@sparkleideas/security 3.0.0-alpha.10

package/__tests__/safe-executor.test.ts

@@ -0,0 +1,292 @@
+/**
+ * Safe Executor Tests - HIGH-1 Remediation Validation
+ *
+ * Tests verify:
+ * - Commands execute without shell
+ * - Command allowlist enforcement
+ * - Argument sanitization
+ * - Dangerous pattern detection
+ */
+
+import { describe, it, expect, beforeEach } from 'vitest';
+import {
+  SafeExecutor,
+  SafeExecutorError,
+  createDevelopmentExecutor,
+  createReadOnlyExecutor,
+} from '../../security/safe-executor.js';
+
+describe('SafeExecutor', () => {
+  let executor: SafeExecutor;
+
+  beforeEach(() => {
+    executor = new SafeExecutor({
+      allowedCommands: ['echo', 'ls', 'git', 'npm', 'node'],
+      timeout: 5000,
+    });
+  });
+
+  describe('Configuration', () => {
+    it('should require at least one allowed command', () => {
+      expect(() => new SafeExecutor({
+        allowedCommands: [],
+      })).toThrow(SafeExecutorError);
+    });
+
+    it('should reject dangerous commands in allowlist', () => {
+      expect(() => new SafeExecutor({
+        allowedCommands: ['rm'],
+      })).toThrow(SafeExecutorError);
+    });
+
+    it('should reject multiple dangerous commands', () => {
+      expect(() => new SafeExecutor({
+        allowedCommands: ['chmod', 'chown', 'rm'],
+      })).toThrow(SafeExecutorError);
+    });
+
+    it('should allow safe commands', () => {
+      expect(() => new SafeExecutor({
+        allowedCommands: ['git', 'npm', 'node'],
+      })).not.toThrow();
+    });
+  });
+
+  describe('Command Validation', () => {
+    it('should allow commands in allowlist', async () => {
+      const result = await executor.execute('echo', ['hello']);
+      expect(result.exitCode).toBe(0);
+      expect(result.stdout.trim()).toBe('hello');
+    });
+
+    it('should block commands not in allowlist', async () => {
+      await expect(executor.execute('cat', ['/etc/passwd'])).rejects.toThrow(SafeExecutorError);
+    });
+
+    it('should block sudo commands by default', async () => {
+      const sudoExecutor = new SafeExecutor({
+        allowedCommands: ['sudo', 'ls'],
+        allowSudo: false,
+      });
+
+      await expect(sudoExecutor.execute('sudo', ['ls'])).rejects.toThrow(SafeExecutorError);
+    });
+
+    it('should allow sudo when configured', async () => {
+      const sudoExecutor = new SafeExecutor({
+        allowedCommands: ['sudo', 'ls'],
+        allowSudo: true,
+      });
+
+      // Will fail due to password requirement, but shouldn't throw allowlist error
+      const error = await sudoExecutor.execute('sudo', ['-n', 'ls']).catch(e => e);
+      if (error instanceof SafeExecutorError) {
+        expect(error.code).not.toBe('SUDO_NOT_ALLOWED');
+      }
+    });
+  });
+
+  describe('Argument Validation', () => {
+    it('should block null bytes in arguments', async () => {
+      await expect(executor.execute('echo', ['hello\x00world'])).rejects.toThrow(SafeExecutorError);
+    });
+
+    it('should block semicolon (command chaining)', async () => {
+      await expect(executor.execute('echo', ['hello; rm -rf /'])).rejects.toThrow(SafeExecutorError);
+    });
+
+    it('should block && (command chaining)', async () => {
+      await expect(executor.execute('echo', ['hello && rm -rf /'])).rejects.toThrow(SafeExecutorError);
+    });
+
+    it('should block || (command chaining)', async () => {
+      await expect(executor.execute('echo', ['hello || rm -rf /'])).rejects.toThrow(SafeExecutorError);
+    });
+
+    it('should block pipe character', async () => {
+      await expect(executor.execute('echo', ['hello | cat'])).rejects.toThrow(SafeExecutorError);
+    });
+
+    it('should block backticks (command substitution)', async () => {
