@olane/o-server 0.8.0 → 0.8.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (40) hide show
  1. package/dist/src/interfaces/server-config.interface.d.ts +47 -1
  2. package/dist/src/interfaces/server-config.interface.d.ts.map +1 -1
  3. package/dist/src/middleware/error-handler.d.ts +9 -0
  4. package/dist/src/middleware/error-handler.d.ts.map +1 -1
  5. package/dist/src/middleware/error-handler.js +49 -3
  6. package/dist/src/middleware/jwt-auth.d.ts +54 -0
  7. package/dist/src/middleware/jwt-auth.d.ts.map +1 -0
  8. package/dist/src/middleware/jwt-auth.js +145 -0
  9. package/dist/src/o-server.d.ts.map +1 -1
  10. package/dist/src/o-server.js +53 -23
  11. package/dist/src/validation/address-validator.d.ts +13 -0
  12. package/dist/src/validation/address-validator.d.ts.map +1 -0
  13. package/dist/src/validation/address-validator.js +40 -0
  14. package/dist/src/validation/index.d.ts +17 -0
  15. package/dist/src/validation/index.d.ts.map +1 -0
  16. package/dist/src/validation/index.js +16 -0
  17. package/dist/src/validation/method-validator.d.ts +13 -0
  18. package/dist/src/validation/method-validator.d.ts.map +1 -0
  19. package/dist/src/validation/method-validator.js +36 -0
  20. package/dist/src/validation/params-sanitizer.d.ts +15 -0
  21. package/dist/src/validation/params-sanitizer.d.ts.map +1 -0
  22. package/dist/src/validation/params-sanitizer.js +51 -0
  23. package/dist/src/validation/request-validator.d.ts +53 -0
  24. package/dist/src/validation/request-validator.d.ts.map +1 -0
  25. package/dist/src/validation/request-validator.js +53 -0
  26. package/dist/src/validation/validation-error.d.ts +11 -0
  27. package/dist/src/validation/validation-error.d.ts.map +1 -0
  28. package/dist/src/validation/validation-error.js +12 -0
  29. package/dist/test/ai.spec.d.ts +0 -1
  30. package/dist/test/ai.spec.js +20 -13
  31. package/dist/test/error-security.spec.d.ts +2 -0
  32. package/dist/test/error-security.spec.d.ts.map +1 -0
  33. package/dist/test/error-security.spec.js +134 -0
  34. package/dist/test/input-validation.spec.d.ts +14 -0
  35. package/dist/test/input-validation.spec.d.ts.map +1 -0
  36. package/dist/test/input-validation.spec.js +487 -0
  37. package/dist/test/jwt-auth.spec.d.ts +2 -0
  38. package/dist/test/jwt-auth.spec.d.ts.map +1 -0
  39. package/dist/test/jwt-auth.spec.js +397 -0
  40. package/package.json +10 -4
package/dist/test/input-validation.spec.js ADDED
@@ -0,0 +1,487 @@
1
+ /**
2
+ * Input Validation & Sanitization Tests
3
+ *
4
+ * Comprehensive test suite covering:
5
+ * - Address validation (path traversal, format, control chars)
6
+ * - Method validation (private methods, prototype pollution)
7
+ * - Parameter sanitization (recursive dangerous property removal)
8
+ * - Request schema validation (Zod-based)
9
+ * - Integration tests (SQL injection, NoSQL injection, XSS, prototype pollution)
10
+ *
11
+ * Part of Phase 1 Security - Wave 2 (Input Validation)
12
+ */
13
+ import { expect } from 'aegir/chai';
14
+ import { validateAddress, validateMethod, sanitizeParams, validateRequest, useRequestSchema, streamRequestSchema, ValidationError, } from '../src/validation/index.js';
15
+ describe('Input Validation & Sanitization', () => {
16
+ // ========================================================================
17
+ // ADDRESS VALIDATION TESTS
18
+ // ========================================================================
19
+ describe('Address Validation', () => {
20
+ it('should accept valid o:// address', () => {
21
+ expect(() => validateAddress('o://my-tool')).to.not.throw();
22
+ expect(() => validateAddress('o://my-tool/resource')).to.not.throw();
