@lhi/tdd-audit 1.1.2 → 1.3.0

package/prompts/red-phase.md

@@ -120,3 +120,157 @@ def test_vuln_type_exploit(client, attacker_token):
     )
     assert response.status_code == 403  # currently 200 — RED
 ```
+
+### React / Next.js (Vitest + Testing Library)
+```typescript
+// Sensitive storage: token must NOT land in localStorage
+import { render, fireEvent, waitFor } from '@testing-library/react';
+import LoginForm from '../../components/LoginForm';
+
+test('SHOULD NOT store auth token in localStorage', async () => {
+  render(<LoginForm />);
+  fireEvent.submit(screen.getByRole('form'));
+  await waitFor(() => {
+    expect(localStorage.getItem('token')).toBeNull(); // currently set — RED
+  });
+});
+
+// XSS: dangerouslySetInnerHTML must not accept unsanitized input
+test('SHOULD sanitize user content before rendering', () => {
+  const xssPayload = '<script>alert(1)</script>';
+  const { container } = render(<CommentBody content={xssPayload} />);
+  expect(container.innerHTML).not.toContain('<script>'); // currently reflected — RED
+});
+```
+
+### React Native / Expo (Jest)
+```javascript
+// Route param injection: params must be validated before API use
+import { renderRouter, screen } from 'expo-router/testing-library';
+
+test('SHOULD NOT pass raw route params to API query', async () => {
+  const maliciousParam = "1 UNION SELECT * FROM users";
+  // Render the screen with a crafted route param
+  renderRouter({ initialUrl: `/item/${encodeURIComponent(maliciousParam)}` });
+  // Assert the API was NOT called with the raw param
+  expect(mockApiClient.getItem).not.toHaveBeenCalledWith(maliciousParam); // currently called — RED
+});
+
+// Sensitive storage: tokens must use SecureStore, not AsyncStorage
+import AsyncStorage from '@react-native-async-storage/async-storage';
+
+test('SHOULD NOT store token in plain AsyncStorage', async () => {
+  await simulateLogin({ username: 'user', password: 'pass' });
+  const stored = await AsyncStorage.getItem('token');
+  expect(stored).toBeNull(); // currently stored in plain AsyncStorage — RED
+});
+```
+
+### SSRF (Server-Side Request Forgery)
+Supply a user-controlled URL pointing to an internal resource (e.g., `http://169.254.169.254/` AWS metadata).
+Assert a 400 or 403 — not a 200 proxying internal content.
+```javascript
+const res = await request(app)
+  .post('/api/fetch-preview')
+  .send({ url: 'http://169.254.169.254/latest/meta-data/' });
+expect(res.status).toBe(400); // currently fetches and returns internal data — RED
+```
+
+### Open Redirect
+Supply a fully external URL as the redirect destination.
+Assert a 400 or that the redirect stays within the same origin.
+```javascript
+const res = await request(app)
+  .get('/auth/callback')
+  .query({ redirect: 'https://evil.com/steal-token' });
+expect(res.status).toBe(400); // currently 302 to attacker site — RED
+// OR assert Location header is relative:
+expect(res.headers.location).not.toMatch(/^https?:\/\//);
+```
+
+### NoSQL Injection
+Supply a MongoDB operator object instead of a plain string value.
+Assert the query is rejected or returns no data.
+```javascript
+const res = await request(app)
+  .post('/api/login')
+  .send({ username: { $gt: '' }, password: { $gt: '' } });
+expect(res.status).toBe(400); // currently returns first user record — RED
+```
+
+### Mass Assignment
+Submit extra fields that should not be user-settable (e.g., `isAdmin`, `role`).
+Assert the privileged field was ignored.
+```javascript
+const res = await request(app)
+  .post('/api/users/register')
+  .send({ username: 'attacker', password: 'pass', isAdmin: true });
+expect(res.status).toBe(201);
+const user = await User.findOne({ username: 'attacker' });
+expect(user.isAdmin).toBe(false); // currently set to true — RED
+```
+
+### Prototype Pollution
+Submit a payload that sets `__proto__` to inject properties into Object.prototype.
+Assert the injected property is not visible on a fresh `{}`.
