@sparkleideas/security 3.0.0-alpha.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (34) hide show
  1. package/README.md +234 -0
  2. package/__tests__/acceptance/security-compliance.test.ts +674 -0
  3. package/__tests__/credential-generator.test.ts +310 -0
  4. package/__tests__/fixtures/configurations.ts +419 -0
  5. package/__tests__/fixtures/index.ts +21 -0
  6. package/__tests__/helpers/create-mock.ts +469 -0
  7. package/__tests__/helpers/index.ts +32 -0
  8. package/__tests__/input-validator.test.ts +381 -0
  9. package/__tests__/integration/security-flow.test.ts +606 -0
  10. package/__tests__/password-hasher.test.ts +239 -0
  11. package/__tests__/path-validator.test.ts +302 -0
  12. package/__tests__/safe-executor.test.ts +292 -0
  13. package/__tests__/token-generator.test.ts +371 -0
  14. package/__tests__/unit/credential-generator.test.ts +182 -0
  15. package/__tests__/unit/password-hasher.test.ts +359 -0
  16. package/__tests__/unit/path-validator.test.ts +509 -0
  17. package/__tests__/unit/safe-executor.test.ts +667 -0
  18. package/__tests__/unit/token-generator.test.ts +310 -0
  19. package/package.json +28 -0
  20. package/src/CVE-REMEDIATION.ts +251 -0
  21. package/src/application/index.ts +10 -0
  22. package/src/application/services/security-application-service.ts +193 -0
  23. package/src/credential-generator.ts +368 -0
  24. package/src/domain/entities/security-context.ts +173 -0
  25. package/src/domain/index.ts +17 -0
  26. package/src/domain/services/security-domain-service.ts +296 -0
  27. package/src/index.ts +271 -0
  28. package/src/input-validator.ts +466 -0
  29. package/src/password-hasher.ts +270 -0
  30. package/src/path-validator.ts +525 -0
  31. package/src/safe-executor.ts +525 -0
  32. package/src/token-generator.ts +463 -0
  33. package/tmp.json +0 -0
  34. package/tsconfig.json +9 -0
package/__tests__/input-validator.test.ts ADDED
@@ -0,0 +1,381 @@
1
+ /**
2
+ * Input Validator Tests
3
+ *
4
+ * Tests verify:
5
+ * - Zod schema validation
6
+ * - Input sanitization
7
+ * - Authentication schemas
8
+ * - Command and path schemas
9
+ */
10
+
11
+ import { describe, it, expect } from 'vitest';
12
+ import {
13
+ InputValidator,
14
+ sanitizeString,
15
+ sanitizeHtml,
16
+ sanitizePath,
17
+ SafeStringSchema,
18
+ IdentifierSchema,
19
+ EmailSchema,
20
+ PasswordSchema,
21
+ UUIDSchema,
22
+ HttpsUrlSchema,
23
+ PortSchema,
24
+ UserRoleSchema,
25
+ PermissionSchema,
26
+ LoginRequestSchema,
27
+ CreateUserSchema,
28
+ TaskInputSchema,
29
+ CommandArgumentSchema,
30
+ PathSchema,
31
+ PATTERNS,
32
+ LIMITS,
33
+ } from '../../security/input-validator.js';
34
+
35
+ describe('InputValidator', () => {
36
+ describe('SafeStringSchema', () => {
37
+ it('should accept safe strings', () => {
38
+ expect(() => SafeStringSchema.parse('hello world')).not.toThrow();
39
+ });
40
+
41
+ it('should reject empty strings', () => {
42
+ expect(() => SafeStringSchema.parse('')).toThrow();
43
+ });
44
+
45
+ it('should reject strings with shell metacharacters', () => {
46
+ const dangerous = [';', '&&', '||', '|', '`', '$()', '${}', '>', '<'];
47
+ for (const char of dangerous) {
48
+ expect(() => SafeStringSchema.parse(`hello${char}world`)).toThrow();
49
+ }
50
+ });
51
+ });
52
+
53
+ describe('IdentifierSchema', () => {
54
+ it('should accept valid identifiers', () => {
55
+ expect(() => IdentifierSchema.parse('validId')).not.toThrow();
56
+ expect(() => IdentifierSchema.parse('valid-id')).not.toThrow();
57
+ expect(() => IdentifierSchema.parse('valid_id')).not.toThrow();
58
+ expect(() => IdentifierSchema.parse('validId123')).not.toThrow();
59
+ });
60
+
61
+ it('should reject identifiers starting with number', () => {
62
