npm - @tellescope/sdk - Versions diffs - 1.251.0 → 1.252.0 - Mend

@tellescope/sdk 1.251.0 → 1.252.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (89) hide show

package/lib/cjs/tests/api_tests/security/F-0013-sanitize-user-html.test.js ADDED Viewed

@@ -0,0 +1,148 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __generator = (this && this.__generator) || function (thisArg, body) {
+    var _ = { label: 0, sent: function() { if (t[0] & 1) throw t[1]; return t[1]; }, trys: [], ops: [] }, f, y, t, g;
+    return g = { next: verb(0), "throw": verb(1), "return": verb(2) }, typeof Symbol === "function" && (g[Symbol.iterator] = function() { return this; }), g;
+    function verb(n) { return function (v) { return step([n, v]); }; }
+    function step(op) {
+        if (f) throw new TypeError("Generator is already executing.");
+        while (g && (g = 0, op[0] && (_ = 0)), _) try {
+            if (f = 1, y && (t = op[0] & 2 ? y["return"] : op[0] ? y["throw"] || ((t = y["return"]) && t.call(y), 0) : y.next) && !(t = t.call(y, op[1])).done) return t;
+            if (y = 0, t) op = [op[0] & 2, t.value];
+            switch (op[0]) {
+                case 0: case 1: t = op; break;
+                case 4: _.label++; return { value: op[1], done: false };
+                case 5: _.label++; y = op[1]; op = [0]; continue;
+                case 7: op = _.ops.pop(); _.trys.pop(); continue;
+                default:
+                    if (!(t = _.trys, t = t.length > 0 && t[t.length - 1]) && (op[0] === 6 || op[0] === 2)) { _ = 0; continue; }
+                    if (op[0] === 3 && (!t || (op[1] > t[0] && op[1] < t[3]))) { _.label = op[1]; break; }
+                    if (op[0] === 6 && _.label < t[1]) { _.label = t[1]; t = op; break; }
+                    if (t && _.label < t[2]) { _.label = t[2]; _.ops.push(op); break; }
+                    if (t[2]) _.ops.pop();
+                    _.trys.pop(); continue;
+            }
+            op = body.call(thisArg, _);
+        } catch (e) { op = [6, e]; y = 0; } finally { f = t = 0; }
+        if (op[0] & 5) throw op[1]; return { value: op[0] ? op[1] : void 0, done: true };
+    }
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.sanitize_user_html_xss_tests = void 0;
+var utilities_1 = require("@tellescope/utilities");
+// Regression test for F-0013 / F-0014 (pattern 06 — XSS via dangerouslySetInnerHTML).
+// sanitize_user_html is the canonical render-time sanitizer that replaced remove_script_tags
+// at every dangerouslySetInnerHTML sink. This asserts it neutralizes XSS vectors (incl. encoded /
+// whitespace / mixed-case / iframe-srcdoc bypass variants) while preserving legitimate
+// customization HTML (tables, headings, lists, links, images, inline styles).
+//
+// Pure-function test — no Session needed. Runs as part of the main suite and standalone:
+//   ./build_cjs.sh && cd packages/public/sdk && node -r dotenv/config lib/cjs/tests/api_tests/security/F-0013-sanitize-user-html.test.js
+var fail = function (msg) { throw new Error(msg); };
+var has_no_executable_vector = function (out) {
+    var o = out.toLowerCase();
+    // A handler smuggled into an attribute VALUE (e.g. title="&lt;img onerror=...&gt;") is inert
+    // text — strip quoted values before checking for *live* on*= attributes to avoid false positives.