+```javascript
+const res = await request(app)
+  .post('/api/settings/merge')
+  .send({ '__proto__': { polluted: true } });
+expect(res.status).toBe(200);
+expect({}.polluted).toBeUndefined(); // currently true — RED
+```
+
+### Weak Crypto (Password Hashing)
+Hash a known password and assert the resulting hash is not a raw MD5/SHA1 hex string.
+```javascript
+const bcrypt = require('bcrypt');
+const user = await User.create({ email: 'x@x.com', password: 'mypassword' });
+// An MD5 hash of 'mypassword' is 34819d7beeabb9260a5c854bc85b3e44
+expect(user.passwordHash).not.toBe('34819d7beeabb9260a5c854bc85b3e44');
+// A proper bcrypt hash starts with $2b$
+expect(user.passwordHash).toMatch(/^\$2[aby]\$/); // currently fails — RED
+```
+
+### Missing Rate Limiting
+Send 10 rapid login attempts; assert the 11th is throttled (429).
+```javascript
+for (let i = 0; i < 10; i++) {
+  await request(app).post('/api/auth/login').send({ email: 'x@x.com', password: 'wrong' });
+}
+const res = await request(app).post('/api/auth/login').send({ email: 'x@x.com', password: 'wrong' });
+expect(res.status).toBe(429); // currently 401 — rate limit not enforced — RED
+```
+
+### Missing Security Headers
+Assert a response includes the `X-Content-Type-Options` and `X-Frame-Options` headers set by Helmet.
+```javascript
+const res = await request(app).get('/');
+expect(res.headers['x-content-type-options']).toBe('nosniff'); // currently absent — RED
+expect(res.headers['x-frame-options']).toBeDefined(); // currently absent — RED
+```
+
+### Flutter / Dart (flutter_test)
+```dart
+import 'package:flutter_test/flutter_test.dart';
+import 'package:shared_preferences/shared_preferences.dart';
+
+void main() {
+  // Sensitive storage: token must NOT be in unencrypted SharedPreferences
+  test('SHOULD NOT store auth token in SharedPreferences', () async {
+    SharedPreferences.setMockInitialValues({});
+    await simulateLogin(username: 'user', password: 'password');
+    final prefs = await SharedPreferences.getInstance();
+    expect(prefs.getString('token'), isNull,
+        reason: 'Tokens must not be in unencrypted SharedPreferences — use flutter_secure_storage'); // currently stored — RED
+  });
+
+  // TLS bypass: HTTP client must not disable certificate validation
+  test('SHOULD enforce TLS certificate verification', () {
+    final client = buildHttpClient(); // the app's HTTP client factory
+    // Inspect that no badCertificateCallback bypasses verification
+    expect(client.badCertificateCallback, isNull,
+        reason: 'badCertificateCallback must not be set to bypass TLS'); // currently bypassed — RED
+  });
+}
+```

package/prompts/refactor-phase.md

@@ -22,6 +22,32 @@ Go through this checklist before closing the vulnerability:
 - [ ] **Performance acceptable** — the patch doesn't add unbounded DB queries or blocking I/O
 - [ ] **No secrets in code** — patch doesn't hardcode keys, tokens, or credentials
 
+**React / Next.js additions:**
+- [ ] **`dangerouslySetInnerHTML` removed or wrapped** — confirm DOMPurify is imported and called before all remaining usages
+- [ ] **Next.js middleware matcher is correct** — `/api/:path*` or tighter; public routes (health checks, webhooks) still reachable
+- [ ] **`app.json` / `.env.local` clean** — no API keys or secrets committed; `*.env` is in `.gitignore`
+
+**React Native / Expo additions:**
+- [ ] **`AsyncStorage` fully migrated** — no remaining `setItem('token', ...)` calls; `expo-secure-store` in `package.json`
+- [ ] **Offline token refresh still works** — `SecureStore.getItemAsync` is called in the right lifecycle (not before `SecureStore.isAvailableAsync()` on web)
+- [ ] **Deep link params validated** — any `route.params` passed to API calls are sanitized or type-checked
+
+**New vulnerability class additions:**
+- [ ] **SSRF allowlist verified** — `validateExternalUrl` throws on internal IPs and non-allowlisted hosts; confirm `169.254.x.x` and `10.x.x.x` are blocked
+- [ ] **Open redirect uses relative-only check** — `/^https?:\/\//` and `//` prefix both rejected; confirm legitimate in-app redirects still work