+ expect(() => IdentifierSchema.parse('123invalid')).toThrow();
63
+ });
64
+
65
+ it('should reject identifiers with special characters', () => {
66
+ expect(() => IdentifierSchema.parse('invalid@id')).toThrow();
67
+ expect(() => IdentifierSchema.parse('invalid id')).toThrow();
68
+ });
69
+
70
+ it('should reject empty identifiers', () => {
71
+ expect(() => IdentifierSchema.parse('')).toThrow();
72
+ });
73
+ });
74
+
75
+ describe('EmailSchema', () => {
76
+ it('should accept valid emails', () => {
77
+ expect(() => EmailSchema.parse('user@example.com')).not.toThrow();
78
+ expect(() => EmailSchema.parse('user.name@example.co.uk')).not.toThrow();
79
+ });
80
+
81
+ it('should reject invalid emails', () => {
82
+ expect(() => EmailSchema.parse('notanemail')).toThrow();
83
+ expect(() => EmailSchema.parse('@nodomain.com')).toThrow();
84
+ expect(() => EmailSchema.parse('no@')).toThrow();
85
+ });
86
+
87
+ it('should lowercase emails', () => {
88
+ const result = EmailSchema.parse('USER@EXAMPLE.COM');
89
+ expect(result).toBe('user@example.com');
90
+ });
91
+
92
+ it('should reject too long emails', () => {
93
+ const longEmail = 'a'.repeat(300) + '@example.com';
94
+ expect(() => EmailSchema.parse(longEmail)).toThrow();
95
+ });
96
+ });
97
+
98
+ describe('PasswordSchema', () => {
99
+ it('should accept valid passwords', () => {
100
+ expect(() => PasswordSchema.parse('SecurePass123')).not.toThrow();
101
+ });
102
+
103
+ it('should reject short passwords', () => {
104
+ expect(() => PasswordSchema.parse('Short1')).toThrow();
105
+ });
106
+
107
+ it('should reject passwords without uppercase', () => {
108
+ expect(() => PasswordSchema.parse('lowercase123')).toThrow();
109
+ });
110
+
111
+ it('should reject passwords without lowercase', () => {
112
+ expect(() => PasswordSchema.parse('UPPERCASE123')).toThrow();
113
+ });
114
+
115
+ it('should reject passwords without digits', () => {
116
+ expect(() => PasswordSchema.parse('NoDigitsHere')).toThrow();
117
+ });
118
+ });
119
+
120
+ describe('UUIDSchema', () => {
121
+ it('should accept valid UUIDs', () => {
122
+ expect(() => UUIDSchema.parse('550e8400-e29b-41d4-a716-446655440000')).not.toThrow();
123
+ });
124
+
125
+ it('should reject invalid UUIDs', () => {
126
+ expect(() => UUIDSchema.parse('not-a-uuid')).toThrow();
127
+ expect(() => UUIDSchema.parse('550e8400-e29b-41d4-a716')).toThrow();
128
+ });
129
+ });
130
+
131
+ describe('HttpsUrlSchema', () => {
132
+ it('should accept HTTPS URLs', () => {
133
+ expect(() => HttpsUrlSchema.parse('https://example.com')).not.toThrow();
134
+ expect(() => HttpsUrlSchema.parse('https://example.com/path')).not.toThrow();
135
+ });
136
+
137
+ it('should reject HTTP URLs', () => {
138
+ expect(() => HttpsUrlSchema.parse('http://example.com')).toThrow();
139
+ });
140
+
141
+ it('should reject invalid URLs', () => {
142
+ expect(() => HttpsUrlSchema.parse('not-a-url')).toThrow();
143
+ });
144
+ });
145
+
146
+ describe('PortSchema', () => {
147
+ it('should accept valid ports', () => {
148
+ expect(() => PortSchema.parse(80)).not.toThrow();
149
+ expect(() => PortSchema.parse(443)).not.toThrow();
150
+ expect(() => PortSchema.parse(3000)).not.toThrow();
151
+ expect(() => PortSchema.parse(65535)).not.toThrow();
152
+ });
153
+
154
+ it('should reject invalid ports', () => {
155
+ expect(() => PortSchema.parse(0)).toThrow();
156
+ expect(() => PortSchema.parse(-1)).toThrow();
157
+ expect(() => PortSchema.parse(65536)).toThrow();
158
+ expect(() => PortSchema.parse(3.14)).toThrow();
159
+ });
160
+ });
161
+
162
+ describe('UserRoleSchema', () => {
163
+ it('should accept valid roles', () => {
164
+ expect(() => UserRoleSchema.parse('admin')).not.toThrow();
165
+ expect(() => UserRoleSchema.parse('operator')).not.toThrow();
