@sparkleideas/security 3.0.0-alpha.10

package/__tests__/password-hasher.test.ts

@@ -0,0 +1,239 @@
+/**
+ * Password Hasher Tests - CVE-2 Remediation Validation
+ *
+ * Tests verify:
+ * - bcrypt is used instead of SHA-256
+ * - 12 rounds minimum
+ * - Password validation rules
+ * - Timing-safe comparison
+ */
+
+import { describe, it, expect, beforeEach } from 'vitest';
+import {
+  PasswordHasher,
+  PasswordHashError,
+  createPasswordHasher,
+} from '../../security/password-hasher.js';
+
+describe('PasswordHasher', () => {
+  let hasher: PasswordHasher;
+
+  beforeEach(() => {
+    hasher = new PasswordHasher({ rounds: 12 });
+  });
+
+  describe('Configuration', () => {
+    it('should create hasher with default 12 rounds', () => {
+      const defaultHasher = new PasswordHasher();
+      expect(defaultHasher.getConfig().rounds).toBe(12);
+    });
+
+    it('should reject rounds below 10', () => {
+      expect(() => new PasswordHasher({ rounds: 8 })).toThrow(PasswordHashError);
+    });
+
+    it('should reject rounds above 20', () => {
+      expect(() => new PasswordHasher({ rounds: 22 })).toThrow(PasswordHashError);
+    });
+
+    it('should reject minimum password length below 8', () => {
+      expect(() => new PasswordHasher({ minLength: 4 })).toThrow(PasswordHashError);
+    });
+  });
+
+  describe('Password Validation', () => {
+    it('should reject empty password', () => {
+      const result = hasher.validate('');
+      expect(result.isValid).toBe(false);
+      expect(result.errors).toContain('Password is required');
+    });
+
+    it('should reject password shorter than minimum', () => {
+      const result = hasher.validate('short');
+      expect(result.isValid).toBe(false);
+      expect(result.errors.some(e => e.includes('at least'))).toBe(true);
+    });
+
+    it('should reject password without uppercase', () => {
+      const result = hasher.validate('password123');
+      expect(result.isValid).toBe(false);
+      expect(result.errors.some(e => e.includes('uppercase'))).toBe(true);
+    });
+
+    it('should reject password without lowercase', () => {
+      const result = hasher.validate('PASSWORD123');
+      expect(result.isValid).toBe(false);
+      expect(result.errors.some(e => e.includes('lowercase'))).toBe(true);
+    });
+
+    it('should reject password without digit', () => {
+      const result = hasher.validate('PasswordNoDigit');
+      expect(result.isValid).toBe(false);
+      expect(result.errors.some(e => e.includes('digit'))).toBe(true);
+    });
+
+    it('should accept valid password', () => {
+      const result = hasher.validate('SecurePass123');
+      expect(result.isValid).toBe(true);
+      expect(result.errors).toHaveLength(0);
+    });
+
+    it('should optionally require special character', () => {
+      const strictHasher = new PasswordHasher({ requireSpecial: true });
+      const result = strictHasher.validate('SecurePass123');
+      expect(result.isValid).toBe(false);
+      expect(result.errors.some(e => e.includes('special'))).toBe(true);
+    });
+
+    it('should accept password with special character when required', () => {
+      const strictHasher = new PasswordHasher({ requireSpecial: true });
+      const result = strictHasher.validate('SecurePass123!');
+      expect(result.isValid).toBe(true);
+    });
+  });
+
+  describe('Password Hashing', () => {
+    it('should hash password with bcrypt', async () => {
+      const hash = await hasher.hash('SecurePass123');
+
+      // bcrypt hashes start with $2a$, $2b$, or $2y$
+      expect(hash).toMatch(/^\$2[aby]\$\d{2}\$/);
+    });
+
+    it('should produce different hashes for same password', async () => {
+      const hash1 = await hasher.hash('SecurePass123');
+      const hash2 = await hasher.hash('SecurePass123');
+
+      expect(hash1).not.toBe(hash2); // Different salts
+    });
+
+    it('should include rounds in hash', async () => {
+      const hash = await hasher.hash('SecurePass123');
+
+      // Hash format: $2b$12$...
