@jmruthers/pace-core 0.5.73 → 0.5.75

package/src/validation/__tests__/sanitization.unit.test.ts

@@ -0,0 +1,250 @@
+/**
+ * @file Sanitization Function Tests
+ * @package @jmruthers/pace-core
+ * @module Validation/__tests__
+ * @since 0.4.0
+ * 
+ * Comprehensive tests for input sanitization functions following TEST_GUIDE_CURSOR.md
+ */
+
+import { describe, it, expect } from 'vitest';
+import { sanitizeEmail, sanitizeString } from '../sanitization';
+
+describe('[unit] Sanitization Functions', () => {
+  describe('sanitizeEmail', () => {
+    it('converts email to lowercase', () => {
+      expect(sanitizeEmail('TEST@EXAMPLE.COM')).toBe('test@example.com');
+      expect(sanitizeEmail('User@Domain.Com')).toBe('user@domain.com');
+    });
+
+    it('trims whitespace from email', () => {
+      expect(sanitizeEmail('  test@example.com  ')).toBe('test@example.com');
+      expect(sanitizeEmail('\ttest@example.com\n')).toBe('test@example.com');
+    });
+
+    it('handles mixed case and whitespace', () => {
+      expect(sanitizeEmail('  TEST@EXAMPLE.COM  ')).toBe('test@example.com');
+    });
+
+    it('handles valid email addresses', () => {
+      expect(sanitizeEmail('user@example.com')).toBe('user@example.com');
+      expect(sanitizeEmail('user.name@example.com')).toBe('user.name@example.com');
+      expect(sanitizeEmail('user+tag@example.co.uk')).toBe('user+tag@example.co.uk');
+    });
+
+    it('handles empty string', () => {
+      expect(sanitizeEmail('')).toBe('');
+    });
+
+    it('handles null input', () => {
+      expect(sanitizeEmail(null as any)).toBe('');
+    });
+
+    it('handles undefined input', () => {
+      expect(sanitizeEmail(undefined as any)).toBe('');
+    });
+
+    it('handles non-string input', () => {
+      expect(sanitizeEmail(123 as any)).toBe('');
+      expect(sanitizeEmail({} as any)).toBe('');
+      expect(sanitizeEmail([] as any)).toBe('');
+    });
+
+    it('preserves valid email structure', () => {
+      const email = 'user.name+tag@example.co.uk';
+      expect(sanitizeEmail(email)).toBe('user.name+tag@example.co.uk');
+    });
+
+    it('handles email with special characters', () => {
+      expect(sanitizeEmail('user_name@example.com')).toBe('user_name@example.com');
+      expect(sanitizeEmail('user-name@example.com')).toBe('user-name@example.com');
+      expect(sanitizeEmail('user.name@example.com')).toBe('user.name@example.com');
+    });
+  });
+
+  describe('sanitizeString', () => {
+    it('removes angle brackets from input', () => {
+      expect(sanitizeString('test<tag>value')).toBe('testtagvalue');
+      expect(sanitizeString('<script>alert("xss")</script>')).toBe('scriptalert("xss")/script');
+    });
+
+    it('removes javascript: protocol', () => {
+      expect(sanitizeString('javascript:alert("xss")')).toBe('alert("xss")');
+      expect(sanitizeString('testJAVASCRIPT:alert(1)')).toBe('testalert(1)');
+      expect(sanitizeString('testJavaScript:alert(1)')).toBe('testalert(1)');
+    });
+
+    it('removes event handlers', () => {
+      expect(sanitizeString('testOnClick="alert(1)"')).toBe('test"alert(1)"');
+      expect(sanitizeString('testOnLoad="malicious"')).toBe('test"malicious"');
+      expect(sanitizeString('testOnError="bad"')).toBe('test"bad"');
+      expect(sanitizeString('testONEVENT="evil"')).toBe('test"evil"');
+    });
+
+    it('trims whitespace', () => {
+      expect(sanitizeString('  test  ')).toBe('test');
+      expect(sanitizeString('\ttest\n')).toBe('test');
+    });
+
+    it('handles normal text safely', () => {
+      expect(sanitizeString('This is a normal string')).toBe('This is a normal string');
+      expect(sanitizeString('User name')).toBe('User name');
+    });
+
+    it('handles empty string', () => {
+      expect(sanitizeString('')).toBe('');
+    });
+
+    it('handles null input', () => {
+      expect(sanitizeString(null as any)).toBe('');
+    });
+
+    it('handles undefined input', () => {
+      expect(sanitizeString(undefined as any)).toBe('');
+    });
+
+    it('handles non-string input', () => {
+      expect(sanitizeString(123 as any)).toBe('');
+      expect(sanitizeString({} as any)).toBe('');
+      expect(sanitizeString([] as any)).toBe('');
+    });
+
+    it('removes multiple security threats in one string', () => {
+      const malicious = '  <script>javascript:alert(1)</script> onClick="bad"  ';
+      expect(sanitizeString(malicious)).toBe('scriptalert(1)/script "bad"');
+    });
+