23
+ expect(() => validateAddress('o://my-tool/resource/nested')).to.not.throw();
24
+ });
25
+ it('should block path traversal with ../', () => {
26
+ expect(() => validateAddress('o://my-tool/../../../etc/passwd'))
27
+ .to.throw(ValidationError)
28
+ .with.property('code', 'INVALID_ADDRESS');
29
+ });
30
+ it('should block path traversal with ..\\', () => {
31
+ expect(() => validateAddress('o://my-tool\\..\\..\\windows\\system32'))
32
+ .to.throw(ValidationError)
33
+ .with.property('code', 'INVALID_ADDRESS');
34
+ });
35
+ it('should block URL-encoded path traversal (%2e%2e)', () => {
36
+ expect(() => validateAddress('o://my-tool/%2e%2e/%2e%2e/etc/passwd'))
37
+ .to.throw(ValidationError)
38
+ .with.property('code', 'INVALID_ADDRESS');
39
+ });
40
+ it('should block URL-encoded path traversal (uppercase %2E%2E)', () => {
41
+ expect(() => validateAddress('o://my-tool/%2E%2E/%2E%2E/etc/passwd'))
42
+ .to.throw(ValidationError)
43
+ .with.property('code', 'INVALID_ADDRESS');
44
+ });
45
+ it('should reject address without o:// protocol', () => {
46
+ expect(() => validateAddress('my-tool'))
47
+ .to.throw(ValidationError)
48
+ .with.property('code', 'INVALID_ADDRESS');
49
+ expect(() => validateAddress('http://my-tool'))
50
+ .to.throw(ValidationError)
51
+ .with.property('code', 'INVALID_ADDRESS');
52
+ });
53
+ it('should block control characters (null byte)', () => {
54
+ expect(() => validateAddress('o://my-tool\x00/resource'))
55
+ .to.throw(ValidationError)
56
+ .with.property('code', 'INVALID_ADDRESS');
57
+ });
58
+ it('should block control characters (newline)', () => {
59
+ expect(() => validateAddress('o://my-tool\n/resource'))
60
+ .to.throw(ValidationError)
61
+ .with.property('code', 'INVALID_ADDRESS');
62
+ });
63
+ it('should block backslashes in address', () => {
64
+ expect(() => validateAddress('o://my-tool\\resource'))
65
+ .to.throw(ValidationError)
66
+ .with.property('code', 'INVALID_ADDRESS');
67
+ });
68
+ it('should accept valid nested address', () => {
69
+ expect(() => validateAddress('o://parent/child/grandchild')).to.not.throw();
70
+ });
71
+ it('should reject empty address', () => {
72
+ expect(() => validateAddress(''))
73
+ .to.throw(ValidationError)
74
+ .with.property('code', 'INVALID_ADDRESS');
75
+ });
76
+ it('should reject non-string address', () => {
77
+ expect(() => validateAddress(null))
78
+ .to.throw(ValidationError)
79
+ .with.property('code', 'INVALID_ADDRESS');
80
+ expect(() => validateAddress(123))
81
+ .to.throw(ValidationError)
82
+ .with.property('code', 'INVALID_ADDRESS');
83
+ });
84
+ });
85
+ // ========================================================================
86
+ // METHOD VALIDATION TESTS
87
+ // ========================================================================
88
+ describe('Method Validation', () => {
89
+ it('should accept valid method name', () => {
90
+ expect(() => validateMethod('getUserData')).to.not.throw();
91
+ expect(() => validateMethod('processPayment')).to.not.throw();
92
+ expect(() => validateMethod('list')).to.not.throw();
93
+ });
94
+ it('should block private method starting with underscore', () => {
95
+ expect(() => validateMethod('_internalMethod'))
96
+ .to.throw(ValidationError)
97
+ .with.property('code', 'INVALID_METHOD');
98
+ expect(() => validateMethod('__privateHelper'))
99
+ .to.throw(ValidationError)
100
+ .with.property('code', 'INVALID_METHOD');
101
+ });
102
+ it('should block __proto__ method', () => {
103
+ expect(() => validateMethod('__proto__'))
104
+ .to.throw(ValidationError)
105
+ .with.property('code', 'INVALID_METHOD');
106
+ });
107
+ it('should block constructor method', () => {
108