+      expect(hash).toContain('$12$');
+    });
+
+    it('should throw for invalid password', async () => {
+      await expect(hasher.hash('short')).rejects.toThrow(PasswordHashError);
+    });
+
+    it('should throw for empty password', async () => {
+      await expect(hasher.hash('')).rejects.toThrow(PasswordHashError);
+    });
+  });
+
+  describe('Password Verification', () => {
+    it('should verify correct password', async () => {
+      const password = 'SecurePass123';
+      const hash = await hasher.hash(password);
+
+      const isValid = await hasher.verify(password, hash);
+      expect(isValid).toBe(true);
+    });
+
+    it('should reject incorrect password', async () => {
+      const hash = await hasher.hash('SecurePass123');
+
+      const isValid = await hasher.verify('WrongPass123', hash);
+      expect(isValid).toBe(false);
+    });
+
+    it('should return false for empty password', async () => {
+      const hash = await hasher.hash('SecurePass123');
+
+      const isValid = await hasher.verify('', hash);
+      expect(isValid).toBe(false);
+    });
+
+    it('should return false for empty hash', async () => {
+      const isValid = await hasher.verify('SecurePass123', '');
+      expect(isValid).toBe(false);
+    });
+
+    it('should return false for invalid hash format', async () => {
+      const isValid = await hasher.verify('SecurePass123', 'invalid-hash');
+      expect(isValid).toBe(false);
+    });
+
+    it('should return false for SHA-256 hash (old format)', async () => {
+      // SHA-256 hash format (what we're replacing)
+      const sha256Hash = 'a665a45920422f9d417e4867efdc4fb8a04a1f3fff1fa07e998e86f7f7a27ae3';
+
+      const isValid = await hasher.verify('password', sha256Hash);
+      expect(isValid).toBe(false);
+    });
+  });
+
+  describe('Rehash Detection', () => {
+    it('should not need rehash for current rounds', async () => {
+      const hash = await hasher.hash('SecurePass123');
+      expect(hasher.needsRehash(hash)).toBe(false);
+    });
+
+    it('should need rehash for lower rounds', () => {
+      // Hash with 10 rounds
+      const lowRoundsHash = '$2b$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy';
+      expect(hasher.needsRehash(lowRoundsHash)).toBe(true);
+    });
+
+    it('should need rehash for invalid format', () => {
+      expect(hasher.needsRehash('invalid-hash')).toBe(true);
+    });
+
+    it('should need rehash for SHA-256 hash', () => {
+      const sha256Hash = 'a665a45920422f9d417e4867efdc4fb8a04a1f3fff1fa07e998e86f7f7a27ae3';
+      expect(hasher.needsRehash(sha256Hash)).toBe(true);
+    });
+  });
+
+  describe('Factory Function', () => {
+    it('should create hasher with specified rounds', () => {
+      const hasher12 = createPasswordHasher(12);
+      expect(hasher12.getConfig().rounds).toBe(12);
+
+      const hasher14 = createPasswordHasher(14);
+      expect(hasher14.getConfig().rounds).toBe(14);
+    });
+
+    it('should use default 12 rounds', () => {
+      const hasher = createPasswordHasher();
+      expect(hasher.getConfig().rounds).toBe(12);
+    });
+  });
+
+  describe('CVE-2 Security Verification', () => {
+    it('should NOT use hardcoded salt', async () => {
+      // Generate multiple hashes and verify they have different salts
+      const hashes = await Promise.all([
+        hasher.hash('SecurePass123'),
+        hasher.hash('SecurePass123'),
+        hasher.hash('SecurePass123'),
+      ]);
+
+      // Extract salts (22 chars after $2b$12$)
+      const salts = hashes.map(h => h.substring(7, 29));
+
+      // All salts should be unique
+      const uniqueSalts = new Set(salts);
+      expect(uniqueSalts.size).toBe(3);
+    });
+
+    it('should NOT produce same hash for same input (unlike SHA-256)', async () => {
+      // SHA-256 with hardcoded salt would produce identical output