+      await expect(executor.execute('echo', ['`whoami`'])).rejects.toThrow(SafeExecutorError);
+    });
+
+    it('should block $() (command substitution)', async () => {
+      await expect(executor.execute('echo', ['$(whoami)'])).rejects.toThrow(SafeExecutorError);
+    });
+
+    it('should block redirect operators', async () => {
+      await expect(executor.execute('echo', ['hello > /etc/passwd'])).rejects.toThrow(SafeExecutorError);
+    });
+
+    it('should block newlines', async () => {
+      await expect(executor.execute('echo', ['hello\nrm -rf /'])).rejects.toThrow(SafeExecutorError);
+    });
+
+    it('should allow safe arguments', async () => {
+      const result = await executor.execute('echo', ['hello', 'world']);
+      expect(result.exitCode).toBe(0);
+    });
+
+    it('should allow arguments with dashes', async () => {
+      const result = await executor.execute('echo', ['-n', 'hello']);
+      expect(result.exitCode).toBe(0);
+    });
+
+    it('should allow arguments with equals', async () => {
+      const result = await executor.execute('echo', ['KEY=value']);
+      expect(result.exitCode).toBe(0);
+    });
+  });
+
+  describe('Argument Sanitization', () => {
+    it('should sanitize null bytes', () => {
+      const sanitized = executor.sanitizeArgument('hello\x00world');
+      expect(sanitized).not.toContain('\x00');
+    });
+
+    it('should sanitize shell metacharacters', () => {
+      const sanitized = executor.sanitizeArgument('hello; rm -rf /');
+      expect(sanitized).not.toContain(';');
+    });
+  });
+
+  describe('Command Execution', () => {
+    it('should return stdout', async () => {
+      const result = await executor.execute('echo', ['hello']);
+      expect(result.stdout.trim()).toBe('hello');
+    });
+
+    it('should return stderr', async () => {
+      // Use node to generate stderr
+      const result = await executor.execute('node', ['-e', 'console.error("error")']);
+      expect(result.stderr.trim()).toBe('error');
+    });
+
+    it('should return exit code', async () => {
+      const result = await executor.execute('node', ['-e', 'process.exit(42)']);
+      expect(result.exitCode).toBe(42);
+    });
+
+    it('should track execution duration', async () => {
+      const result = await executor.execute('echo', ['hello']);
+      expect(result.duration).toBeGreaterThanOrEqual(0);
+    });
+
+    it('should include command in result', async () => {
+      const result = await executor.execute('echo', ['hello']);
+      expect(result.command).toBe('echo');
+      expect(result.args).toEqual(['hello']);
+    });
+  });
+
+  describe('Timeout Handling', () => {
+    it('should timeout long-running commands', async () => {
+      const shortTimeoutExecutor = new SafeExecutor({
+        allowedCommands: ['node'],
+        timeout: 100,
+      });
+
+      await expect(
+        shortTimeoutExecutor.execute('node', ['-e', 'setTimeout(() => {}, 10000)'])
+      ).rejects.toThrow(SafeExecutorError);
+    });
+  });
+
+  describe('Streaming Execution', () => {
+    it('should return process handle', () => {
+      const streaming = executor.executeStreaming('echo', ['hello']);
+      expect(streaming.process).toBeDefined();
+      expect(streaming.promise).toBeInstanceOf(Promise);
+
+      // Clean up
+      streaming.process.kill();
+    });
+
+    it('should stream stdout', async () => {
+      const streaming = executor.executeStreaming('echo', ['hello']);
+      const result = await streaming.promise;
+      expect(result.stdout.trim()).toBe('hello');
+    });
+  });
+
+  describe('Dynamic Allowlist', () => {
+    it('should check if command is allowed', () => {
+      expect(executor.isCommandAllowed('echo')).toBe(true);
+      expect(executor.isCommandAllowed('cat')).toBe(false);
+    });
+