+    var withoutValues = o.replace(/"[^"]*"/g, '""').replace(/'[^']*'/g, "''");
+    return !/\son[a-z]+\s*=/.test(withoutValues) // no live on*= event-handler attribute
+        && !o.includes('javascript:') // dropped schemes never appear in safe output
+        && !o.includes('vbscript:')
+        && !o.includes('<script') // literal dangerous tags (encoded &lt;script is fine)
+        && !o.includes('<iframe')
+        && !o.includes('<svg')
+        && !o.includes('<math')
+        && !o.includes('<object')
+        && !o.includes('<embed')
+        && !o.includes('<form')
+        && !o.includes('<noscript')
+        && !o.includes('<template');
+};
+var sanitize_user_html_xss_tests = function () { return __awaiter(void 0, void 0, void 0, function () {
+    var xssPayloads, _i, xssPayloads_1, _a, name_1, payload, out, clobber, heading, table, list, link, img, dataimg, fmt, mixed;
+    return __generator(this, function (_b) {
+        console.log("Running F-0013/F-0014 sanitize_user_html XSS regression tests");
+        xssPayloads = [
+            ['img onerror', "<img src=x onerror=\"alert(document.domain)\">"],
+            ['svg onload', "<svg onload=\"alert(1)\"></svg>"],
+            ['svg animate onbegin', "<svg><animate onbegin=\"alert(1)\" attributeName=\"x\" dur=\"1s\"></svg>"],
+            ['details ontoggle', "<details open ontoggle=\"alert(1)\"></details>"],
+            ['input onfocus autofocus', "<input autofocus onfocus=\"alert(1)\">"],
+            ['body onpageshow', "<body onpageshow=\"alert(1)\">"],
+            ['a javascript scheme', "<a href=\"javascript:alert(1)\">x</a>"],
+            ['a javascript entity-encoded', "<a href=\"jav&#x09;ascript:alert(1)\">x</a>"],
+            ['iframe javascript src', "<iframe src=\"javascript:alert(1)\"></iframe>"],
+            ['iframe srcdoc nested', "<iframe srcdoc=\"<img src=x onerror=alert(1)>\"></iframe>"],
+            ['script tag', "<script>alert(1)</script>"],
+            ['onerror newline before =', "<img src=x onerror\n=\"alert(1)\">"],
+            ['onerror mixed case', "<IMG SRC=x OnErRoR=\"alert(1)\">"],
+            ['marquee onstart', "<marquee onstart=\"alert(1)\">x</marquee>"],
+            // mutation / namespace confusion — svg/math/noscript/template must be stripped
+            ['mathml mglyph style mxss', "<math><mtext><table><mglyph><style><!--</style><img src=x onerror=alert(1)>"],
+            ['svg foreignObject', "<svg><foreignObject><img src=x onerror=alert(1)></foreignObject></svg>"],
+            ['noscript context confusion', "<noscript><p title=\"</noscript><img src=x onerror=alert(1)>\">"],
+            ['template content', "<template><img src=x onerror=alert(1)></template>"],
+            // comment / CDATA confusion
+            ['comment confusion', "<!--><img src=x onerror=alert(1)>-->"],
+            ['cdata confusion', "<![CDATA[<img src=x onerror=alert(1)>]]>"],
+            // markup smuggled inside an attribute value must stay inert