+      const hash1 = await hasher.hash('SecurePass123');
+      const hash2 = await hasher.hash('SecurePass123');
+
+      expect(hash1).not.toBe(hash2);
+    });
+
+    it('should produce hash that takes time to compute', async () => {
+      const start = Date.now();
+      await hasher.hash('SecurePass123');
+      const duration = Date.now() - start;
+
+      // bcrypt with 12 rounds should take measurable time (>10ms typically)
+      expect(duration).toBeGreaterThan(5);
+    });
+  });
+});

package/__tests__/path-validator.test.ts

@@ -0,0 +1,302 @@
+/**
+ * Path Validator Tests - HIGH-2 Remediation Validation
+ *
+ * Tests verify:
+ * - Path traversal prevention
+ * - Prefix validation
+ * - Symlink handling
+ * - Blocked file detection
+ */
+
+import { describe, it, expect, beforeEach } from 'vitest';
+import * as path from 'path';
+import {
+  PathValidator,
+  PathValidatorError,
+  createProjectPathValidator,
+  createFullProjectPathValidator,
+} from '../../security/path-validator.js';
+
+describe('PathValidator', () => {
+  let validator: PathValidator;
+  const projectRoot = '/workspaces/project';
+
+  beforeEach(() => {
+    validator = new PathValidator({
+      allowedPrefixes: [projectRoot],
+      allowHidden: false,
+    });
+  });
+
+  describe('Configuration', () => {
+    it('should require at least one prefix', () => {
+      expect(() => new PathValidator({
+        allowedPrefixes: [],
+      })).toThrow(PathValidatorError);
+    });
+
+    it('should resolve prefixes to absolute paths', () => {
+      const relativeValidator = new PathValidator({
+        allowedPrefixes: ['./src'],
+      });
+
+      const prefixes = relativeValidator.getAllowedPrefixes();
+      expect(prefixes[0]).toMatch(/^\//);
+    });
+  });
+
+  describe('Path Traversal Prevention', () => {
+    it('should block ../ traversal', async () => {
+      const result = await validator.validate('/workspaces/project/../etc/passwd');
+      expect(result.isValid).toBe(false);
+      expect(result.errors).toContain('Path traversal pattern detected');
+    });
+
+    it('should block ..\\ traversal (Windows)', async () => {
+      const result = await validator.validate('/workspaces/project\\..\\..\\etc\\passwd');
+      expect(result.isValid).toBe(false);
+    });
+
+    it('should block URL-encoded traversal (%2e%2e)', async () => {
+      const result = await validator.validate('/workspaces/project/%2e%2e/etc/passwd');
+      expect(result.isValid).toBe(false);
+      expect(result.errors).toContain('Path traversal pattern detected');
+    });
+
+    it('should block double URL-encoded traversal', async () => {
+      const result = await validator.validate('/workspaces/project/%252e%252e/etc/passwd');
+      expect(result.isValid).toBe(false);
+    });
+
+    it('should block mixed encoding traversal', async () => {
+      const result = await validator.validate('/workspaces/project/.%2e/etc/passwd');
+      expect(result.isValid).toBe(false);
+    });
+
+    it('should block null byte injection', async () => {
+      const result = await validator.validate('/workspaces/project/file.txt\x00.jpg');
+      expect(result.isValid).toBe(false);
+      expect(result.errors).toContain('Path traversal pattern detected');
+    });
+
+    it('should block URL-encoded null byte', async () => {
+      const result = await validator.validate('/workspaces/project/file.txt%00.jpg');
+      expect(result.isValid).toBe(false);
+    });
+  });
+
+  describe('Prefix Validation', () => {
+    it('should allow paths within prefix', async () => {
+      const result = await validator.validate('/workspaces/project/src/file.ts');
+      expect(result.isValid).toBe(true);
+      expect(result.matchedPrefix).toBe(projectRoot);
+    });
+
+    it('should block paths outside prefix', async () => {