+- [ ] **NoSQL injection sanitized** — `express-mongo-sanitize` or equivalent applied globally; confirm `{ $gt: '' }` payloads return 400
+- [ ] **Mass assignment uses field allowlist** — no `req.body` passed directly to ORM; confirm privileged fields (`isAdmin`, `role`) cannot be set by user
+- [ ] **Prototype pollution sanitizes keys** — `__proto__`, `constructor`, `prototype` keys stripped before any merge; confirm `{}.polluted` is still `undefined` after merge
+- [ ] **Passwords use bcrypt/argon2** — no `createHash('md5')` or `createHash('sha1')` for passwords; `bcrypt.compare` used on login
+- [ ] **Rate limiting active on auth routes** — `/login` and `/register` return 429 after threshold; general API routes have a broader limit
+- [ ] **Helmet applied before all routes** — `X-Content-Type-Options: nosniff` and `X-Frame-Options` present in response; CSP header present
+
+**Flutter additions:**
+- [ ] **`flutter_secure_storage` in `pubspec.yaml`** — dependency present and `flutter pub get` ran
+- [ ] **No remaining `SharedPreferences` calls for sensitive keys** — grep for `prefs.getString('token')`, `prefs.setString('password', ...)`
+- [ ] **TLS `badCertificateCallback` fully removed** — grep the entire `lib/` directory for `badCertificateCallback`
+- [ ] **iOS entitlements updated if needed** — `flutter_secure_storage` requires Keychain Sharing capability on iOS
+
 ### Step 3: Clean the patch
 - Remove any debugging `console.log` or `print` statements added during patching
 - Extract reusable security logic into middleware or utility functions if it appears in more than one place

package/templates/sample.exploit.test.dart

@@ -0,0 +1,52 @@
+/// TDD Remediation: Red Phase Sample Test (Flutter / Dart)
+///
+/// Replace the boilerplate below with the specific exploit you are verifying.
+/// This test MUST fail initially (Red Phase). Once you apply the fix, it MUST pass (Green Phase).
+///
+/// Run with: flutter test test/security/
+
+import 'package:flutter_test/flutter_test.dart';
+// import 'package:shared_preferences/shared_preferences.dart';
+// import 'package:flutter_secure_storage/flutter_secure_storage.dart';
+// import '../../lib/services/auth_service.dart'; // update with your auth service path
+
+void main() {
+  group('Security Vulnerability Remediation - Red Phase', () {
+
+    // ── Example 1: Sensitive Storage ─────────────────────────────────────────
+    // test('SHOULD NOT store auth token in plain SharedPreferences', () async {
+    //   SharedPreferences.setMockInitialValues({});
+    //
+    //   // Act: simulate what the app does after login
+    //   // await AuthService().login(username: 'user', password: 'pass');
+    //
+    //   // Assert: token must NOT be in unencrypted SharedPreferences
+    //   final prefs = await SharedPreferences.getInstance();
+    //   expect(prefs.getString('token'), isNull,
+    //       reason: 'Use flutter_secure_storage instead');  // currently stored — RED
+    // });
+
+    // ── Example 2: TLS Bypass ─────────────────────────────────────────────────
+    // test('SHOULD enforce TLS certificate verification', () {
+    //   final client = buildHttpClient(); // your app's HTTP client factory
+    //   expect(client.badCertificateCallback, isNull,
+    //       reason: 'badCertificateCallback must not bypass TLS');  // currently bypassed — RED
+    // });
+
+    // ── Example 3: Navigation Param Injection ─────────────────────────────────
+    // test('SHOULD NOT use raw route params in API calls', () async {
+    //   const maliciousId = "1; DROP TABLE users";
+    //   // Simulate screen loading with a crafted route argument
+    //   // final result = await ItemService().fetchItem(id: maliciousId);
+    //   //
+    //   // Assert the input was validated / rejected
+    //   // expect(result, isNull);  // currently fetches — RED
+    // });
+
+    test('PLACEHOLDER — replace with your exploit assertion', () {
+      // Remove this placeholder and uncomment one of the examples above.