+            ['markup inside attr value', "<img src=\"x\" alt=\"<script>alert(1)</script>\">"],
+            // protocol obfuscation
+            ['vbscript scheme', "<a href=\"vbscript:msgbox(1)\">x</a>"],
+            ['data text/html href', "<a href=\"data:text/html,<script>alert(1)</script>\">x</a>"],
+            ['javascript decimal entity', "<a href=\"&#74;avascript:alert(1)\">x</a>"],
+            ['javascript newline entity', "<a href=\"jav&#x0A;ascript:alert(1)\">x</a>"],
+        ];
+        for (_i = 0, xssPayloads_1 = xssPayloads; _i < xssPayloads_1.length; _i++) {
+            _a = xssPayloads_1[_i], name_1 = _a[0], payload = _a[1];
+            out = (0, utilities_1.sanitize_user_html)(payload);
+            if (!has_no_executable_vector(out))
+                fail("XSS not neutralized [".concat(name_1, "] -> ").concat(out));
+        }
+        clobber = (0, utilities_1.sanitize_user_html)("<a id=\"x\" name=\"getElementById\">link</a><img name=\"y\">");
+        if (/\b(id|name)\s*=/.test(clobber))
+            fail("id/name not stripped (DOM clobbering): ".concat(clobber));
+        heading = (0, utilities_1.sanitize_user_html)("<h1>Welcome</h1><h3 style=\"color:#333\">Sub</h3>");
+        if (!(heading.includes('<h1>') && heading.includes('<h3') && heading.toLowerCase().includes('color')))
+            fail("headings/style stripped: ".concat(heading));
+        table = (0, utilities_1.sanitize_user_html)("<table><thead><tr><th>H</th></tr></thead><tbody><tr><td style=\"padding:4px\" colspan=\"2\">cell</td></tr></tbody></table>");
+        if (!(table.includes('<table') && table.includes('<td') && table.includes('colspan')))
+            fail("table stripped: ".concat(table));
+        list = (0, utilities_1.sanitize_user_html)("<ul><li>a</li></ul><ol start=\"3\"><li>c</li></ol>");
+        if (!(list.includes('<ul') && list.includes('<li') && list.includes('<ol')))
+            fail("list stripped: ".concat(list));
+        link = (0, utilities_1.sanitize_user_html)("<a href=\"https://example.com\">link</a>");
+        if (!link.includes('href="https://example.com"'))
+            fail("safe link stripped: ".concat(link));
+        if (!link.toLowerCase().includes('noopener'))
+            fail("external link not hardened: ".concat(link));
+        img = (0, utilities_1.sanitize_user_html)("<img src=\"https://cdn.example.com/a.png\" alt=\"pic\" width=\"200\">");
+        if (!(img.includes('src="https://cdn.example.com/a.png"') && img.includes('alt="pic"')))
+            fail("http image stripped: ".concat(img));
+        dataimg = (0, utilities_1.sanitize_user_html)("<img src=\"data:image/png;base64,iVBORw0KGgo=\">");
+        if (!dataimg.includes('data:image/png'))
+            fail("data: image stripped: ".concat(dataimg));
+        fmt = (0, utilities_1.sanitize_user_html)("<p><strong>b</strong> <em>i</em> <span style=\"font-size:14px\">s</span></p><blockquote>q</blockquote>");
+        if (!(fmt.includes('<strong>') && fmt.includes('<span') && fmt.toLowerCase().includes('font-size')))