+      const result = await validator.validate('/etc/passwd');
+      expect(result.isValid).toBe(false);
+      expect(result.errors).toContain('Path is outside allowed directories');
+    });
+
+    it('should block paths that start with prefix but escape', async () => {
+      const result = await validator.validate('/workspaces/project-other/file.ts');
+      expect(result.isValid).toBe(false);
+    });
+
+    it('should handle exact prefix match', async () => {
+      const result = await validator.validate(projectRoot);
+      expect(result.isValid).toBe(true);
+    });
+
+    it('should calculate relative path correctly', async () => {
+      const result = await validator.validate('/workspaces/project/src/deep/file.ts');
+      expect(result.relativePath).toBe('src/deep/file.ts');
+    });
+  });
+
+  describe('Hidden File Handling', () => {
+    it('should block hidden files by default', async () => {
+      const result = await validator.validate('/workspaces/project/.env');
+      expect(result.isValid).toBe(false);
+      expect(result.errors.some(e => e.includes('Hidden'))).toBe(true);
+    });
+
+    it('should block hidden directories by default', async () => {
+      const result = await validator.validate('/workspaces/project/.git/config');
+      expect(result.isValid).toBe(false);
+    });
+
+    it('should allow hidden files when configured', async () => {
+      const hiddenValidator = new PathValidator({
+        allowedPrefixes: [projectRoot],
+        allowHidden: true,
+        blockedNames: [], // Remove .git from blocked names for this test
+        blockedExtensions: [],
+      });
+
+      const result = await hiddenValidator.validate('/workspaces/project/.gitignore');
+      expect(result.isValid).toBe(true);
+    });
+  });
+
+  describe('Blocked Files', () => {
+    it('should block .env files', async () => {
+      const hiddenValidator = new PathValidator({
+        allowedPrefixes: [projectRoot],
+        allowHidden: true,
+      });
+
+      const result = await hiddenValidator.validate('/workspaces/project/config/.env');
+      expect(result.isValid).toBe(false);
+      expect(result.errors.some(e => e.includes('.env'))).toBe(true);
+    });
+
+    it('should block .pem files', async () => {
+      const result = await validator.validate('/workspaces/project/certs/key.pem');
+      expect(result.isValid).toBe(false);
+    });
+
+    it('should block private key files', async () => {
+      const hiddenValidator = new PathValidator({
+        allowedPrefixes: [projectRoot],
+        allowHidden: true,
+      });
+
+      const result = await hiddenValidator.validate('/workspaces/project/.ssh/id_rsa');
+      expect(result.isValid).toBe(false);
+    });
+
+    it('should block .htpasswd files', async () => {
+      const hiddenValidator = new PathValidator({
+        allowedPrefixes: [projectRoot],
+        allowHidden: true,
+      });
+
+      const result = await hiddenValidator.validate('/workspaces/project/.htpasswd');
+      expect(result.isValid).toBe(false);
+    });
+  });
+
+  describe('Path Length', () => {
+    it('should block paths exceeding max length', async () => {
+      const longPath = '/workspaces/project/' + 'a'.repeat(5000);
+      const result = await validator.validate(longPath);
+      expect(result.isValid).toBe(false);
+      expect(result.errors.some(e => e.includes('maximum length'))).toBe(true);
+    });
+
+    it('should allow paths within max length', async () => {
+      const result = await validator.validate('/workspaces/project/src/file.ts');
+      expect(result.isValid).toBe(true);
+    });
+  });
+
+  describe('Empty Path', () => {
+    it('should reject empty path', async () => {
+      const result = await validator.validate('');
+      expect(result.isValid).toBe(false);