+    it('should add commands at runtime', () => {
+      expect(executor.isCommandAllowed('pwd')).toBe(false);
+      executor.allowCommand('pwd');
+      expect(executor.isCommandAllowed('pwd')).toBe(true);
+    });
+
+    it('should reject dangerous commands when adding', () => {
+      expect(() => executor.allowCommand('rm')).toThrow(SafeExecutorError);
+    });
+
+    it('should return allowed commands', () => {
+      const commands = executor.getAllowedCommands();
+      expect(commands).toContain('echo');
+      expect(commands).toContain('git');
+    });
+  });
+
+  describe('Factory Functions', () => {
+    it('should create development executor', () => {
+      const devExecutor = createDevelopmentExecutor();
+      expect(devExecutor.isCommandAllowed('git')).toBe(true);
+      expect(devExecutor.isCommandAllowed('npm')).toBe(true);
+      expect(devExecutor.isCommandAllowed('node')).toBe(true);
+    });
+
+    it('should create read-only executor', () => {
+      const readOnlyExecutor = createReadOnlyExecutor();
+      expect(readOnlyExecutor.isCommandAllowed('git')).toBe(true);
+      expect(readOnlyExecutor.isCommandAllowed('cat')).toBe(true);
+      expect(readOnlyExecutor.isCommandAllowed('ls')).toBe(true);
+    });
+  });
+
+  describe('HIGH-1 Security Verification', () => {
+    it('should NOT use shell for execution', async () => {
+      // If shell were enabled, this would be interpreted as command chaining
+      // With shell disabled, it's just a string argument
+      const result = await executor.execute('echo', ['hello']);
+      expect(result.exitCode).toBe(0);
+
+      // This should fail validation before reaching execution
+      await expect(executor.execute('echo', ['hello; cat /etc/passwd'])).rejects.toThrow();
+    });
+
+    it('should prevent command injection via arguments', async () => {
+      // Classic injection attempts
+      const injections = [
+        'hello; rm -rf /',
+        'hello && rm -rf /',
+        'hello || rm -rf /',
+        'hello | rm -rf /',
+        '`rm -rf /`',
+        '$(rm -rf /)',
+        'hello\nrm -rf /',
+        'hello\x00rm -rf /',
+      ];
+
+      for (const injection of injections) {
+        await expect(executor.execute('echo', [injection])).rejects.toThrow(SafeExecutorError);
+      }
+    });
+
+    it('should prevent environment variable injection', async () => {
+      await expect(executor.execute('echo', ['${PATH}'])).rejects.toThrow(SafeExecutorError);
+    });
+
+    it('should not allow arbitrary commands', async () => {
+      // Only commands in allowlist should execute
+      await expect(executor.execute('wget', ['http://evil.com'])).rejects.toThrow(SafeExecutorError);
+      await expect(executor.execute('curl', ['http://evil.com'])).rejects.toThrow(SafeExecutorError);
+      await expect(executor.execute('bash', ['-c', 'rm -rf /'])).rejects.toThrow(SafeExecutorError);
+    });
+  });
+});

package/__tests__/token-generator.test.ts

@@ -0,0 +1,371 @@
+/**
+ * Token Generator Tests
+ *
+ * Tests verify:
+ * - Secure token generation
+ * - Token expiration
+ * - Signed token verification
+ * - Timing-safe comparison
+ */
+
+import { describe, it, expect, beforeEach } from 'vitest';
+import {
+  TokenGenerator,
+  TokenGeneratorError,
+  createTokenGenerator,
+  getDefaultGenerator,
+  quickGenerate,
+} from '../../security/token-generator.js';
+
+describe('TokenGenerator', () => {
+  let generator: TokenGenerator;
+
+  beforeEach(() => {
+    generator = new TokenGenerator({
+      hmacSecret: 'test-secret-key-for-hmac-operations',
+      defaultExpiration: 3600,
+    });
+  });
+
+  describe('Configuration', () => {
+    it('should use default configuration', () => {
+      expect(() => new TokenGenerator()).not.toThrow();
+    });
+
