anyvali 0.3.1 → 0.3.4

package/tests/unit/object.test.ts

@@ -1,208 +1,208 @@
-import { describe, it, expect } from "vitest";
-import { object, string, int, optional, bool, RefSchema } from "../../src/index.js";
-
-describe("ObjectSchema", () => {
-  it("accepts valid objects", () => {
-    const s = object({
-      name: string(),
-      age: int(),
-    });
-    const result = s.parse({ name: "Alice", age: 30 });
-    expect(result).toEqual({ name: "Alice", age: 30 });
-  });
-
-  it("rejects missing required fields", () => {
-    const s = object({
-      name: string(),
-      age: int(),
-    });
-    const result = s.safeParse({ name: "Alice" });
-    expect(result.success).toBe(false);
-    if (!result.success) {
-      expect(result.issues[0].code).toBe("required");
-      expect(result.issues[0].path).toEqual(["age"]);
-    }
-  });
-
-  it("strips unknown keys by default", () => {
-    const s = object({ name: string() });
-    const result = s.parse({ name: "Alice", extra: true });
-    expect(result).toEqual({ name: "Alice" });
-  });
-
-  it("rejects unknown keys when configured", () => {
-    const s = object({ name: string() }).unknownKeys("reject");
-    const result = s.safeParse({ name: "Alice", extra: true });
-    expect(result.success).toBe(false);
-    if (!result.success) {
-      expect(result.issues[0].code).toBe("unknown_key");
-    }
-  });
-
-  it("allows unknown keys when configured", () => {
-    const s = object({ name: string() }).unknownKeys("allow");
-    const result = s.parse({ name: "Alice", extra: true });
-    expect(result).toEqual({ name: "Alice", extra: true });
-  });
-
-  it("handles optional fields", () => {
-    const s = object({
-      name: string(),
-      nickname: optional(string()),
-    });
-    const result = s.parse({ name: "Alice" });
-    expect(result).toEqual({ name: "Alice" });
-  });
-
-  it("keeps object modifiers immutable", () => {
-    const base = object({ name: string() });
-    const rejected = base.unknownKeys("reject");
-
-    expect(base.parse({ name: "Alice", extra: true })).toEqual({
-      name: "Alice",
-    });
-    expect(rejected.safeParse({ name: "Alice", extra: true }).success).toBe(
-      false
-    );
-  });
-
-  it("handles defaults on fields", () => {
-    const s = object({
-      name: string(),
-      role: string().default("user"),
-    });
-    const result = s.parse({ name: "Alice" });
-    expect(result).toEqual({ name: "Alice", role: "user" });
-  });
-
-  it("does not overwrite present values with defaults", () => {
-    const s = object({
-      role: string().default("user"),
-    });
-    const result = s.parse({ role: "admin" });
-    expect(result).toEqual({ role: "admin" });
-  });
-
-  it("validates nested objects", () => {
-    const s = object({
-      user: object({
-        name: string(),
-      }),
-    });
-    const result = s.safeParse({ user: { name: 42 } });
-    expect(result.success).toBe(false);
-    if (!result.success) {
-      expect(result.issues[0].path).toEqual(["user", "name"]);
-    }
-  });
-
-  it("collects multiple nested issues with precise paths", () => {
-    const s = object({
-      user: object({
-        name: string().minLength(2),
-        age: int().min(18),
-      }),
-      active: bool(),
-    });
-
-    const result = s.safeParse({
-      user: { name: "", age: 12 },
-      active: "yes",
-    });
-
-    expect(result.success).toBe(false);
-    if (!result.success) {
-      expect(result.issues.map((issue) => issue.path)).toEqual(
-        expect.arrayContaining([
-          ["user", "name"],
-          ["user", "age"],
-          ["active"],
-        ])
-      );
-    }
-  });
-
-  it("treats inherited properties as absent", () => {
-    const base = { name: "Alice" };
-    const input = Object.create(base) as Record<string, unknown>;
-    input.age = 30;
-
-    const s = object({
-      name: string(),
-      age: int(),
-    });
-
-    const result = s.safeParse(input);
-    expect(result.success).toBe(false);
-    if (!result.success) {
-      expect(result.issues).toEqual(