+      expect(result.errors).toContain('Path is empty');
+    });
+
+    it('should reject whitespace-only path', async () => {
+      const result = await validator.validate('   ');
+      expect(result.isValid).toBe(false);
+      expect(result.errors).toContain('Path is empty');
+    });
+  });
+
+  describe('Synchronous Validation', () => {
+    it('should validate synchronously', () => {
+      const result = validator.validateSync('/workspaces/project/src/file.ts');
+      expect(result.isValid).toBe(true);
+    });
+
+    it('should detect traversal synchronously', () => {
+      const result = validator.validateSync('/workspaces/project/../etc/passwd');
+      expect(result.isValid).toBe(false);
+    });
+  });
+
+  describe('validateOrThrow', () => {
+    it('should return path when valid', async () => {
+      const resolved = await validator.validateOrThrow('/workspaces/project/src/file.ts');
+      expect(resolved).toBe('/workspaces/project/src/file.ts');
+    });
+
+    it('should throw when invalid', async () => {
+      await expect(
+        validator.validateOrThrow('/etc/passwd')
+      ).rejects.toThrow(PathValidatorError);
+    });
+  });
+
+  describe('securePath', () => {
+    it('should join paths securely', async () => {
+      const resolved = await validator.securePath(projectRoot, 'src', 'file.ts');
+      expect(resolved).toBe('/workspaces/project/src/file.ts');
+    });
+
+    it('should block traversal in segments', async () => {
+      await expect(
+        validator.securePath(projectRoot, '..', 'etc', 'passwd')
+      ).rejects.toThrow(PathValidatorError);
+    });
+  });
+
+  describe('isWithinAllowed', () => {
+    it('should return true for allowed paths', () => {
+      expect(validator.isWithinAllowed('/workspaces/project/src')).toBe(true);
+    });
+
+    it('should return false for disallowed paths', () => {
+      expect(validator.isWithinAllowed('/etc/passwd')).toBe(false);
+    });
+  });
+
+  describe('Factory Functions', () => {
+    it('should create project path validator', () => {
+      const projectValidator = createProjectPathValidator('/workspaces/project');
+      const prefixes = projectValidator.getAllowedPrefixes();
+
+      expect(prefixes).toContain('/workspaces/project/src');
+      expect(prefixes).toContain('/workspaces/project/tests');
+      expect(prefixes).toContain('/workspaces/project/docs');
+    });
+
+    it('should create full project path validator', () => {
+      const fullValidator = createFullProjectPathValidator('/workspaces/project');
+      const prefixes = fullValidator.getAllowedPrefixes();
+
+      expect(prefixes).toContain('/workspaces/project');
+    });
+  });
+
+  describe('HIGH-2 Security Verification', () => {
+    it('should prevent access to system files via traversal', async () => {
+      const attacks = [
+        '../../../etc/passwd',
+        '..\\..\\..\\windows\\system32\\config\\sam',
+        '....//....//....//etc/passwd',
+        '..%252f..%252f..%252fetc/passwd',
+        '..%c0%af..%c0%af..%c0%afetc/passwd',
+      ];
+
+      for (const attack of attacks) {
+        const result = await validator.validate(`/workspaces/project/${attack}`);
+        expect(result.isValid).toBe(false);
+      }
+    });
+
+    it('should resolve symlink-like path attempts', async () => {
+      // Even if the path looks like it's within bounds, resolution should catch escapes
+      const result = await validator.validate('/workspaces/project/symlink/../../../etc/passwd');
+      expect(result.isValid).toBe(false);
+    });
+
+    it('should not allow prefix manipulation', async () => {
+      // Path starts with project root but escapes via traversal
+      const result = await validator.validate('/workspaces/project/../../etc/passwd');
+      expect(result.isValid).toBe(false);
+    });
+  });
+});