@marcuspuchalla/nachos 0.1.1 → 0.1.4

package/src/parser/__tests__/cbor-security-dos-protection.test.ts

@@ -10,9 +10,10 @@
  * These tests verify protections against known CBOR implementation vulnerabilities.
  */
 
-import { describe, it, expect } from 'vitest'
+import { describe, it, expect, vi, afterEach } from 'vitest'
 import { useCborTag } from '../composables/useCborTag'
 import { useCborParser } from '../composables/useCborParser'
+import type { TaggedValue } from '../types'
 import { useCborCollection } from '../composables/useCborCollection'
 
 describe('CVE-2020-28491: Bignum Memory Exhaustion Protection', () => {
@@ -26,10 +27,10 @@ describe('CVE-2020-28491: Bignum Memory Exhaustion Protection', () => {
 
       const result = parseTag(bignum, { limits: { maxBignumBytes: 1024 } })
 
-      expect(result.value.tag).toBe(2)
-      expect(typeof result.value.value).toBe('bigint')
+      expect((result.value as TaggedValue).tag).toBe(2)
+      expect(typeof (result.value as TaggedValue).value).toBe('bigint')
       // 512 bytes of 0x00 = BigInt 0
-      expect(result.value.value).toBe(0n)
+      expect((result.value as TaggedValue).value).toBe(0n)
     })
 
     it('should reject tag 2 bignum exceeding size limit', () => {
@@ -64,11 +65,11 @@ describe('CVE-2020-28491: Bignum Memory Exhaustion Protection', () => {
 
       const result = parseTag(bignum, { limits: { maxBignumBytes: 1024 } })
 
-      expect(result.value.tag).toBe(2)
-      expect(typeof result.value.value).toBe('bigint')
+      expect((result.value as TaggedValue).tag).toBe(2)
+      expect(typeof (result.value as TaggedValue).value).toBe('bigint')
       // 1024 bytes of 0xff should be a large positive bigint
       // 2^(1024*8) - 1
-      expect(result.value.value > 0n).toBe(true)
+      expect(((result.value as TaggedValue).value as bigint) > 0n).toBe(true)
     })
 
     it('should reject tag 2 with 1 byte over limit', () => {
@@ -102,10 +103,10 @@ describe('CVE-2020-28491: Bignum Memory Exhaustion Protection', () => {
 
       const result = parseTag(bignum, { limits: { maxBignumBytes: 4096 } })
 
-      expect(result.value.tag).toBe(2)
-      expect(typeof result.value.value).toBe('bigint')
+      expect((result.value as TaggedValue).tag).toBe(2)
+      expect(typeof (result.value as TaggedValue).value).toBe('bigint')
       // 2048 bytes of 0xbb should be a large positive bigint
-      expect(result.value.value > 0n).toBe(true)
+      expect(((result.value as TaggedValue).value as bigint) > 0n).toBe(true)
     })
 
     it('should accept empty bignum (edge case)', () => {
@@ -116,10 +117,10 @@ describe('CVE-2020-28491: Bignum Memory Exhaustion Protection', () => {
 
       const result = parseTag(bignum, { limits: { maxBignumBytes: 1024 } })
 
-      expect(result.value.tag).toBe(2)
-      expect(typeof result.value.value).toBe('bigint')
+      expect((result.value as TaggedValue).tag).toBe(2)
+      expect(typeof (result.value as TaggedValue).value).toBe('bigint')
       // Empty byte string = BigInt 0
-      expect(result.value.value).toBe(0n)
+      expect((result.value as TaggedValue).value).toBe(0n)
     })
   })
 
@@ -133,11 +134,11 @@ describe('CVE-2020-28491: Bignum Memory Exhaustion Protection', () => {
 
       const result = parseTag(bignum, { limits: { maxBignumBytes: 1024 } })
 
-      expect(result.value.tag).toBe(3)
-      expect(typeof result.value.value).toBe('bigint')
+      expect((result.value as TaggedValue).tag).toBe(3)
+      expect(typeof (result.value as TaggedValue).value).toBe('bigint')
       // Tag 3 = -1 - n, where n is the bignum value
       // 256 bytes of 0xff should be a large negative bigint
-      expect(result.value.value < 0n).toBe(true)
+      expect(((result.value as TaggedValue).value as bigint) < 0n).toBe(true)
     })
 
     it('should reject tag 3 bignum exceeding size limit', () => {
@@ -183,8 +184,8 @@ describe('CVE-2020-28491: Bignum Memory Exhaustion Protection', () => {
 
       const result = parseTag(epochTag, { limits: { maxBignumBytes: 100 } })
 