+    it('preserves valid HTML-like text that is safe', () => {
+      expect(sanitizeString('User &amp; Company')).toBe('User &amp; Company');
+      expect(sanitizeString('5 < 10')).toBe('5  10');
+      expect(sanitizeString('10 > 5')).toBe('10  5');
+    });
+
+    it('handles SQL injection attempts', () => {
+      expect(sanitizeString("'; DROP TABLE users; --")).toBe("'; DROP TABLE users; --");
+      // sanitizeString doesn't specifically target SQL, but removes dangerous patterns
+      // This test ensures it doesn't corrupt legitimate apostrophes
+    });
+
+    it('handles XSS payloads', () => {
+      // The function removes 'onerror=' but keeps the equals sign
+      expect(sanitizeString('<img src=x onerror=alert(1)>')).toBe('img src=x alert(1)');
+      expect(sanitizeString('<svg/onload=alert(1)>')).toBe('svg/alert(1)');
+    });
+
+    it('preserves special characters in safe contexts', () => {
+      expect(sanitizeString('User@example.com')).toBe('User@example.com');
+      expect(sanitizeString('$100')).toBe('$100');
+      expect(sanitizeString('Test%20String')).toBe('Test%20String');
+    });
+
+    it('handles very long strings', () => {
+      const longString = 'a'.repeat(10000);
+      expect(sanitizeString(longString)).toBe('a'.repeat(10000));
+    });
+
+    it('handles strings with only whitespace', () => {
+      expect(sanitizeString('   ')).toBe('');
+      expect(sanitizeString('\t\n\r')).toBe('');
+    });
+
+    it('removes consecutive dangerous patterns', () => {
+      const multipleAttacks = 'test<script>alert(1)</script><script>alert(2)</script>javascript:doEvil()';
+      expect(sanitizeString(multipleAttacks)).toBe('testscriptalert(1)/scriptscriptalert(2)/scriptdoEvil()');
+    });
+  });
+
+  describe('Edge Cases', () => {
+    it('sanitizeEmail handles unicode characters', () => {
+      expect(sanitizeEmail('café@example.com')).toBe('café@example.com');
+      expect(sanitizeEmail('test@例え.com')).toBe('test@例え.com');
+    });
+
+    it('sanitizeString handles unicode correctly', () => {
+      expect(sanitizeString('Test café')).toBe('Test café');
+      expect(sanitizeString('中文测试')).toBe('中文测试');
+      expect(sanitizeString('مرحبا')).toBe('مرحبا');
+    });
+
+    it('sanitizeEmail handles international domains', () => {
+      expect(sanitizeEmail('test@xn--example.com')).toBe('test@xn--example.com');
+    });
+
+    it('sanitizeString handles emoji', () => {
+      expect(sanitizeString('Hello 😀')).toBe('Hello 😀');
+      expect(sanitizeString('User <script>😀</script>')).toBe('User script😀/script');
+    });
+
+    it('handles mixed scripts and vulnerabilities', () => {
+      const mixed = '  User Name<script>alert(1)</script>  ';
+      expect(sanitizeString(mixed)).toBe('User Namescriptalert(1)/script');
+    });
+  });
+
+  describe('Performance', () => {
+    it('sanitizeEmail handles large inputs efficiently', () => {
+      const largeEmail = 'a'.repeat(1000) + '@' + 'b'.repeat(1000) + '.com';
+      const start = performance.now();
+      const result = sanitizeEmail(largeEmail);
+      const end = performance.now();
+
+      expect(result).toBeDefined();
+      expect(end - start).toBeLessThan(100); // Should complete in under 100ms
+    });
+
+    it('sanitizeString handles large inputs efficiently', () => {
+      const largeString = 'a'.repeat(10000);
+      const start = performance.now();
+      const result = sanitizeString(largeString);
+      const end = performance.now();
+
+      expect(result).toBeDefined();
+      expect(end - start).toBeLessThan(100); // Should complete in under 100ms
+    });
+  });
+
+  describe('Security Validation', () => {
+    it('sanitizeString prevents basic XSS attacks', () => {
+      const xssAttempts = [
+        '<script>alert("xss")</script>',
+        '<img src=x onerror=alert(1)>',
+        '<svg/onload=alert(1)>',
+        '<iframe src=javascript:alert(1)>',
+      ];
+
+      xssAttempts.forEach(attempt => {
+        const sanitized = sanitizeString(attempt);
+        expect(sanitized).not.toContain('<script>');
+        expect(sanitized).not.toContain('javascript:');
+        expect(sanitized).not.toContain('onerror=');
+        expect(sanitized).not.toContain('onload=');
+      });
+    });
+
+    it('sanitizeString removes event handlers regardless of case', () => {
+      const cases = [
+        'onClick',
+        'ONCLICK',
+        'onclick',
+        'onClick',
+        'ONCLICK',
+      ];
+
+      cases.forEach(eventHandler => {