+    it('should reject token length below 16 bytes', () => {
+      expect(() => new TokenGenerator({
+        defaultLength: 8,
+      })).toThrow(TokenGeneratorError);
+    });
+
+    it('should accept custom encoding', () => {
+      const hexGenerator = new TokenGenerator({ encoding: 'hex' });
+      const token = hexGenerator.generate(16);
+      expect(token).toMatch(/^[0-9a-f]+$/);
+    });
+  });
+
+  describe('Token Generation', () => {
+    it('should generate token of specified length', () => {
+      const token = generator.generate(32);
+      // Base64url encoding: 32 bytes = ~43 chars
+      expect(token.length).toBeGreaterThan(40);
+    });
+
+    it('should generate unique tokens', () => {
+      const tokens = new Set<string>();
+      for (let i = 0; i < 100; i++) {
+        tokens.add(generator.generate());
+      }
+      expect(tokens.size).toBe(100);
+    });
+
+    it('should generate URL-safe tokens by default', () => {
+      const token = generator.generate();
+      // Base64url should not contain +, /, or =
+      expect(token).not.toMatch(/[+/=]/);
+    });
+  });
+
+  describe('Token with Expiration', () => {
+    it('should generate token with expiration', () => {
+      const token = generator.generateWithExpiration(3600);
+
+      expect(token.value).toBeDefined();
+      expect(token.createdAt).toBeInstanceOf(Date);
+      expect(token.expiresAt).toBeInstanceOf(Date);
+      expect(token.expiresAt.getTime()).toBeGreaterThan(token.createdAt.getTime());
+    });
+
+    it('should set correct expiration time', () => {
+      const expiration = 3600; // 1 hour
+      const token = generator.generateWithExpiration(expiration);
+
+      const expectedExpiration = Date.now() + expiration * 1000;
+      const actualExpiration = token.expiresAt.getTime();
+
+      expect(Math.abs(actualExpiration - expectedExpiration)).toBeLessThan(100);
+    });
+
+    it('should include metadata when provided', () => {
+      const token = generator.generateWithExpiration(3600, { userId: '123' });
+      expect(token.metadata).toEqual({ userId: '123' });
+    });
+  });
+
+  describe('Session Token', () => {
+    it('should generate session token', () => {
+      const token = generator.generateSessionToken();
+
+      expect(token.value).toBeDefined();
+      expect(token.expiresAt).toBeInstanceOf(Date);
+    });
+  });
+
+  describe('CSRF Token', () => {
+    it('should generate CSRF token', () => {
+      const token = generator.generateCsrfToken();
+
+      expect(token.value).toBeDefined();
+      // 30 minutes expiration
+      const expectedExpiration = Date.now() + 1800 * 1000;
+      expect(Math.abs(token.expiresAt.getTime() - expectedExpiration)).toBeLessThan(100);
+    });
+  });
+
+  describe('API Token', () => {
+    it('should generate API token with prefix', () => {
+      const token = generator.generateApiToken('cf_');
+
+      expect(token.value.startsWith('cf_')).toBe(true);
+    });
+
+    it('should set 1 year expiration', () => {
+      const token = generator.generateApiToken();
+
+      const expectedExpiration = Date.now() + 365 * 24 * 60 * 60 * 1000;
+      expect(Math.abs(token.expiresAt.getTime() - expectedExpiration)).toBeLessThan(1000);
+    });
+  });
+
+  describe('Verification Code', () => {
+    it('should generate numeric code', () => {
+      const code = generator.generateVerificationCode();
+
+      expect(code.code).toMatch(/^\d{6}$/);
+    });
+
+    it('should generate code of specified length', () => {
+      const code = generator.generateVerificationCode(8);
+
+      expect(code.code).toMatch(/^\d{8}$/);
+    });
+
+    it('should set expiration', () => {
+      const code = generator.generateVerificationCode(6, 10);
+
+      const expectedExpiration = Date.now() + 10 * 60 * 1000;