-      expect(result.value.tag).toBe(1)
-      expect(result.value.value).toBe(1363896240)
+      expect((result.value as TaggedValue).tag).toBe(1)
+      expect((result.value as TaggedValue).value).toBe(1363896240)
     })
 
     it('should NOT apply bignum limit to tag 24 (embedded CBOR)', () => {
@@ -195,8 +196,8 @@ describe('CVE-2020-28491: Bignum Memory Exhaustion Protection', () => {
 
       const result = parseTag(embeddedCBOR, { limits: { maxBignumBytes: 2 } })
 
-      expect(result.value.tag).toBe(24)
-      expect(result.value.value).toBeInstanceOf(Uint8Array)
+      expect((result.value as TaggedValue).tag).toBe(24)
+      expect((result.value as TaggedValue).value).toBeInstanceOf(Uint8Array)
     })
 
     it('should NOT apply bignum limit to tag 258 (set)', () => {
@@ -207,8 +208,8 @@ describe('CVE-2020-28491: Bignum Memory Exhaustion Protection', () => {
 
       const result = parseTag(setTag, { limits: { maxBignumBytes: 2 } })
 
-      expect(result.value.tag).toBe(258)
-      expect(result.value.value).toBeInstanceOf(Array)
+      expect((result.value as TaggedValue).tag).toBe(258)
+      expect((result.value as TaggedValue).value).toBeInstanceOf(Array)
     })
   })
 })
@@ -223,7 +224,7 @@ describe('RUSTSEC-2019-0025: Tag Nesting Stack Overflow Protection', () => {
 
       const result = parseTag(nested, { limits: { maxTagDepth: 64 } })
 
-      expect(result.value.tag).toBe(0)
+      expect((result.value as TaggedValue).tag).toBe(0)
       // Nested structure: tag 0 -> tag 0 -> ... -> 0
     })
 
@@ -255,14 +256,14 @@ describe('RUSTSEC-2019-0025: Tag Nesting Stack Overflow Protection', () => {
 
       const result = parseTag(nested, { limits: { maxTagDepth: 10 } })
 
-      expect(result.value.tag).toBe(0)
+      expect((result.value as TaggedValue).tag).toBe(0)
     })
 
     it('should use default tag depth limit when not specified', () => {
       const { parseTag } = useCborTag()
 
-      // 100 nested tags (exceeds default 64)
-      const nested = 'c0'.repeat(100) + '00'
+      // 150 nested tags (exceeds default 100)
+      const nested = 'c0'.repeat(150) + '00'
 
       expect(() => parseTag(nested)) // No options = use defaults
         .toThrow(/tag nesting depth.*exceeds/i)
@@ -276,7 +277,7 @@ describe('RUSTSEC-2019-0025: Tag Nesting Stack Overflow Protection', () => {
 
       const result = parseTag(nested, { limits: { maxTagDepth: 150 } })
 
-      expect(result.value.tag).toBe(0)
+      expect((result.value as TaggedValue).tag).toBe(0)
     })
 
     it('should handle nested tags with different tag numbers', () => {
@@ -287,9 +288,9 @@ describe('RUSTSEC-2019-0025: Tag Nesting Stack Overflow Protection', () => {
 
       const result = parseTag(nested, { limits: { maxTagDepth: 5 } })
 
-      expect(result.value.tag).toBe(1)
-      expect(result.value.value.tag).toBe(2)
-      expect((result.value.value as any).value).toHaveProperty('tag', 3)
+      expect((result.value as TaggedValue).tag).toBe(1)
+      expect(((result.value as TaggedValue).value as TaggedValue).tag).toBe(2)
+      expect(((result.value as TaggedValue).value as any).value).toHaveProperty('tag', 3)
     })
 
     it('should reject deeply nested mixed tags', () => {
@@ -312,8 +313,8 @@ describe('RUSTSEC-2019-0025: Tag Nesting Stack Overflow Protection', () => {
         limits: { maxTagDepth: 5, maxDepth: 5 }
       })
 
-      expect(result.value.tag).toBe(1)
-      expect(result.value.value).toEqual([1, 2, 3])
+      expect((result.value as TaggedValue).tag).toBe(1)
+      expect((result.value as TaggedValue).value).toEqual([1, 2, 3])
     })
 
     it('should prevent stack overflow with minimal input (< 1KB)', () => {
@@ -467,7 +468,7 @@ describe('Combined Security Protections', () => {
       }
     })
 