+ expect(() => validateMethod('constructor'))
109
+ .to.throw(ValidationError)
110
+ .with.property('code', 'INVALID_METHOD');
111
+ });
112
+ it('should block prototype method', () => {
113
+ expect(() => validateMethod('prototype'))
114
+ .to.throw(ValidationError)
115
+ .with.property('code', 'INVALID_METHOD');
116
+ });
117
+ it('should block __proto__ case-insensitively', () => {
118
+ expect(() => validateMethod('__PROTO__'))
119
+ .to.throw(ValidationError)
120
+ .with.property('code', 'INVALID_METHOD');
121
+ expect(() => validateMethod('__ProTo__'))
122
+ .to.throw(ValidationError)
123
+ .with.property('code', 'INVALID_METHOD');
124
+ });
125
+ it('should block constructor case-insensitively', () => {
126
+ expect(() => validateMethod('CONSTRUCTOR'))
127
+ .to.throw(ValidationError)
128
+ .with.property('code', 'INVALID_METHOD');
129
+ expect(() => validateMethod('Constructor'))
130
+ .to.throw(ValidationError)
131
+ .with.property('code', 'INVALID_METHOD');
132
+ });
133
+ it('should block prototype case-insensitively', () => {
134
+ expect(() => validateMethod('PROTOTYPE'))
135
+ .to.throw(ValidationError)
136
+ .with.property('code', 'INVALID_METHOD');
137
+ expect(() => validateMethod('ProtoType'))
138
+ .to.throw(ValidationError)
139
+ .with.property('code', 'INVALID_METHOD');
140
+ });
141
+ it('should block control characters in method name', () => {
142
+ expect(() => validateMethod('method\x00Name'))
143
+ .to.throw(ValidationError)
144
+ .with.property('code', 'INVALID_METHOD');
145
+ expect(() => validateMethod('method\nName'))
146
+ .to.throw(ValidationError)
147
+ .with.property('code', 'INVALID_METHOD');
148
+ });
149
+ it('should reject empty method name', () => {
150
+ expect(() => validateMethod(''))
151
+ .to.throw(ValidationError)
152
+ .with.property('code', 'INVALID_METHOD');
153
+ });
154
+ it('should reject non-string method', () => {
155
+ expect(() => validateMethod(null))
156
+ .to.throw(ValidationError)
157
+ .with.property('code', 'INVALID_METHOD');
158
+ });
159
+ });
160
+ // ========================================================================
161
+ // PARAMS SANITIZATION TESTS
162
+ // ========================================================================
163
+ describe('Params Sanitization', () => {
164
+ it('should pass through safe params unchanged', () => {
165
+ const params = { username: 'alice', age: 30, active: true };
166
+ const sanitized = sanitizeParams(params);
167
+ expect(sanitized).to.deep.equal(params);
168
+ });
169
+ it('should remove __proto__ from object', () => {
170
+ const params = { username: 'alice' };
171
+ params['__proto__'] = { isAdmin: true };
172
+ const sanitized = sanitizeParams(params);
173
+ expect(sanitized).to.deep.equal({ username: 'alice' });
174
+ expect(Object.keys(sanitized)).to.not.include('__proto__');
175
+ });
176
+ it('should remove constructor from object', () => {
177
+ const params = { username: 'alice' };
178
+ params['constructor'] = { isAdmin: true };
179
+ const sanitized = sanitizeParams(params);
180
+ expect(sanitized).to.deep.equal({ username: 'alice' });
181
+ expect(Object.keys(sanitized)).to.not.include('constructor');
182
+ });
183
+ it('should remove prototype from object', () => {
184
+ const params = { username: 'alice' };
185
+ params['prototype'] = { isAdmin: true };
186
+ const sanitized = sanitizeParams(params);
187
+ expect(sanitized).to.deep.equal({ username: 'alice' });
188
+ expect(Object.keys(sanitized)).to.not.include('prototype');
189
+ });
190
+ it('should sanitize nested objects recursively', () => {
191
+ const params = {
192
+ user: {
193
+ name: 'alice',
194
+ profile: {
195