+      expect(Math.abs(code.expiresAt.getTime() - expectedExpiration)).toBeLessThan(100);
+    });
+
+    it('should track attempts', () => {
+      const code = generator.generateVerificationCode(6, 10, 3);
+
+      expect(code.attempts).toBe(0);
+      expect(code.maxAttempts).toBe(3);
+    });
+  });
+
+  describe('Signed Token', () => {
+    it('should generate signed token', () => {
+      const signed = generator.generateSignedToken({ userId: '123' });
+
+      expect(signed.token).toBeDefined();
+      expect(signed.signature).toBeDefined();
+      expect(signed.combined).toBe(`${signed.token}.${signed.signature}`);
+    });
+
+    it('should require HMAC secret', () => {
+      const noSecretGenerator = new TokenGenerator();
+
+      expect(() => noSecretGenerator.generateSignedToken({ userId: '123' }))
+        .toThrow(TokenGeneratorError);
+    });
+
+    it('should verify valid signed token', () => {
+      const signed = generator.generateSignedToken({ userId: '123' });
+      const payload = generator.verifySignedToken(signed.combined);
+
+      expect(payload).not.toBeNull();
+      expect((payload as any).userId).toBe('123');
+    });
+
+    it('should reject tampered token', () => {
+      const signed = generator.generateSignedToken({ userId: '123' });
+
+      // Tamper with the token
+      const tampered = 'tampered' + signed.combined.slice(8);
+      const payload = generator.verifySignedToken(tampered);
+
+      expect(payload).toBeNull();
+    });
+
+    it('should reject tampered signature', () => {
+      const signed = generator.generateSignedToken({ userId: '123' });
+
+      // Tamper with signature
+      const parts = signed.combined.split('.');
+      const tampered = `${parts[0]}.tampered${parts[1].slice(8)}`;
+      const payload = generator.verifySignedToken(tampered);
+
+      expect(payload).toBeNull();
+    });
+
+    it('should reject expired signed token', async () => {
+      const signed = generator.generateSignedToken({ userId: '123' }, 1); // 1 second
+
+      // Wait for expiration
+      await new Promise(resolve => setTimeout(resolve, 1100));
+
+      const payload = generator.verifySignedToken(signed.combined);
+      expect(payload).toBeNull();
+    });
+
+    it('should reject malformed token', () => {
+      expect(generator.verifySignedToken('not.a.valid.token')).toBeNull();
+      expect(generator.verifySignedToken('invalid')).toBeNull();
+      expect(generator.verifySignedToken('')).toBeNull();
+    });
+  });
+
+  describe('Token Pair', () => {
+    it('should generate access and refresh tokens', () => {
+      const pair = generator.generateTokenPair();
+
+      expect(pair.accessToken.value).toBeDefined();
+      expect(pair.refreshToken.value).toBeDefined();
+    });
+
+    it('should set different expirations', () => {
+      const pair = generator.generateTokenPair();
+
+      // Access token: 15 minutes
+      const accessExpiration = Date.now() + 900 * 1000;
+      expect(Math.abs(pair.accessToken.expiresAt.getTime() - accessExpiration)).toBeLessThan(100);
+
+      // Refresh token: 7 days
+      const refreshExpiration = Date.now() + 604800 * 1000;
+      expect(Math.abs(pair.refreshToken.expiresAt.getTime() - refreshExpiration)).toBeLessThan(100);
+    });
+  });
+
+  describe('Specialized Tokens', () => {
+    it('should generate password reset token', () => {
+      const token = generator.generatePasswordResetToken();
+
+      expect(token.value).toBeDefined();
+      // 30 minutes
+      const expectedExpiration = Date.now() + 1800 * 1000;
+      expect(Math.abs(token.expiresAt.getTime() - expectedExpiration)).toBeLessThan(100);
+    });
+
+    it('should generate email verification token', () => {
+      const token = generator.generateEmailVerificationToken();
+
+      expect(token.value).toBeDefined();