-    expect(result.value.tag).toBe(1)
+    expect((result.value as TaggedValue).tag).toBe(1)
   })
 
   it('should reject when any single limit is exceeded', () => {
@@ -501,3 +502,135 @@ describe('Combined Security Protections', () => {
       .toThrow(/duplicate/i)
   })
 })
+
+describe('maxParseTime Timeout Protection for Standard decode() Path', () => {
+  afterEach(() => {
+    vi.restoreAllMocks()
+  })
+
+  describe('useCborCollection: parseItem timeout', () => {
+    it('should enforce maxParseTime when parsing deeply nested arrays via standard path', () => {
+      // Mock Date.now: first call returns start time, subsequent calls simulate time passing
+      let callCount = 0
+      vi.spyOn(Date, 'now').mockImplementation(() => {
+        callCount++
+        // First call sets parseStartTime, subsequent calls check elapsed
+        return callCount <= 1 ? 1000 : 1100
+      })
+
+      const { parseArray } = useCborCollection()
+
+      // Build a deeply nested array: [[[[...]]]]
+      // 10 levels of nesting, innermost value is 0x00 (integer 0)
+      const nested = '81'.repeat(10) + '00'
+
+      // maxParseTime=50ms, but mocked time shows 100ms elapsed
+      expect(() => parseArray(nested, { limits: { maxParseTime: 50, maxDepth: 200 } }))
+        .toThrow(/parse timeout/i)
+    })
+
+    it('should enforce maxParseTime when parsing deeply nested maps via standard path', () => {
+      let callCount = 0
+      vi.spyOn(Date, 'now').mockImplementation(() => {
+        callCount++
+        return callCount <= 1 ? 1000 : 1100
+      })
+
+      const { parseMap } = useCborCollection()
+
+      // Build nested map: {"a": {"a": ... 0 }}
+      const nested = 'a16161'.repeat(10) + '00'
+
+      expect(() => parseMap(nested, { limits: { maxParseTime: 50, maxDepth: 200 } }))
+        .toThrow(/parse timeout/i)
+    })
+
+    it('should enforce maxParseTime via the top-level decode() function', () => {
+      let callCount = 0
+      vi.spyOn(Date, 'now').mockImplementation(() => {
+        callCount++
+        return callCount <= 1 ? 1000 : 1100
+      })
+
+      const { parse } = useCborParser()
+
+      // Nested arrays through the standard parse() path
+      const nested = '81'.repeat(10) + '00'
+
+      expect(() => parse(nested, { limits: { maxParseTime: 50, maxDepth: 200 } }))
+        .toThrow(/parse timeout/i)
+    })
+
+    it('should NOT timeout when parsing completes quickly with generous maxParseTime', () => {
+      // Mock Date.now to always return same value (no time passes)
+      vi.spyOn(Date, 'now').mockReturnValue(1000)
+
+      const { parse } = useCborParser()
+
+      // Simple array [1, 2, 3]
+      const result = parse('83010203', { limits: { maxParseTime: 5000 } })
+      expect(result.value).toEqual([1, 2, 3])
+    })
+
+    it('should NOT timeout for simple values when maxParseTime is set', () => {
+      vi.spyOn(Date, 'now').mockReturnValue(1000)
+
+      const { parse } = useCborParser()
+
+      const result = parse('1864', { limits: { maxParseTime: 5000 } })
+      expect(result.value).toBe(100)
+    })
+  })
+
+  describe('useCborTag: parseItem timeout', () => {
+    it('should enforce maxParseTime when parsing tags containing deeply nested structures', () => {
+      let callCount = 0
+      vi.spyOn(Date, 'now').mockImplementation(() => {
+        callCount++
+        return callCount <= 1 ? 1000 : 1100
+      })
+
+      const { parseTag } = useCborTag()
+
+      // Tag 1 wrapping deeply nested arrays
+      const nested = 'c1' + '81'.repeat(10) + '00'
+
+      expect(() => parseTag(nested, { limits: { maxParseTime: 50, maxDepth: 200, maxTagDepth: 200 } }))
+        .toThrow(/parse timeout/i)
+    })
+
+    it('should enforce maxParseTime for deeply nested tags', () => {
+      let callCount = 0
+      vi.spyOn(Date, 'now').mockImplementation(() => {
+        callCount++
+        return callCount <= 1 ? 1000 : 1100
+      })
+
+      const { parseTag } = useCborTag()
+
+      // 10 nested tags wrapping an integer
+      const nested = 'c0'.repeat(10) + '00'
+
+      expect(() => parseTag(nested, { limits: { maxParseTime: 50, maxTagDepth: 200 } }))
+        .toThrow(/parse timeout/i)
+    })
+  })
+
+  describe('parseSequence timeout', () => {
+    it('should enforce maxParseTime when parsing a CBOR sequence', () => {
+      let callCount = 0
+      vi.spyOn(Date, 'now').mockImplementation(() => {
+        callCount++
+        return callCount <= 1 ? 1000 : 1100
+      })
+
+      const { parseSequence } = useCborParser()
+
+      // Sequence of nested arrays
+      const nested = '81'.repeat(10) + '00'
+
+      expect(() => parseSequence(nested, { limits: { maxParseTime: 50, maxDepth: 200 } }))
+        .toThrow(/parse timeout/i)
+    })
+  })
+})