+ bio: 'test',
196
+ },
197
+ },
198
+ };
199
+ params.user['__proto__'] = { isAdmin: true };
200
+ params.user.profile['constructor'] = { evil: true };
201
+ const sanitized = sanitizeParams(params);
202
+ expect(sanitized).to.deep.equal({
203
+ user: {
204
+ name: 'alice',
205
+ profile: {
206
+ bio: 'test',
207
+ },
208
+ },
209
+ });
210
+ expect(Object.keys(sanitized.user)).to.not.include('__proto__');
211
+ expect(Object.keys(sanitized.user.profile)).to.not.include('constructor');
212
+ });
213
+ it('should sanitize arrays recursively', () => {
214
+ const params = {
215
+ users: [
216
+ { name: 'alice', '__proto__': { isAdmin: true } },
217
+ { name: 'bob', 'constructor': { evil: true } },
218
+ ],
219
+ };
220
+ const sanitized = sanitizeParams(params);
221
+ expect(sanitized).to.deep.equal({
222
+ users: [
223
+ { name: 'alice' },
224
+ { name: 'bob' },
225
+ ],
226
+ });
227
+ });
228
+ it('should handle null and undefined', () => {
229
+ expect(sanitizeParams(null)).to.equal(null);
230
+ expect(sanitizeParams(undefined)).to.equal(undefined);
231
+ });
232
+ it('should handle primitives', () => {
233
+ expect(sanitizeParams('string')).to.equal('string');
234
+ expect(sanitizeParams(123)).to.equal(123);
235
+ expect(sanitizeParams(true)).to.equal(true);
236
+ });
237
+ it('should handle arrays of primitives', () => {
238
+ const params = [1, 2, 3, 'test'];
239
+ const sanitized = sanitizeParams(params);
240
+ expect(sanitized).to.deep.equal(params);
241
+ });
242
+ it('should handle deeply nested structures', () => {
243
+ const params = {
244
+ level1: {
245
+ level2: {
246
+ level3: {
247
+ data: 'safe',
248
+ },
249
+ },
250
+ },
251
+ };
252
+ params.level1.level2.level3['__proto__'] = { evil: true };
253
+ const sanitized = sanitizeParams(params);
254
+ expect(sanitized).to.deep.equal({
255
+ level1: {
256
+ level2: {
257
+ level3: {
258
+ data: 'safe',
259
+ },
260
+ },
261
+ },
262
+ });
263
+ expect(Object.keys(sanitized.level1.level2.level3)).to.not.include('__proto__');
264
+ });
265
+ it('should remove dangerous keys case-insensitively', () => {
266
+ const params = { username: 'alice' };
267
+ params['__PROTO__'] = { evil: true };
268
+ params['CONSTRUCTOR'] = { bad: true };
269
+ params['ProtoType'] = { wrong: true };
270
+ const sanitized = sanitizeParams(params);
271
+ expect(sanitized).to.deep.equal({ username: 'alice' });
272
+ expect(Object.keys(sanitized)).to.deep.equal(['username']);
273
+ });
274
+ });
275
+ // ========================================================================
276
+ // REQUEST SCHEMA VALIDATION TESTS
277
+ // ========================================================================
278
+ describe('Request Schema Validation', () => {
279
+ it('should validate valid POST /use request', () => {
280
+ const request = {
281
+ address: 'o://my-tool',
282
+ method: 'getData',
283
+ params: { id: 123 },
284
+ id: 'req-123',
285
+ };
286
+ const validated = validateRequest(request, useRequestSchema);
287
+ expect(validated).to.deep.equal(request);
288
+ });
289
+ it('should accept minimal POST /use request (address and method)', () => {
290
+ const request = { address: 'o://my-tool', method: 'getData' };
291
+ const validated = validateRequest(request, useRequestSchema);
292
+ expect(validated).to.deep.equal(request);
293
+ });
294
+ it('should reject POST /use request with missing address', () => {
295
+ const request = { method: 'getData', params: {} };
296
+ expect(() => validateRequest(request, useRequestSchema))
297
+ .to.throw(ValidationError)
298
+ .with.property('code', 'INVALID_PARAMS');
299
+ });
300
+ it('should reject POST /use request with missing method', () => {