+            fail("formatting stripped: ".concat(fmt));
+        mixed = (0, utilities_1.sanitize_user_html)("<p>Hello <b>name</b></p><img src=x onerror=\"steal()\">");
+        if (!(mixed.includes('<b>name</b>') && !/\son[a-z]+\s*=/.test(mixed.toLowerCase())))
+            fail("mixed content not handled: ".concat(mixed));
+        console.log("✅ F-0013/F-0014 sanitize_user_html XSS regression tests passed");
+        return [2 /*return*/];
+    });
+}); };
+exports.sanitize_user_html_xss_tests = sanitize_user_html_xss_tests;
+if (require.main === module) {
+    (0, exports.sanitize_user_html_xss_tests)()
+        .then(function () { console.log("✅ suite completed"); process.exit(0); })
+        .catch(function (err) { console.error("❌ suite failed:", err); process.exit(1); });
+}
+//# sourceMappingURL=F-0013-sanitize-user-html.test.js.map

package/lib/cjs/tests/api_tests/security/F-0013-sanitize-user-html.test.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"F-0013-sanitize-user-html.test.js","sourceRoot":"","sources":["../../../../../src/tests/api_tests/security/F-0013-sanitize-user-html.test.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,mDAA0D;AAE1D,sFAAsF;AACtF,6FAA6F;AAC7F,kGAAkG;AAClG,uFAAuF;AACvF,8EAA8E;AAC9E,EAAE;AACF,yFAAyF;AACzF,yIAAyI;AAEzI,IAAM,IAAI,GAAG,UAAC,GAAW,IAAO,MAAM,IAAI,KAAK,CAAC,GAAG,CAAC,CAAA,CAAC,CAAC,CAAA;AAEtD,IAAM,wBAAwB,GAAG,UAAC,GAAW;IAC3C,IAAM,CAAC,GAAG,GAAG,CAAC,WAAW,EAAE,CAAA;IAC3B,6FAA6F;IAC7F,kGAAkG;IAClG,IAAM,aAAa,GAAG,CAAC,CAAC,OAAO,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC,OAAO,CAAC,UAAU,EAAE,IAAI,CAAC,CAAA;IAC3E,OAAO,CAAC,gBAAgB,CAAC,IAAI,CAAC,aAAa,CAAC,CAAG,uCAAuC;WAC/E,CAAC,CAAC,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAc,8CAA8C;WACtF,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC;WACxB,CAAC,CAAC,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAkB,sDAAsD;WAC9F,CAAC,CAAC,CAAC,QAAQ,CAAC,SAAS,CAAC;WACtB,CAAC,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC;WACnB,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC;WACpB,CAAC,CAAC,CAAC,QAAQ,CAAC,SAAS,CAAC;WACtB,CAAC,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC;WACrB,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC;WACpB,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC;WACxB,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAA;AACjC,CAAC,CAAA;AAEM,IAAM,4BAA4B,GAAG;;;QAC1C,OAAO,CAAC,GAAG,CAAC,+DAA+D,CAAC,CAAA;QAEtE,WAAW,GAAuB;YACtC,CAAC,aAAa,EAAE,gDAA8C,CAAC;YAC/D,CAAC,YAAY,EAAE,iCAA+B,CAAC;YAC/C,CAAC,qBAAqB,EAAE,0EAAoE,CAAC;YAC7F,CAAC,kBAAkB,EAAE,gDAA8C,CAAC;YACpE,CAAC,yBAAyB,EAAE,wCAAsC,CAAC;YACnE,CAAC,iBAAiB,EAAE,gCAA8B,CAAC;YACnD,CAAC,qBAAqB,EAAE,uCAAqC,CAAC;YAC9D,CAAC,6BAA6B,EAAE,6CAA2C,CAAC;YAC5E,CAAC,uBAAuB,EAAE,+CAA6C,CAAC;YACxE,CAAC,sBAAsB,EAAE,2DAAyD,CAAC;YACnF,CAAC,YAAY,EAAE,2BAA2B,CAAC;YAC3C,CAAC,0BAA0B,EAAE,oCAAkC,CAAC;YAChE,CAAC,oBAAoB,EAAE,kCAAgC,CAAC;YACxD,CAAC,iBAAiB,EAAE,2CAAyC,CAAC;YAC9D,+EAA+E;YAC/E,CAAC,0BAA0B,EAAE,6EAA6E,CAAC;YAC3G,CAAC,mBAAmB,EAAE,wEAAwE,CAAC;YAC/F,CAAC,4BAA4B,EAAE,iEAA+D,CAAC;YAC/F,CAAC,kBAAkB,EAAE,mDAAmD,CAAC;YACzE,4BAA4B;YAC5B,CAAC,mBAAmB,EAAE,sCAAsC,CAAC;YAC7D,CAAC,iBAAiB,EAAE,0CAA0C,CAAC;YAC/D,4DAA4D;YAC5D,CAAC,0BAA0B,EAAE,mDAA+C,CAAC;YAC7E,uBAAuB;YACvB,CAAC,iBAAiB,EAAE,sCAAoC,CAAC;YACzD,CAAC,qBAAqB,EAAE,4DAA0D,CAAC;YACnF,CAAC,2BAA2B,EAAE,2CAAyC,CAAC;YACxE,CAAC,2BAA2B,EAAE,6CAA2C,CAAC;SAC3E,CAAA;QACD,WAAyC,EAAX,2BAAW,EAAX,yBAAW,EAAX,IAAW,EAAE;YAAhC,sBAAe,EAAd,cAAI,EAAE,OAAO,QAAA;YACjB,GAAG,GAAG,IAAA,8BAAkB,EAAC,OAAO,CAAC,CAAA;YACvC,IAAI,CAAC,wBAAwB,CAAC,GAAG,CAAC;gBAAE,IAAI,CAAC,+BAAwB,MAAI,kBAAQ,GAAG,CAAE,CAAC,CAAA;SACpF;QAGK,OAAO,GAAG,IAAA,8BAAkB,EAAC,8DAAwD,CAAC,CAAA;QAC5F,IAAI,iBAAiB,CAAC,IAAI,CAAC,OAAO,CAAC;YAAE,IAAI,CAAC,iDAA0C,OAAO,CAAE,CAAC,CAAA;QAGxF,OAAO,GAAG,IAAA,8BAAkB,EAAC,mDAAiD,CAAC,CAAA;QACrF,IAAI,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;YAAE,IAAI,CAAC,mCAA4B,OAAO,CAAE,CAAC,CAAA;QAE5I,KAAK,GAAG,IAAA,8BAAkB,EAAC,4HAAwH,CAAC,CAAA;QAC1J,IAAI,CAAC,CAAC,KAAK,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;YAAE,IAAI,CAAC,0BAAmB,KAAK,CAAE,CAAC,CAAA;QAEjH,IAAI,GAAG,IAAA,8BAAkB,EAAC,oDAAkD,CAAC,CAAA;QACnF,IAAI,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;YAAE,IAAI,CAAC,yBAAkB,IAAI,CAAE,CAAC,CAAA;QAErG,IAAI,GAAG,IAAA,8BAAkB,EAAC,0CAAwC,CAAC,CAAA;QACzE,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,4BAA4B,CAAC;YAAE,IAAI,CAAC,8BAAuB,IAAI,CAAE,CAAC,CAAA;QACrF,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,UAAU,CAAC;YAAE,IAAI,CAAC,sCAA+B,IAAI,CAAE,CAAC,CAAA;QAEnF,GAAG,GAAG,IAAA,8BAAkB,EAAC,uEAAiE,CAAC,CAAA;QACjG,IAAI,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,qCAAqC,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;YAAE,IAAI,CAAC,+BAAwB,GAAG,CAAE,CAAC,CAAA;QAEtH,OAAO,GAAG,IAAA,8BAAkB,EAAC,kDAAgD,CAAC,CAAA;QACpF,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAC;YAAE,IAAI,CAAC,gCAAyB,OAAO,CAAE,CAAC,CAAA;QAE3E,GAAG,GAAG,IAAA,8BAAkB,EAAC,wGAAsG,CAAC,CAAA;QACtI,IAAI,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,GAAG,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;YAAE,IAAI,CAAC,+BAAwB,GAAG,CAAE,CAAC,CAAA;QAElI,KAAK,GAAG,IAAA,8BAAkB,EAAC,yDAAuD,CAAC,CAAA;QACzF,IAAI,CAAC,CAAC,KAAK,CAAC,QAAQ,CAAC,aAAa,CAAC,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,CAAC;YAAE,IAAI,CAAC,qCAA8B,KAAK,CAAE,CAAC,CAAA;QAEhI,OAAO,CAAC,GAAG,CAAC,gEAAgE,CAAC,CAAA;;;KAC9E,CAAA;AAtEY,QAAA,4BAA4B,gCAsExC;AAED,IAAI,OAAO,CAAC,IAAI,KAAK,MAAM,EAAE;IAC3B,IAAA,oCAA4B,GAAE;SAC3B,IAAI,CAAC,cAAQ,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA,CAAC,CAAC,CAAC;SACjE,KAAK,CAAC,UAAC,GAAG,IAAO,OAAO,CAAC,KAAK,CAAC,iBAAiB,EAAE,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA,CAAC,CAAC,CAAC,CAAA;CAC9E"}

package/lib/cjs/tests/api_tests/security/F-0016-prototype-pollution.test.d.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ export declare const prototype_pollution_tests: () => Promise<void>;
2	+ //# sourceMappingURL=F-0016-prototype-pollution.test.d.ts.map