package/src/parser/__tests__/cbor-standard-tags.test.ts

@@ -20,11 +20,9 @@
 
 import { describe, it, expect } from 'vitest'
 import { useCborParser } from '../composables/useCborParser'
-import { useCborTag } from '../composables/useCborTag'
 
 describe('CBOR Standard Tags (RFC 8949)', () => {
   const { parse } = useCborParser()
-  const { parseTag } = useCborTag()
 
   describe('Tag 0: Date/Time String (RFC 3339)', () => {
     it('should parse valid ISO 8601 date/time string', () => {
@@ -149,17 +147,57 @@ describe('CBOR Standard Tags (RFC 8949)', () => {
     })
 
     it('should reject non-integer exponent in strict mode', () => {
-      // Tag 4 + [3.14, 500] (invalid - exponent must be integer)
+      // Tag 4 + [3.14, 500] (invalid - exponent must be integer per RFC 8949)
       // fb 40091eb851eb851f = float64 3.14
       // 1901f4 = uint 500
       const hex = 'c482fb40091eb851eb851f1901f4' // [3.14, 500]
 
-      // Note: The parser validates that exponent is number|bigint, and 3.14 is a number
-      // So this passes parsing but semantically the exponent should be integer
-      // The current implementation accepts floats as exponents, which is RFC-compliant
-      // (RFC says "integer" but implementations often accept any number)
+      expect(() => parse(hex, { strict: true, validateTagSemantics: true }))
+        .toThrow(/exponent must be an integer/)
+    })
+
+    it('should reject non-integer mantissa in strict mode', () => {
+      // Tag 4 + [-2, 3.14] (invalid - mantissa must be integer per RFC 8949)
+      // 21 = -2
+      // fb 40091eb851eb851f = float64 3.14
+      const hex = 'c48221fb40091eb851eb851f' // [-2, 3.14]
+
+      expect(() => parse(hex, { strict: true, validateTagSemantics: true }))
+        .toThrow(/mantissa must be an integer/)
+    })
+
+    it('should accept integer exponent and mantissa values', () => {
+      // Tag 4 + [0, 42]
+      // 00 = 0, 1829 = 42 (wrong, 182a = 42)
+      // Actually: 00 = 0, 18 2a = 42
+      const hex = 'c48200182a' // [0, 42]
+      const result = parse(hex, { strict: true, validateTagSemantics: true })
+      expect(result.value).toMatchObject({ tag: 4 })
+      const arr = (result.value as any).value as number[]
+      expect(arr[0]).toBe(0)
+      expect(arr[1]).toBe(42)
+    })
+
+    it('should accept negative integer exponent', () => {
+      // Tag 4 + [-1, 500]
+      // 20 = -1, 1901f4 = 500
+      const hex = 'c482201901f4' // [-1, 500]
       const result = parse(hex, { strict: true, validateTagSemantics: true })
       expect(result.value).toMatchObject({ tag: 4 })
+      const arr = (result.value as any).value as number[]
+      expect(arr[0]).toBe(-1)
+      expect(arr[1]).toBe(500)
+    })
+
+    it('should accept zero exponent and large mantissa', () => {
+      // Tag 4 + [0, 12345]
+      // 00 = 0, 193039 = 12345
+      const hex = 'c48200193039'
+      const result = parse(hex, { strict: true, validateTagSemantics: true })
+      expect(result.value).toMatchObject({ tag: 4 })
+      const arr = (result.value as any).value as number[]
+      expect(arr[0]).toBe(0)
+      expect(arr[1]).toBe(12345)
     })
   })
 