+      // 24 hours
+      const expectedExpiration = Date.now() + 86400 * 1000;
+      expect(Math.abs(token.expiresAt.getTime() - expectedExpiration)).toBeLessThan(100);
+    });
+
+    it('should generate request ID', () => {
+      const requestId = generator.generateRequestId();
+
+      expect(requestId).toBeDefined();
+      expect(requestId.length).toBeLessThan(20); // Shorter for logging
+    });
+
+    it('should generate correlation ID', () => {
+      const correlationId = generator.generateCorrelationId();
+
+      expect(correlationId).toBeDefined();
+      expect(correlationId).toContain('-'); // timestamp-random format
+    });
+  });
+
+  describe('Token Expiration Check', () => {
+    it('should detect expired token', async () => {
+      const token = generator.generateWithExpiration(1); // 1 second
+
+      expect(generator.isExpired(token)).toBe(false);
+
+      await new Promise(resolve => setTimeout(resolve, 1100));
+
+      expect(generator.isExpired(token)).toBe(true);
+    });
+
+    it('should detect valid token', () => {
+      const token = generator.generateWithExpiration(3600);
+      expect(generator.isExpired(token)).toBe(false);
+    });
+  });
+
+  describe('Token Comparison', () => {
+    it('should compare equal tokens', () => {
+      const token = generator.generate();
+      expect(generator.compare(token, token)).toBe(true);
+    });
+
+    it('should reject different tokens', () => {
+      const token1 = generator.generate();
+      const token2 = generator.generate();
+      expect(generator.compare(token1, token2)).toBe(false);
+    });
+
+    it('should reject different length tokens', () => {
+      expect(generator.compare('short', 'longer-token')).toBe(false);
+    });
+
+    it('should use timing-safe comparison', () => {
+      // This test verifies the comparison takes consistent time
+      // regardless of where the mismatch occurs
+      const token = generator.generate();
+      const mismatchEarly = 'X' + token.slice(1);
+      const mismatchLate = token.slice(0, -1) + 'X';
+
+      // Both comparisons should work (timing consistency is internal)
+      expect(generator.compare(token, mismatchEarly)).toBe(false);
+      expect(generator.compare(token, mismatchLate)).toBe(false);
+    });
+  });
+
+  describe('Factory Functions', () => {
+    it('should create generator with factory', () => {
+      const gen = createTokenGenerator('secret');
+      expect(gen).toBeInstanceOf(TokenGenerator);
+    });
+
+    it('should get default generator singleton', () => {
+      const gen1 = getDefaultGenerator();
+      const gen2 = getDefaultGenerator();
+      expect(gen1).toBe(gen2);
+    });
+  });
+
+  describe('Quick Generate Functions', () => {
+    it('should generate token', () => {
+      const token = quickGenerate.token();
+      expect(token).toBeDefined();
+    });
+
+    it('should generate session token', () => {
+      const token = quickGenerate.sessionToken();
+      expect(token.value).toBeDefined();
+    });
+
+    it('should generate CSRF token', () => {
+      const token = quickGenerate.csrfToken();
+      expect(token.value).toBeDefined();
+    });
+
+    it('should generate API token', () => {
+      const token = quickGenerate.apiToken('cf_');
+      expect(token.value.startsWith('cf_')).toBe(true);
+    });
+
+    it('should generate verification code', () => {
+      const code = quickGenerate.verificationCode();
+      expect(code.code).toMatch(/^\d{6}$/);
+    });
+
+    it('should generate request ID', () => {
+      const id = quickGenerate.requestId();
+      expect(id).toBeDefined();
+    });
+
+    it('should generate correlation ID', () => {
+      const id = quickGenerate.correlationId();
+      expect(id).toBeDefined();
+    });
+  });
+});