package/lib/cjs/tests/api_tests/security/F-0016-prototype-pollution.test.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"F-0016-prototype-pollution.test.d.ts","sourceRoot":"","sources":["../../../../../src/tests/api_tests/security/F-0016-prototype-pollution.test.ts"],"names":[],"mappings":"AAWA,eAAO,MAAM,yBAAyB,qBAgCrC,CAAA"}

package/lib/cjs/tests/api_tests/security/F-0016-prototype-pollution.test.js ADDED Viewed

@@ -0,0 +1,88 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __generator = (this && this.__generator) || function (thisArg, body) {
+    var _ = { label: 0, sent: function() { if (t[0] & 1) throw t[1]; return t[1]; }, trys: [], ops: [] }, f, y, t, g;
+    return g = { next: verb(0), "throw": verb(1), "return": verb(2) }, typeof Symbol === "function" && (g[Symbol.iterator] = function() { return this; }), g;
+    function verb(n) { return function (v) { return step([n, v]); }; }
+    function step(op) {
+        if (f) throw new TypeError("Generator is already executing.");
+        while (g && (g = 0, op[0] && (_ = 0)), _) try {
+            if (f = 1, y && (t = op[0] & 2 ? y["return"] : op[0] ? y["throw"] || ((t = y["return"]) && t.call(y), 0) : y.next) && !(t = t.call(y, op[1])).done) return t;
+            if (y = 0, t) op = [op[0] & 2, t.value];
+            switch (op[0]) {
+                case 0: case 1: t = op; break;
+                case 4: _.label++; return { value: op[1], done: false };
+                case 5: _.label++; y = op[1]; op = [0]; continue;
+                case 7: op = _.ops.pop(); _.trys.pop(); continue;
+                default:
+                    if (!(t = _.trys, t = t.length > 0 && t[t.length - 1]) && (op[0] === 6 || op[0] === 2)) { _ = 0; continue; }
+                    if (op[0] === 3 && (!t || (op[1] > t[0] && op[1] < t[3]))) { _.label = op[1]; break; }
+                    if (op[0] === 6 && _.label < t[1]) { _.label = t[1]; t = op; break; }
+                    if (t && _.label < t[2]) { _.label = t[2]; _.ops.push(op); break; }
+                    if (t[2]) _.ops.pop();
+                    _.trys.pop(); continue;
+            }
+            op = body.call(thisArg, _);
+        } catch (e) { op = [6, e]; y = 0; } finally { f = t = 0; }
+        if (op[0] & 5) throw op[1]; return { value: op[0] ? op[1] : void 0, done: true };
+    }
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.prototype_pollution_tests = void 0;
+var utilities_1 = require("@tellescope/utilities");
+// Regression test for F-0016 (pattern 17 — prototype pollution).
+// add_value_for_dotted_key must NOT write through __proto__/constructor/prototype path segments
+// (which would pollute Object.prototype process-wide), while still performing legitimate dotted assignment.
+//
+// Pure-function test — no Session needed. Runs in the main suite and standalone:
+//   ./build_cjs.sh && cd packages/public/sdk && node -r dotenv/config lib/cjs/tests/api_tests/security/F-0016-prototype-pollution.test.js
+var fail = function (msg) { throw new Error(msg); };
+var prototype_pollution_tests = function () { return __awaiter(void 0, void 0, void 0, function () {
+    var leakedA, leakedB, leakedC, obj, flat;
