe(true);
+      expect(rateLimiter.isAllowed('user2')).toBe(true);
+    });
+
+    it('should return remaining attempts', () => {
+      expect(rateLimiter.getRemainingAttempts('user1')).toBe(3);
+      rateLimiter.isAllowed('user1');
+      expect(rateLimiter.getRemainingAttempts('user1')).toBe(2);
+    });
+
+    it('should reset attempts', () => {
+      rateLimiter.isAllowed('user1');
+      rateLimiter.isAllowed('user1');
+      expect(rateLimiter.getRemainingAttempts('user1')).toBe(1);
+      
+      rateLimiter.reset('user1');
+      expect(rateLimiter.getRemainingAttempts('user1')).toBe(3);
+    });
+
+    it('should handle time-based expiration', () => {
+      // Mock Date.now to simulate time passing
+      const originalNow = Date.now;
+      let mockTime = 1000;
+      Date.now = vi.fn(() => mockTime);
+
+      rateLimiter.isAllowed('user1');
+      rateLimiter.isAllowed('user1');
+      rateLimiter.isAllowed('user1');
+      expect(rateLimiter.isAllowed('user1')).toBe(false);
+
+      // Advance time beyond window
+      mockTime = 2001;
+      expect(rateLimiter.isAllowed('user1')).toBe(true);
+
+      Date.now = originalNow;
+    });
+  });
+
+  describe('Edge Cases', () => {
+    it('should handle very long inputs', () => {
+      const longInput = 'a'.repeat(10000);
+      const result = sanitizeUserInput(longInput, { maxLength: 100 });
+      expect(result.length).toBe(100);
+    });
+
+    it('should handle special characters in URLs', () => {
+      const url = 'https://example.com/path with spaces/and+plus/signs?param=value with spaces#fragment';
+      const result = sanitizeUrl(url);
+      expect(result).toBe(url);
+    });
+
+    it('should handle empty sanitization rules', () => {
+      const data = { name: 'John', email: 'test@example.com' };
+      const result = sanitizeFormData(data, z.object({ name: z.string(), email: z.string() }));
+      expect(result.success).toBe(true);
+    });
+  });
+});