166
+ expect(() => UserRoleSchema.parse('developer')).not.toThrow();
167
+ expect(() => UserRoleSchema.parse('viewer')).not.toThrow();
168
+ expect(() => UserRoleSchema.parse('service')).not.toThrow();
169
+ });
170
+
171
+ it('should reject invalid roles', () => {
172
+ expect(() => UserRoleSchema.parse('superuser')).toThrow();
173
+ expect(() => UserRoleSchema.parse('root')).toThrow();
174
+ });
175
+ });
176
+
177
+ describe('PermissionSchema', () => {
178
+ it('should accept valid permissions', () => {
179
+ expect(() => PermissionSchema.parse('swarm.create')).not.toThrow();
180
+ expect(() => PermissionSchema.parse('agent.spawn')).not.toThrow();
181
+ expect(() => PermissionSchema.parse('system.admin')).not.toThrow();
182
+ });
183
+
184
+ it('should reject invalid permissions', () => {
185
+ expect(() => PermissionSchema.parse('invalid.permission')).toThrow();
186
+ });
187
+ });
188
+
189
+ describe('LoginRequestSchema', () => {
190
+ it('should accept valid login request', () => {
191
+ expect(() => LoginRequestSchema.parse({
192
+ email: 'user@example.com',
193
+ password: 'password123',
194
+ })).not.toThrow();
195
+ });
196
+
197
+ it('should accept login with MFA code', () => {
198
+ expect(() => LoginRequestSchema.parse({
199
+ email: 'user@example.com',
200
+ password: 'password123',
201
+ mfaCode: '123456',
202
+ })).not.toThrow();
203
+ });
204
+
205
+ it('should reject invalid MFA code length', () => {
206
+ expect(() => LoginRequestSchema.parse({
207
+ email: 'user@example.com',
208
+ password: 'password123',
209
+ mfaCode: '12345', // 5 digits instead of 6
210
+ })).toThrow();
211
+ });
212
+ });
213
+
214
+ describe('CreateUserSchema', () => {
215
+ it('should accept valid user creation', () => {
216
+ expect(() => CreateUserSchema.parse({
217
+ email: 'user@example.com',
218
+ password: 'SecurePass123',
219
+ role: 'developer',
220
+ })).not.toThrow();
221
+ });
222
+
223
+ it('should require strong password', () => {
224
+ expect(() => CreateUserSchema.parse({
225
+ email: 'user@example.com',
226
+ password: 'weak',
227
+ role: 'developer',
228
+ })).toThrow();
229
+ });
230
+ });
231
+
232
+ describe('TaskInputSchema', () => {
233
+ it('should accept valid task input', () => {
234
+ expect(() => TaskInputSchema.parse({
235
+ taskId: '550e8400-e29b-41d4-a716-446655440000',
236
+ content: 'Implement new feature',
237
+ agentType: 'coder',
238
+ })).not.toThrow();
239
+ });
240
+
241
+ it('should reject task with shell characters in content', () => {
242
+ expect(() => TaskInputSchema.parse({
243
+ taskId: '550e8400-e29b-41d4-a716-446655440000',
244
+ content: 'Implement feature; rm -rf /',
245
+ agentType: 'coder',
246
+ })).toThrow();
247
+ });
248
+ });
249
+
250
+ describe('CommandArgumentSchema', () => {
251
+ it('should accept safe arguments', () => {
252
+ expect(() => CommandArgumentSchema.parse('--flag')).not.toThrow();
253
+ expect(() => CommandArgumentSchema.parse('value')).not.toThrow();
254
+ expect(() => CommandArgumentSchema.parse('path/to/file')).not.toThrow();
255
+ });
256
+
257
+ it('should reject arguments with null bytes', () => {
258
+ expect(() => CommandArgumentSchema.parse('arg\x00injected')).toThrow();
259
+ });
260
+
261
+ it('should reject arguments with shell metacharacters', () => {
262
+ expect(() => CommandArgumentSchema.parse('arg;injected')).toThrow();
263
+ expect(() => CommandArgumentSchema.parse('arg&&injected')).toThrow();
264
+ expect(() => CommandArgumentSchema.parse('arg|injected')).toThrow();
265
+ });
266
+ });
267
+
268
+ describe('PathSchema', () => {
269
+ it('should accept valid paths', () => {
270
+ expect(() => PathSchema.parse('/path/to/file.ts')).not.toThrow();
271