+        const test = `test ${eventHandler}="malicious" test`;
+        const sanitized = sanitizeString(test);
+        expect(sanitized).not.toContain(`${eventHandler}=`);
+      });
+    });
+
+    it('sanitizeEmail does not introduce security vulnerabilities', () => {
+      const safe = 'user@example.com';
+      const sanitized = sanitizeEmail(safe);
+      expect(sanitized).toBe('user@example.com');
+      expect(sanitized).not.toContain('<');
+      expect(sanitized).not.toContain('>');
+      expect(sanitized).not.toContain('javascript:');
+    });
+  });
+});
+

package/src/validation/__tests__/schemaUtils.unit.test.ts

@@ -0,0 +1,451 @@
+/**
+ * @file Schema Utility Functions Tests
+ * @package @jmruthers/pace-core
+ * @module Validation/__tests__
+ * @since 0.4.0
+ * 
+ * Comprehensive tests for schema utility functions following TEST_GUIDE_CURSOR.md
+ */
+
+import { describe, it, expect } from 'vitest';
+import { z } from 'zod';
+import { pickSchema, combineSchemas } from '../schemaUtils';
+
+describe('[unit] Schema Utility Functions', () => {
+  describe('pickSchema', () => {
+    it('creates a subset schema with selected keys', () => {
+      const originalSchema = z.object({
+        name: z.string(),
+        email: z.string().email(),
+        age: z.number(),
+      });
+
+      const pickedSchema = pickSchema(originalSchema, ['name', 'email']);
+      const result = pickedSchema.safeParse({
+        name: 'John Doe',
+        email: 'john@example.com',
+        age: 30, // This should be ignored
+      });
+
+      expect(result.success).toBe(true);
+      if (result.success) {
+        expect(result.data).toEqual({
+          name: 'John Doe',
+          email: 'john@example.com',
+        });
+      }
+    });
+
+    it('validates only picked fields', () => {
+      const originalSchema = z.object({
+        name: z.string().min(3),
+        email: z.string().email(),
+        phone: z.string().optional(),
+      });
+
+      const pickedSchema = pickSchema(originalSchema, ['name']);
+      const validResult = pickedSchema.safeParse({ name: 'John Doe' });
+      expect(validResult.success).toBe(true);
+
+      const invalidResult = pickedSchema.safeParse({ name: 'Jo' }); // Too short
+      expect(invalidResult.success).toBe(false);
+    });
+
+    it('handles single field selection', () => {
+      const originalSchema = z.object({
+        id: z.string(),
+        name: z.string(),
+        email: z.string(),
+      });
+
+      const pickedSchema = pickSchema(originalSchema, ['id']);
+      const result = pickedSchema.safeParse({ id: '123' });
+
+      expect(result.success).toBe(true);
+      if (result.success) {
+        expect(result.data).toEqual({ id: '123' });
+      }
+    });
+
+    it('preserves validation rules', () => {
+      const originalSchema = z.object({
+        email: z.string().email(),
+        password: z.string().min(8),
+      });
+
+      const pickedSchema = pickSchema(originalSchema, ['email']);
+      
+      const validResult = pickedSchema.safeParse({ email: 'test@example.com' });
+      expect(validResult.success).toBe(true);
+
+      const invalidResult = pickedSchema.safeParse({ email: 'invalid-email' });
+      expect(invalidResult.success).toBe(false);
+    });
+
+    it('handles empty key array', () => {
+      const originalSchema = z.object({
+        name: z.string(),
+        email: z.string(),
+      });
+
+      const pickedSchema = pickSchema(originalSchema, []);
+      const result = pickedSchema.safeParse({ name: 'Test' });
+
+      expect(result.success).toBe(true);
+      if (result.success) {
+        expect(result.data).toEqual({});
+      }
+    });
+
+    it('handles key array with invalid keys', () => {
+      const originalSchema = z.object({
+        name: z.string(),
+        email: z.string(),
+      });
+
+      // Picking keys that don't exist should result in empty schema
+      const pickedSchema = pickSchema(originalSchema, ['invalidKey' as any]);
+      const result = pickedSchema.safeParse({ name: 'Test' });
+
+      expect(result.success).toBe(true);
+      if (result.success) {
+        expect(Object.keys(result.data)).toHaveLength(0);
+      }
+    });
+
+    it('handles complex nested validation', () => {
+      const originalSchema = z.object({
+        user: z.object({
+          name: z.string(),
+          email: z.string().email(),
+        }),
+        settings: z.object({
+          theme: z.string(),
+        }),
+      });
+
+      const pickedSchema = pickSchema(originalSchema, ['user']);