301
+ const request = { address: 'o://my-tool' };
302
+ expect(() => validateRequest(request, useRequestSchema))
303
+ .to.throw(ValidationError)
304
+ .with.property('code', 'INVALID_PARAMS');
305
+ });
306
+ it('should reject POST /use request with empty address', () => {
307
+ const request = { address: '' };
308
+ expect(() => validateRequest(request, useRequestSchema))
309
+ .to.throw(ValidationError)
310
+ .with.property('code', 'INVALID_PARAMS');
311
+ });
312
+ it('should reject POST /use request with invalid type', () => {
313
+ const request = { address: 123 };
314
+ expect(() => validateRequest(request, useRequestSchema))
315
+ .to.throw(ValidationError)
316
+ .with.property('code', 'INVALID_PARAMS');
317
+ });
318
+ it('should validate valid POST /use/stream request', () => {
319
+ const request = {
320
+ address: 'o://my-tool',
321
+ method: 'streamData',
322
+ params: { filter: 'active' },
323
+ };
324
+ const validated = validateRequest(request, streamRequestSchema);
325
+ expect(validated).to.deep.equal(request);
326
+ });
327
+ it('should reject POST /stream request with missing address', () => {
328
+ const request = { method: 'streamData' };
329
+ expect(() => validateRequest(request, streamRequestSchema))
330
+ .to.throw(ValidationError)
331
+ .with.property('code', 'INVALID_PARAMS');
332
+ });
333
+ it('should provide readable error messages', () => {
334
+ const request = { wrongField: 'test' };
335
+ try {
336
+ validateRequest(request, useRequestSchema);
337
+ expect.fail('Should have thrown');
338
+ }
339
+ catch (error) {
340
+ expect(error).to.be.instanceOf(ValidationError);
341
+ expect(error.message).to.include('address');
342
+ expect(error.message.toLowerCase()).to.include('required');
343
+ }
344
+ });
345
+ });
346
+ // ========================================================================
347
+ // INTEGRATION TESTS - ATTACK PREVENTION
348
+ // ========================================================================
349
+ describe('Integration Tests - Attack Prevention', () => {
350
+ it('should handle SQL injection attempts appropriately', () => {
351
+ // SQL injection strings in params are allowed through sanitization
352
+ // because our validation focuses on structural attacks (prototype pollution)
353
+ // SQL injection prevention is the responsibility of the database layer
354
+ const maliciousParams = {
355
+ username: "admin' OR '1'='1",
356
+ password: "' OR '1'='1' --",
357
+ };
358
+ const sanitized = sanitizeParams(maliciousParams);
359
+ expect(sanitized).to.deep.equal(maliciousParams);
360
+ // However, addresses with path traversal or control chars are blocked
361
+ expect(() => validateAddress("o://users/../../../etc/passwd"))
362
+ .to.throw(ValidationError)
363
+ .with.property('code', 'INVALID_ADDRESS');
364
+ });
365
+ it('should block NoSQL injection attempt via prototype pollution', () => {
366
+ const maliciousParams = { username: 'admin' };
367
+ maliciousParams['__proto__'] = { isAdmin: true };
368
+ maliciousParams['constructor'] = { name: 'Object' };
369
+ const sanitized = sanitizeParams(maliciousParams);
370
+ expect(sanitized).to.deep.equal({ username: 'admin' });
371
+ expect(Object.keys(sanitized)).to.deep.equal(['username']);
372
+ });
373
+ it('should block XSS attempt in address', () => {
374
+ const xssAddresses = [
375
+ 'o://tool/<script>alert(1)</script>',
376
+ 'o://tool/"><script>alert(1)</script>',
377
+ "o://tool/';alert(1);//",
378
+ ];
379
+ // These would be caught by the o:// validation or by having invalid characters
380
+ xssAddresses.forEach((addr) => {
381
+ // XSS payloads typically contain characters that would be caught by validation