-        expect.arrayContaining([
-          expect.objectContaining({
-            code: "required",
-            path: ["name"],
-          }),
-        ])
-      );
-    }
-  });
-
-  it("returns a detached parsed object", () => {
-    const s = object({
-      user: object({
-        name: string(),
-      }),
-    });
-
-    const input = { user: { name: "Alice" } };
-    const result = s.parse(input);
-
-    expect(result).toEqual(input);
-    expect(result).not.toBe(input);
-    expect(result.user).not.toBe(input.user);
-  });
-
-  it("preserves __proto__ as data when unknown keys are allowed", () => {
-    const s = object({ name: string() }).unknownKeys("allow");
-    const input = JSON.parse(
-      '{"name":"Alice","__proto__":{"polluted":"yes"}}'
-    ) as Record<string, unknown>;
-
-    const result = s.parse(input) as Record<string, unknown>;
-
-    expect(result.name).toBe("Alice");
-    expect(Object.getPrototypeOf(result)).toBe(Object.prototype);
-    expect(Object.prototype.hasOwnProperty.call(result, "__proto__")).toBe(true);
-    expect(
-      Object.getOwnPropertyDescriptor(result, "__proto__")?.value
-    ).toEqual({ polluted: "yes" });
-    expect(({} as Record<string, unknown>).polluted).toBeUndefined();
-  });
-
-  it("fails closed on cyclic input for recursive schemas", () => {
-    let node!: ReturnType<typeof object>;
-    const next = optional(new RefSchema("#/definitions/Node", () => node));
-    node = object({
-      value: string(),
-      next,
-    });
-
-    const input: Record<string, unknown> = { value: "root" };
-    input.next = input;
-
-    let result:
-      | ReturnType<typeof node.safeParse>
-      | undefined;
-
-    expect(() => {
-      result = node.safeParse(input);
-    }).not.toThrow();
-    expect(result?.success).toBe(false);
-  });
-
-  it("rejects non-objects", () => {
-    const s = object({ name: string() });
-    expect(s.safeParse("string").success).toBe(false);
-    expect(s.safeParse(null).success).toBe(false);
-    expect(s.safeParse([]).success).toBe(false);
-  });
-});
+import { describe, it, expect } from "vitest";
+import { object, string, int, optional, bool, RefSchema } from "../../src/index.js";
+
+describe("ObjectSchema", () => {
+  it("accepts valid objects", () => {
+    const s = object({
+      name: string(),
+      age: int(),
+    });
+    const result = s.parse({ name: "Alice", age: 30 });
+    expect(result).toEqual({ name: "Alice", age: 30 });
+  });
+
+  it("rejects missing required fields", () => {
+    const s = object({
+      name: string(),
+      age: int(),
+    });
+    const result = s.safeParse({ name: "Alice" });
+    expect(result.success).toBe(false);
+    if (!result.success) {
+      expect(result.issues[0].code).toBe("required");
+      expect(result.issues[0].path).toEqual(["age"]);
+    }
+  });
+
+  it("strips unknown keys by default", () => {
+    const s = object({ name: string() });
+    const result = s.parse({ name: "Alice", extra: true });
+    expect(result).toEqual({ name: "Alice" });
+  });
+
+  it("rejects unknown keys when configured", () => {
+    const s = object({ name: string() }).unknownKeys("reject");
+    const result = s.safeParse({ name: "Alice", extra: true });
+    expect(result.success).toBe(false);
+    if (!result.success) {
+      expect(result.issues[0].code).toBe("unknown_key");
+    }
+  });
+
+  it("allows unknown keys when configured", () => {
+    const s = object({ name: string() }).unknownKeys("allow");
+    const result = s.parse({ name: "Alice", extra: true });
+    expect(result).toEqual({ name: "Alice", extra: true });
+  });
+
+  it("handles optional fields", () => {
+    const s = object({
+      name: string(),
+      nickname: optional(string()),
+    });
+    const result = s.parse({ name: "Alice" });
+    expect(result).toEqual({ name: "Alice" });
+  });
+
+  it("keeps object modifiers immutable", () => {
+    const base = object({ name: string() });
+    const rejected = base.unknownKeys("reject");
+
+    expect(base.parse({ name: "Alice", extra: true })).toEqual({