+      const result = pickedSchema.safeParse({
+        user: {
+          name: 'John',
+          email: 'john@example.com',
+        },
+      });
+
+      expect(result.success).toBe(true);
+    });
+  });
+
+  describe('combineSchemas', () => {
+    it('merges multiple schemas into one', () => {
+      const schema1 = z.object({
+        name: z.string(),
+        email: z.string(),
+      });
+
+      const schema2 = z.object({
+        age: z.number(),
+        phone: z.string(),
+      });
+
+      const combined = combineSchemas([schema1, schema2]);
+      const result = combined.safeParse({
+        name: 'John',
+        email: 'john@example.com',
+        age: 30,
+        phone: '1234567890',
+      });
+
+      expect(result.success).toBe(true);
+      if (result.success) {
+        expect(result.data).toEqual({
+          name: 'John',
+          email: 'john@example.com',
+          age: 30,
+          phone: '1234567890',
+        });
+      }
+    });
+
+    it('validates all fields from combined schemas', () => {
+      const schema1 = z.object({
+        email: z.string().email(),
+      });
+
+      const schema2 = z.object({
+        password: z.string().min(8),
+      });
+
+      const combined = combineSchemas([schema1, schema2]);
+      
+      const validResult = combined.safeParse({
+        email: 'test@example.com',
+        password: 'SecurePass123',
+      });
+      expect(validResult.success).toBe(true);
+
+      const invalidResult = combined.safeParse({
+        email: 'invalid',
+        password: 'short',
+      });
+      expect(invalidResult.success).toBe(false);
+    });
+
+    it('handles overlapping field names (latter overwrites)', () => {
+      const schema1 = z.object({
+        name: z.string().min(1),
+        email: z.string(),
+      });
+
+      const schema2 = z.object({
+        email: z.string().email(),
+        age: z.number(),
+      });
+
+      const combined = combineSchemas([schema1, schema2]);
+      const result = combined.safeParse({
+        name: 'John',
+        email: 'john@example.com',
+        age: 30,
+      });
+
+      expect(result.success).toBe(true);
+      // email validation should be the stricter one from schema2
+      if (result.success) {
+        expect(result.data.email).toBe('john@example.com');
+      }
+    });
+
+    it('handles empty schema array', () => {
+      const combined = combineSchemas([]);
+      const result = combined.safeParse({});
+
+      expect(result.success).toBe(true);
+      if (result.success) {
+        expect(Object.keys(result.data)).toHaveLength(0);
+      }
+    });
+
+    it('handles single schema', () => {
+      const schema1 = z.object({
+        name: z.string(),
+        email: z.string().email(),
+      });
+
+      const combined = combineSchemas([schema1]);
+      const result = combined.safeParse({
+        name: 'John',
+        email: 'john@example.com',
+      });
+
+      expect(result.success).toBe(true);
+      if (result.success) {
+        expect(result.data).toEqual({
+          name: 'John',
+          email: 'john@example.com',
+        });
+      }
+    });
+
+    it('combines three or more schemas', () => {
+      const schema1 = z.object({ name: z.string() });
+      const schema2 = z.object({ email: z.string() });
+      const schema3 = z.object({ phone: z.string() });
+      const schema4 = z.object({ age: z.number() });
+
+      const combined = combineSchemas([schema1, schema2, schema3, schema4]);
+      const result = combined.safeParse({
+        name: 'John',
+        email: 'john@example.com',
+        phone: '1234567890',
+        age: 30,
+      });
+
+      expect(result.success).toBe(true);
+      if (result.success) {
+        expect(Object.keys(result.data)).toHaveLength(4);
+      }
+    });
+
+    it('preserves optional fields from original schemas', () => {
+      const schema1 = z.object({
+        name: z.string(),
+        email: z.string().optional(),
+      });
+
+      const schema2 = z.object({
+        phone: z.string().optional(),
+      });
+
+      const combined = combineSchemas([schema1, schema2]);
+      
+      const resultWithAll = combined.safeParse({
+        name: 'John',
+        email: 'john@example.com',
+        phone: '1234567890',
+      });
+      expect(resultWithAll.success).toBe(true);
+
+      const resultWithoutOptional = combined.safeParse({
+        name: 'John',
+      });
+      expect(resultWithoutOptional.success).toBe(true);