+    return __generator(this, function (_a) {
+        console.log("Running F-0016 prototype-pollution regression tests");
+        // 1. __proto__ path must not pollute Object.prototype
+        (0, utilities_1.add_value_for_dotted_key)({ insurance: {} }, 'insurance.__proto__.__pp_a__', 'polluted');
+        leakedA = {}.__pp_a__;
+        delete Object.prototype.__pp_a__; // clean up regardless, so a failure here can't contaminate the rest of the suite
+        if (leakedA !== undefined)
+            fail('Object.prototype polluted via __proto__ path');
+        // 2. constructor.prototype path must not pollute
+        (0, utilities_1.add_value_for_dotted_key)({ insurance: {} }, 'insurance.constructor.prototype.__pp_b__', 'polluted');
+        leakedB = {}.__pp_b__;
+        delete Object.prototype.__pp_b__;
+        if (leakedB !== undefined)
+            fail('Object.prototype polluted via constructor.prototype path');
+        // 3. a leading __proto__ segment must not pollute either
+        (0, utilities_1.add_value_for_dotted_key)({}, '__proto__.__pp_c__', 'polluted');
+        leakedC = {}.__pp_c__;
+        delete Object.prototype.__pp_c__;
+        if (leakedC !== undefined)
+            fail('Object.prototype polluted via leading __proto__ segment');
+        obj = { a: { b: {} } };
+        (0, utilities_1.add_value_for_dotted_key)(obj, 'a.b.c', 42);
+        if (obj.a.b.c !== 42)
+            fail('legitimate dotted assignment broke');
+        flat = {};
+        (0, utilities_1.add_value_for_dotted_key)(flat, 'name', 'ok');
+        if (flat.name !== 'ok')
+            fail('single-key assignment broke');
+        console.log("✅ F-0016 prototype-pollution regression tests passed");
+        return [2 /*return*/];
+    });
+}); };
+exports.prototype_pollution_tests = prototype_pollution_tests;
+if (require.main === module) {
+    (0, exports.prototype_pollution_tests)()
+        .then(function () { console.log("✅ suite completed"); process.exit(0); })
+        .catch(function (err) { console.error("❌ suite failed:", err); process.exit(1); });
+}
+//# sourceMappingURL=F-0016-prototype-pollution.test.js.map

package/lib/cjs/tests/api_tests/security/F-0016-prototype-pollution.test.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"F-0016-prototype-pollution.test.js","sourceRoot":"","sources":["../../../../../src/tests/api_tests/security/F-0016-prototype-pollution.test.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,mDAAgE;AAEhE,iEAAiE;AACjE,gGAAgG;AAChG,4GAA4G;AAC5G,EAAE;AACF,iFAAiF;AACjF,0IAA0I;AAE1I,IAAM,IAAI,GAAG,UAAC,GAAW,IAAO,MAAM,IAAI,KAAK,CAAC,GAAG,CAAC,CAAA,CAAC,CAAC,CAAA;AAE/C,IAAM,yBAAyB,GAAG;;;QACvC,OAAO,CAAC,GAAG,CAAC,qDAAqD,CAAC,CAAA;QAElE,sDAAsD;QACtD,IAAA,oCAAwB,EAAC,EAAE,SAAS,EAAE,EAAE,EAAS,EAAE,8BAA8B,EAAE,UAAU,CAAC,CAAA;QACxF,OAAO,GAAI,EAAU,CAAC,QAAQ,CAAA;QACpC,OAAQ,MAAM,CAAC,SAAiB,CAAC,QAAQ,CAAA,CAAC,iFAAiF;QAC3H,IAAI,OAAO,KAAK,SAAS;YAAE,IAAI,CAAC,8CAA8C,CAAC,CAAA;QAE/E,iDAAiD;QACjD,IAAA,oCAAwB,EAAC,EAAE,SAAS,EAAE,EAAE,EAAS,