382
+ // The main protection is proper output encoding on the client side
383
+ // But we ensure no control characters pass through
384
+ if (/[\x00-\x1F\x7F]/.test(addr)) {
385
+ expect(() => validateAddress(addr))
386
+ .to.throw(ValidationError);
387
+ }
388
+ });
389
+ });
390
+ it('should block comprehensive prototype pollution attempt', () => {
391
+ const maliciousParams = {
392
+ user: {
393
+ name: 'attacker',
394
+ },
395
+ settings: {},
396
+ data: [
397
+ {
398
+ value: 'test',
399
+ },
400
+ ],
401
+ };
402
+ maliciousParams.user['__proto__'] = {
403
+ isAdmin: true,
404
+ role: 'admin',
405
+ };
406
+ maliciousParams.settings['constructor'] = {
407
+ prototype: {
408
+ isAdmin: true,
409
+ },
410
+ };
411
+ maliciousParams.data[0]['__proto__'] = { polluted: true };
412
+ const sanitized = sanitizeParams(maliciousParams);
413
+ // All dangerous properties should be removed
414
+ expect(sanitized).to.deep.equal({
415
+ user: {
416
+ name: 'attacker',
417
+ },
418
+ settings: {},
419
+ data: [
420
+ {
421
+ value: 'test',
422
+ },
423
+ ],
424
+ });
425
+ // Verify prototype is not polluted
426
+ const testObj = {};
427
+ expect(testObj.isAdmin).to.be.undefined;
428
+ expect(testObj.polluted).to.be.undefined;
429
+ });
430
+ it('should block path traversal in nested address components', () => {
431
+ const traversalAddresses = [
432
+ 'o://tool/../../etc/passwd',
433
+ 'o://tool/../../../root/.ssh/id_rsa',
434
+ 'o://tool/subpath/../../../../../../etc/shadow',
435
+ ];
436
+ traversalAddresses.forEach((addr) => {
437
+ expect(() => validateAddress(addr))
438
+ .to.throw(ValidationError)
439
+ .with.property('code', 'INVALID_ADDRESS');
440
+ });
441
+ });
442
+ it('should block method-based attacks', () => {
443
+ const dangerousMethods = [
444
+ '_privateMethod',
445
+ '__proto__',
446
+ 'constructor',
447
+ 'prototype',
448
+ '__defineGetter__',
449
+ '__defineSetter__',
450
+ '__lookupGetter__',
451
+ '__lookupSetter__',
452
+ ];
453
+ dangerousMethods.forEach((method) => {
454
+ expect(() => validateMethod(method))
455
+ .to.throw(ValidationError)
456
+ .with.property('code', 'INVALID_METHOD');
457
+ });
458
+ });
459
+ it('should handle combined attack vectors', () => {
460
+ // Address with path traversal
461
+ expect(() => validateAddress('o://tool/../../../etc'))
462
+ .to.throw(ValidationError);
463
+ // Method with private access
464
+ expect(() => validateMethod('_internal'))
465
+ .to.throw(ValidationError);
466
+ // Params with prototype pollution
467
+ const params = { data: 'test' };
468
+ params['__proto__'] = { isAdmin: true };
469
+ params['constructor'] = { evil: true };
470
+ const sanitized = sanitizeParams(params);
471
+ expect(sanitized).to.deep.equal({ data: 'test' });
472
+ expect(Object.keys(sanitized)).to.deep.equal(['data']);
473
+ });
474
+ it('should prevent null byte injection', () => {
475
+ expect(() => validateAddress('o://tool\x00/resource'))
476
+ .to.throw(ValidationError);
477
+ expect(() => validateMethod('method\x00Name'))
478
+ .to.throw(ValidationError);
479
+ });
480
+ it('should prevent CRLF injection', () => {
481
+ expect(() => validateAddress('o://tool\r\n/resource'))
482
+ .to.throw(ValidationError);
483
+ expect(() => validateMethod('method\r\nName'))
484
+ .to.throw(ValidationError);
485
+ });
486
+ });
487
+ });
package/dist/test/jwt-auth.spec.d.ts ADDED
@@ -0,0 +1,2 @@
1
+ export {};
2
+ //# sourceMappingURL=jwt-auth.spec.d.ts.map
package/dist/test/jwt-auth.spec.d.ts.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"jwt-auth.spec.d.ts","sourceRoot":"","sources":["../../test/jwt-auth.spec.ts"],"names":[],"mappings":""}