+      expect(true, isTrue);
+    });
+
+  });
+}

package/templates/sample.exploit.test.react.tsx

@@ -0,0 +1,59 @@
+/**
+ * TDD Remediation: Red Phase Sample Test (React / Next.js — Testing Library + Vitest)
+ *
+ * For UI-layer security tests: XSS via dangerouslySetInnerHTML, sensitive data
+ * rendering, unauthenticated route access, client-side auth bypass, etc.
+ *
+ * Replace the boilerplate below with the specific exploit you are verifying.
+ * This test MUST fail initially (Red Phase). Once you apply the fix, it MUST pass (Green Phase).
+ *
+ * Run with: vitest run __tests__/security/
+ */
+
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+import { render, screen, waitFor } from '@testing-library/react';
+// import ComponentUnderTest from '../../components/ComponentUnderTest'; // update path
+
+describe('Security Vulnerability Remediation - Red Phase (UI)', () => {
+
+  // ── Example 1: XSS via dangerouslySetInnerHTML ───────────────────────────
+  // it('SHOULD sanitize user content before rendering as HTML', () => {
+  //   const xssPayload = '<script>window.__xss = true</script>';
+  //   render(<CommentBody content={xssPayload} />);
+  //
+  //   // Script tag must not be injected into the DOM
+  //   expect(document.querySelector('script')).toBeNull(); // currently rendered — RED
+  //   expect((window as any).__xss).toBeUndefined();
+  // });
+
+  // ── Example 2: Sensitive data must not appear in rendered output ─────────
+  // it('SHOULD NOT expose auth token in the DOM', () => {
+  //   render(<UserProfile token="super-secret-jwt" />);
+  //   expect(screen.queryByText('super-secret-jwt')).toBeNull(); // currently visible — RED
+  // });
+
+  // ── Example 3: Protected route must reject unauthenticated users ─────────
+  // it('SHOULD NOT render protected content without a valid session', () => {
+  //   render(<ProtectedPage />, { wrapper: UnauthenticatedProvider });
+  //   expect(screen.queryByRole('main')).toBeNull();       // currently renders — RED
+  //   expect(screen.getByText(/sign in/i)).toBeInTheDocument();
+  // });
+
+  // ── Example 4: Form input must be sanitized before submission ────────────
+  // it('SHOULD strip script tags from form input before submit', async () => {
+  //   const user = userEvent.setup();
+  //   render(<CommentForm onSubmit={mockSubmit} />);
+  //   await user.type(screen.getByRole('textbox'), '<script>alert(1)</script>');
+  //   await user.click(screen.getByRole('button', { name: /submit/i }));
+  //
+  //   expect(mockSubmit).toHaveBeenCalledWith(
+  //     expect.not.objectContaining({ body: expect.stringContaining('<script>') })
+  //   ); // currently passes raw payload — RED
+  // });
+
+  it('PLACEHOLDER — replace with your exploit assertion', () => {
+    // Remove this placeholder and uncomment one of the examples above.
+    expect(true).toBe(true);
+  });
+
+});

package/templates/workflows/security-tests.flutter.yml

@@ -0,0 +1,26 @@
+name: Security Tests
+
+on:
+  push:
+    branches: [main, master]
+  pull_request:
+    branches: [main, master]
+
+jobs:
+  security-tests:
+    name: Exploit Test Suite
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: subosito/flutter-action@v2
+        with:
+          flutter-version: 'stable'
+          cache: true
+
+      - name: Install dependencies
+        run: flutter pub get
+
+      - name: Run security exploit tests
+        run: flutter test test/security/

package/workflows/tdd-audit.md

@@ -11,6 +11,13 @@ Follow the full Auto-Audit protocol from `auto-audit.md`:
    - Write the exploit test (Red — must fail)
    - Apply the patch (Green — test must pass)
    - Run the full suite (Refactor — no regressions)
-4. **Report** a final Remediation Summary table when all issues are addressed.
+4. **Harden** the codebase proactively after all vulnerabilities are patched:
+   - Security headers (Helmet / CSP)
+   - Rate limiting on auth routes
+   - Dependency vulnerability audit (npm audit / pip-audit / govulncheck)
+   - Secret history scan (gitleaks / trufflehog)
+   - Production error handling (no stack traces)
+   - CSRF protection and secure cookie flags
+5. **Report** a final Remediation Summary table when all issues are addressed.
 
 Do not skip steps. Do not advance to the next vulnerability until the current one is fully proven closed by a passing test.