+    });
+
+    it('handles complex nested schema merging', () => {
+      const schema1 = z.object({
+        user: z.object({
+          name: z.string(),
+        }),
+      });
+
+      const schema2 = z.object({
+        user: z.object({
+          email: z.string().email(),
+        }),
+      });
+
+      const combined = combineSchemas([schema1, schema2]);
+      const result = combined.safeParse({
+        user: {
+          name: 'John',
+          email: 'john@example.com',
+        },
+      });
+
+      expect(result.success).toBe(true);
+    });
+  });
+
+  describe('Edge Cases', () => {
+    it('pickSchema handles schema with no keys picked', () => {
+      const schema = z.object({
+        name: z.string(),
+        email: z.string(),
+      });
+
+      const picked = pickSchema(schema, []);
+      const result = picked.safeParse({ name: 'Test', email: 'test@example.com' });
+
+      expect(result.success).toBe(true);
+      if (result.success) {
+        expect(Object.keys(result.data)).toHaveLength(0);
+      }
+    });
+
+    it('combineSchemas handles schemas with conflicting validation rules', () => {
+      const schema1 = z.object({
+        value: z.string().min(5),
+      });
+
+      const schema2 = z.object({
+        value: z.string().max(10),
+      });
+
+      const combined = combineSchemas([schema1, schema2]);
+      
+      // When schemas are merged, the last one's validation typically wins
+      // But we can test that it validates at least something
+      const longResult = combined.safeParse({ value: '123456789012' });
+      expect(longResult.success).toBe(false); // Too long
+
+      const validResult = combined.safeParse({ value: '12345' });
+      expect(validResult.success).toBe(true);
+      
+      // Very short strings may still fail depending on merge order
+      const veryShortResult = combined.safeParse({ value: '123' });
+      // The result depends on merge order - just check it's defined
+      expect(veryShortResult.success).toBeDefined();
+    });
+
+    it('handles schemas with multiple field types', () => {
+      const schema1 = z.object({
+        string: z.string(),
+        number: z.number(),
+        boolean: z.boolean(),
+      });
+
+      const schema2 = z.object({
+        array: z.array(z.string()),
+        object: z.object({ nested: z.string() }),
+      });
+
+      const combined = combineSchemas([schema1, schema2]);
+      const result = combined.safeParse({
+        string: 'test',
+        number: 42,
+        boolean: true,
+        array: ['a', 'b'],
+        object: { nested: 'value' },
+      });
+
+      expect(result.success).toBe(true);
+    });
+  });
+
+  describe('Integration', () => {
+    it('combines picked schemas', () => {
+      const baseSchema = z.object({
+        name: z.string(),
+        email: z.string().email(),
+        age: z.number(),
+        phone: z.string(),
+      });
+
+      const userInfo = pickSchema(baseSchema, ['name', 'email']);
+      const contactInfo = pickSchema(baseSchema, ['email', 'phone']);
+
+      const combined = combineSchemas([userInfo, contactInfo]);
+      const result = combined.safeParse({
+        name: 'John',
+        email: 'john@example.com',
+        phone: '1234567890',
+      });
+
+      expect(result.success).toBe(true);
+      if (result.success) {
+        expect(result.data).toEqual({
+          name: 'John',
+          email: 'john@example.com',
+          phone: '1234567890',
+        });
+      }
+    });
+
+    it('handles real-world user registration scenario', () => {
+      const personalInfo = z.object({
+        firstName: z.string(),
+        lastName: z.string(),
+        dateOfBirth: z.string(),
+      });
+
+      const contactInfo = z.object({
+        email: z.string().email(),
+        phone: z.string(),
+      });
+
+      const preferences = z.object({
+        newsletter: z.boolean(),
+        notifications: z.boolean(),
+      });
+
+      const registrationSchema = combineSchemas([personalInfo, contactInfo, preferences]);
+      
+      const result = registrationSchema.safeParse({
+        firstName: 'John',
+        lastName: 'Doe',
+        dateOfBirth: '1990-01-01',
+        email: 'john@example.com',
+        phone: '1234567890',
+        newsletter: true,
+        notifications: false,
+      });
+
+      expect(result.success).toBe(true);
+      if (result.success) {
+        expect(Object.keys(result.data)).toHaveLength(7);
+      }
+    });
+  });
+});
+