EAAE,0CAA0C,EAAE,UAAU,CAAC,CAAA;QACpG,OAAO,GAAI,EAAU,CAAC,QAAQ,CAAA;QACpC,OAAQ,MAAM,CAAC,SAAiB,CAAC,QAAQ,CAAA;QACzC,IAAI,OAAO,KAAK,SAAS;YAAE,IAAI,CAAC,0DAA0D,CAAC,CAAA;QAE3F,yDAAyD;QACzD,IAAA,oCAAwB,EAAC,EAAS,EAAE,oBAAoB,EAAE,UAAU,CAAC,CAAA;QAC/D,OAAO,GAAI,EAAU,CAAC,QAAQ,CAAA;QACpC,OAAQ,MAAM,CAAC,SAAiB,CAAC,QAAQ,CAAA;QACzC,IAAI,OAAO,KAAK,SAAS;YAAE,IAAI,CAAC,yDAAyD,CAAC,CAAA;QAGpF,GAAG,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,EAAE,EAAE,EAAE,EAAS,CAAA;QACnC,IAAA,oCAAwB,EAAC,GAAG,EAAE,OAAO,EAAE,EAAE,CAAC,CAAA;QAC1C,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,EAAE;YAAE,IAAI,CAAC,oCAAoC,CAAC,CAAA;QAG1D,IAAI,GAAG,EAAS,CAAA;QACtB,IAAA,oCAAwB,EAAC,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,CAAA;QAC5C,IAAI,IAAI,CAAC,IAAI,KAAK,IAAI;YAAE,IAAI,CAAC,6BAA6B,CAAC,CAAA;QAE3D,OAAO,CAAC,GAAG,CAAC,sDAAsD,CAAC,CAAA;;;KACpE,CAAA;AAhCY,QAAA,yBAAyB,6BAgCrC;AAED,IAAI,OAAO,CAAC,IAAI,KAAK,MAAM,EAAE;IAC3B,IAAA,iCAAyB,GAAE;SACxB,IAAI,CAAC,cAAQ,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA,CAAC,CAAC,CAAC;SACjE,KAAK,CAAC,UAAC,GAAG,IAAO,OAAO,CAAC,KAAK,CAAC,iBAAiB,EAAE,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA,CAAC,CAAC,CAAC,CAAA;CAC9E"}

package/lib/cjs/tests/tests.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"tests.d.ts","sourceRoot":"","sources":["../../../src/tests/tests.ts"],"names":[],"mappings":"~~AAqyEA~~,eAAO,MAAM,kCAAkC,qBAgJ9C,CAAA;AAED,eAAO,MAAM,mCAAmC,qBA2K/C,CAAA;AAGD,eAAO,MAAM,oBAAoB,qBAoHhC,CAAA;AAED,eAAO,MAAM,+BAA+B,qBAsF3C,CAAA;AAID,eAAO,MAAM,0BAA0B,qBAqCtC,CAAA;AA8vED,eAAO,MAAM,cAAc,qBAqC1B,CAAA;AAotBD,eAAO,MAAM,0BAA0B,qBAmFtC,CAAA;AAqED,eAAO,MAAM,eAAe,qBAmD3B,CAAA;AAED,eAAO,MAAM,oBAAoB,6BAsBhC,CAAA;AAED,eAAO,MAAM,oCAAoC,qBAylBhD,CAAA;AAED,eAAO,MAAM,mCAAmC,qBAkE/C,CAAA;AAw7CD,eAAO,MAAM,yBAAyB,qBA0DrC,CAAA;AAED,eAAO,MAAM,kBAAkB,qBAmK9B,CAAA;AAED,eAAO,MAAM,sBAAsB,qBA0BlC,CAAA;AAGD,eAAO,MAAM,mBAAmB,qBAmC/B,CAAA;AAED,eAAO,MAAM,gCAAgC,mCA2C5C,CAAA;AAED,eAAO,MAAM,cAAc,qBAwb1B,CAAA;AAGD,eAAO,MAAM,oBAAoB,uBAuBhC,CAAA;AA4wBD,eAAO,MAAM,4BAA4B,qBAoExC,CAAA;AAED,eAAO,MAAM,+BAA+B,qBA4U3C,CAAA;AAED,eAAO,MAAM,gDAAgD,qBAwC5D,CAAA;AAED,eAAO,MAAM,qBAAqB,qBAwIjC,CAAA"}
1	+ {"version":3,"file":"tests.d.ts","sourceRoot":"","sources":["../../../src/tests/tests.ts"],"names":[],"mappings":"AA6yEA,eAAO,MAAM,kCAAkC,qBAgJ9C,CAAA;AAED,eAAO,MAAM,mCAAmC,qBA2K/C,CAAA;AAGD,eAAO,MAAM,oBAAoB,qBAoHhC,CAAA;AAED,eAAO,MAAM,+BAA+B,qBAsF3C,CAAA;AAID,eAAO,MAAM,0BAA0B,qBAqCtC,CAAA;AA8vED,eAAO,MAAM,cAAc,qBAqC1B,CAAA;AAotBD,eAAO,MAAM,0BAA0B,qBAmFtC,CAAA;AAqED,eAAO,MAAM,eAAe,qBAmD3B,CAAA;AAED,eAAO,MAAM,oBAAoB,6BAsBhC,CAAA;AAED,eAAO,MAAM,oCAAoC,qBAylBhD,CAAA;AAED,eAAO,MAAM,mCAAmC,qBAkE/C,CAAA;AAw7CD,eAAO,MAAM,yBAAyB,qBA0DrC,CAAA;AAED,eAAO,MAAM,kBAAkB,qBAmK9B,CAAA;AAED,eAAO,MAAM,sBAAsB,qBA0BlC,CAAA;AAGD,eAAO,MAAM,mBAAmB,qBAmC/B,CAAA;AAED,eAAO,MAAM,gCAAgC,mCA2C5C,CAAA;AAED,eAAO,MAAM,cAAc,qBAwb1B,CAAA;AAGD,eAAO,MAAM,oBAAoB,uBAuBhC,CAAA;AA4wBD,eAAO,MAAM,4BAA4B,qBAoExC,CAAA;AAED,eAAO,MAAM,+BAA+B,qBA4U3C,CAAA;AAED,eAAO,MAAM,gDAAgD,qBAwC5D,CAAA;AAED,eAAO,MAAM,qBAAqB,qBAwIjC,CAAA"}