@@ -187,6 +225,36 @@ describe('CBOR Standard Tags (RFC 8949)', () => {
       expect(() => parse(hex, { strict: true, validateTagSemantics: true }))
         .toThrow(/exactly 2 elements/i)
     })
+
+    it('should reject non-integer exponent in strict mode', () => {
+      // Tag 5 + [3.14, 500] (invalid - exponent must be integer per RFC 8949)
+      // fb 40091eb851eb851f = float64 3.14
+      // 1901f4 = uint 500
+      const hex = 'c582fb40091eb851eb851f1901f4' // [3.14, 500]
+
+      expect(() => parse(hex, { strict: true, validateTagSemantics: true }))
+        .toThrow(/exponent must be an integer/)
+    })
+
+    it('should reject non-integer mantissa in strict mode', () => {
+      // Tag 5 + [-2, 3.14] (invalid - mantissa must be integer per RFC 8949)
+      // 21 = -2
+      // fb 40091eb851eb851f = float64 3.14
+      const hex = 'c58221fb40091eb851eb851f' // [-2, 3.14]
+
+      expect(() => parse(hex, { strict: true, validateTagSemantics: true }))
+        .toThrow(/mantissa must be an integer/)
+    })
+
+    it('should accept integer exponent and mantissa values', () => {
+      // Tag 5 + [-2, 500]
+      const hex = 'c5822119 01f4'.replace(/\s/g, '')
+      const result = parse(hex, { strict: true, validateTagSemantics: true })
+      expect(result.value).toMatchObject({ tag: 5 })
+      const arr = (result.value as any).value as number[]
+      expect(arr[0]).toBe(-2)
+      expect(arr[1]).toBe(500)
+    })
   })
 
   describe('Tags 21-23: Expected Encoding', () => {
@@ -221,6 +289,35 @@ describe('CBOR Standard Tags (RFC 8949)', () => {
     })
   })
 
+  describe('Tags 2-3: Bignums', () => {
+    it('should parse tag 2 with byte string', () => {
+      // c2 (tag 2) + 41 (1-byte byte string) + 01
+      const hex = 'c24101'
+      const result = parse(hex)
+
+      expect(result.value).toMatchObject({
+        tag: 2,
+        value: 1n
+      })
+    })
+
+    it('should reject non-byte-string tag 2 in strict mode', () => {
+      // c2 (tag 2) + 01 (integer)
+      const hex = 'c201'
+
+      expect(() => parse(hex, { strict: true, validateTagSemantics: true }))
+        .toThrow(/byte string/i)
+    })
+
+    it('should reject non-byte-string tag 3 in strict mode', () => {
+      // c3 (tag 3) + 01 (integer)
+      const hex = 'c301'
+
+      expect(() => parse(hex, { strict: true, validateTagSemantics: true }))
+        .toThrow(/byte string/i)
+    })
+  })
+
   describe('Tag 32: URI', () => {
     it('should parse valid URI', () => {
       // d8 20 (tag 32) + 76 (22-byte text) + "http://www.example.com"

package/src/parser/__tests__/cbor-string-errors.test.ts

@@ -112,8 +112,8 @@ describe('useCborString - Error Handling', () => {
       // 5f (indefinite byte string) + 6161 (text "a") + ff (break)
       const buffer = new Uint8Array([0x5f, 0x61, 0x61, 0xff])
 
-      // The error is thrown when trying to parse the text string as a byte string
-      expect(() => parseByteString(buffer, 0)).toThrow('Expected major type 2')
+      // The error is thrown when validating the chunk type
+      expect(() => parseByteString(buffer, 0)).toThrow('chunks must be byte strings')
     })
   })
 
@@ -125,8 +125,8 @@ describe('useCborString - Error Handling', () => {
       // 7f (indefinite text string) + 4161 (byte string containing 'a') + ff (break)
       const buffer = new Uint8Array([0x7f, 0x41, 0x61, 0xff])
 
-      // The error is thrown when trying to parse the byte string as a text string
-      expect(() => parseTextString(buffer, 0)).toThrow('Expected major type 3')
+      // The error is thrown when validating the chunk type
+      expect(() => parseTextString(buffer, 0)).toThrow('chunks must be text strings')
     })
   })
 

package/src/parser/__tests__/cbor-tag-errors.test.ts

@@ -20,7 +20,7 @@ describe('useCborTag - Error Handling', () => {
 
       // Tag with array that's incomplete
       // c1 (tag 1) + 82 (array of 2) + 01 (element 1) - missing element 2
-      expect(() => parseTag('c18201')).toThrow('Unexpected end of buffer at offset')
+      expect(() => parseTag('c18201')).toThrow('Unexpected end of buffer')
     })
   })