+ expect(() => PathSchema.parse('./relative/path')).not.toThrow();
272
+ });
273
+
274
+ it('should reject paths with traversal', () => {
275
+ expect(() => PathSchema.parse('/path/../etc/passwd')).toThrow();
276
+ });
277
+
278
+ it('should reject paths with null bytes', () => {
279
+ expect(() => PathSchema.parse('/path/file\x00.jpg')).toThrow();
280
+ });
281
+ });
282
+
283
+ describe('Sanitization Functions', () => {
284
+ describe('sanitizeString', () => {
285
+ it('should remove null bytes', () => {
286
+ expect(sanitizeString('hello\x00world')).toBe('helloworld');
287
+ });
288
+
289
+ it('should remove HTML brackets', () => {
290
+ expect(sanitizeString('<script>alert(1)</script>')).toBe('scriptalert(1)/script');
291
+ });
292
+
293
+ it('should remove javascript: protocol', () => {
294
+ expect(sanitizeString('javascript:alert(1)')).toBe('alert(1)');
295
+ });
296
+
297
+ it('should trim whitespace', () => {
298
+ expect(sanitizeString(' hello ')).toBe('hello');
299
+ });
300
+ });
301
+
302
+ describe('sanitizeHtml', () => {
303
+ it('should escape HTML entities', () => {
304
+ expect(sanitizeHtml('<script>')).toBe('&lt;script&gt;');
305
+ expect(sanitizeHtml('"quoted"')).toBe('&quot;quoted&quot;');
306
+ expect(sanitizeHtml("'apostrophe'")).toBe('&#x27;apostrophe&#x27;');
307
+ expect(sanitizeHtml('a & b')).toBe('a &amp; b');
308
+ });
309
+ });
310
+
311
+ describe('sanitizePath', () => {
312
+ it('should remove null bytes', () => {
313
+ expect(sanitizePath('/path\x00/file')).toBe('path/file');
314
+ });
315
+
316
+ it('should remove traversal patterns', () => {
317
+ expect(sanitizePath('../etc/passwd')).toBe('/etc/passwd');
318
+ });
319
+
320
+ it('should normalize slashes', () => {
321
+ expect(sanitizePath('/path//to///file')).toBe('path/to/file');
322
+ });
323
+
324
+ it('should remove leading slash', () => {
325
+ expect(sanitizePath('/absolute/path')).toBe('absolute/path');
326
+ });
327
+ });
328
+ });
329
+
330
+ describe('InputValidator Class', () => {
331
+ it('should validate email', () => {
332
+ expect(InputValidator.validateEmail('user@example.com')).toBe('user@example.com');
333
+ });
334
+
335
+ it('should validate password', () => {
336
+ expect(() => InputValidator.validatePassword('SecurePass123')).not.toThrow();
337
+ });
338
+
339
+ it('should validate identifier', () => {
340
+ expect(InputValidator.validateIdentifier('myId')).toBe('myId');
341
+ });
342
+
343
+ it('should validate path', () => {
344
+ expect(InputValidator.validatePath('/valid/path')).toBe('/valid/path');
345
+ });
346
+
347
+ it('should validate command argument', () => {
348
+ expect(InputValidator.validateCommandArg('--flag')).toBe('--flag');
349
+ });
350
+
351
+ it('should validate login request', () => {
352
+ const result = InputValidator.validateLoginRequest({
353
+ email: 'USER@example.com',
354
+ password: 'password',
355
+ });
356
+ expect(result.email).toBe('user@example.com');
357
+ });
358
+
359
+ it('should safely parse with result', () => {
360
+ const success = InputValidator.safeParse(EmailSchema, 'user@example.com');
361
+ expect(success.success).toBe(true);
362
+
363
+ const failure = InputValidator.safeParse(EmailSchema, 'invalid');
364
+ expect(failure.success).toBe(false);
365
+ });
366
+ });
367
+
368
+ describe('Constants', () => {
369
+ it('should export PATTERNS', () => {
370
+ expect(PATTERNS.SAFE_IDENTIFIER).toBeDefined();
371
+ expect(PATTERNS.SAFE_FILENAME).toBeDefined();
372
+ expect(PATTERNS.NO_SHELL_CHARS).toBeDefined();
373
+ });
374
+
375
+ it('should export LIMITS', () => {
376
+ expect(LIMITS.MIN_PASSWORD_LENGTH).toBe(8);
377
+ expect(LIMITS.MAX_PASSWORD_LENGTH).toBe(128);
378
+ expect(LIMITS.MAX_PATH_LENGTH).toBe(4096);
379
+ });
380
+ });
381
+ });