+      name: "Alice",
+    });
+    expect(rejected.safeParse({ name: "Alice", extra: true }).success).toBe(
+      false
+    );
+  });
+
+  it("handles defaults on fields", () => {
+    const s = object({
+      name: string(),
+      role: string().default("user"),
+    });
+    const result = s.parse({ name: "Alice" });
+    expect(result).toEqual({ name: "Alice", role: "user" });
+  });
+
+  it("does not overwrite present values with defaults", () => {
+    const s = object({
+      role: string().default("user"),
+    });
+    const result = s.parse({ role: "admin" });
+    expect(result).toEqual({ role: "admin" });
+  });
+
+  it("validates nested objects", () => {
+    const s = object({
+      user: object({
+        name: string(),
+      }),
+    });
+    const result = s.safeParse({ user: { name: 42 } });
+    expect(result.success).toBe(false);
+    if (!result.success) {
+      expect(result.issues[0].path).toEqual(["user", "name"]);
+    }
+  });
+
+  it("collects multiple nested issues with precise paths", () => {
+    const s = object({
+      user: object({
+        name: string().minLength(2),
+        age: int().min(18),
+      }),
+      active: bool(),
+    });
+
+    const result = s.safeParse({
+      user: { name: "", age: 12 },
+      active: "yes",
+    });
+
+    expect(result.success).toBe(false);
+    if (!result.success) {
+      expect(result.issues.map((issue) => issue.path)).toEqual(
+        expect.arrayContaining([
+          ["user", "name"],
+          ["user", "age"],
+          ["active"],
+        ])
+      );
+    }
+  });
+
+  it("treats inherited properties as absent", () => {
+    const base = { name: "Alice" };
+    const input = Object.create(base) as Record<string, unknown>;
+    input.age = 30;
+
+    const s = object({
+      name: string(),
+      age: int(),
+    });
+
+    const result = s.safeParse(input);
+    expect(result.success).toBe(false);
+    if (!result.success) {
+      expect(result.issues).toEqual(
+        expect.arrayContaining([
+          expect.objectContaining({
+            code: "required",
+            path: ["name"],
+          }),
+        ])
+      );
+    }
+  });
+
+  it("returns a detached parsed object", () => {
+    const s = object({
+      user: object({
+        name: string(),
+      }),
+    });
+
+    const input = { user: { name: "Alice" } };
+    const result = s.parse(input);
+
+    expect(result).toEqual(input);
+    expect(result).not.toBe(input);
+    expect(result.user).not.toBe(input.user);
+  });
+
+  it("preserves __proto__ as data when unknown keys are allowed", () => {
+    const s = object({ name: string() }).unknownKeys("allow");
+    const input = JSON.parse(
+      '{"name":"Alice","__proto__":{"polluted":"yes"}}'
+    ) as Record<string, unknown>;
+
+    const result = s.parse(input) as Record<string, unknown>;
+
+    expect(result.name).toBe("Alice");
+    expect(Object.getPrototypeOf(result)).toBe(Object.prototype);
+    expect(Object.prototype.hasOwnProperty.call(result, "__proto__")).toBe(true);
+    expect(
+      Object.getOwnPropertyDescriptor(result, "__proto__")?.value
+    ).toEqual({ polluted: "yes" });
+    expect(({} as Record<string, unknown>).polluted).toBeUndefined();
+  });
+
+  it("fails closed on cyclic input for recursive schemas", () => {
+    let node!: ReturnType<typeof object>;
+    const next = optional(new RefSchema("#/definitions/Node", () => node));
+    node = object({
+      value: string(),
+      next,
+    });
+
+    const input: Record<string, unknown> = { value: "root" };
+    input.next = input;
+
+    let result:
+      | ReturnType<typeof node.safeParse>
+      | undefined;
+
+    expect(() => {
+      result = node.safeParse(input);
+    }).not.toThrow();
+    expect(result?.success).toBe(false);
+  });
+
+  it("rejects non-objects", () => {
+    const s = object({ name: string() });
+    expect(s.safeParse("string").success).toBe(false);
+    expect(s.safeParse(null).success).toBe(false);
+    expect(s.safeParse([]).success).toBe(false);
+  });
+});

package/tests/unit/security-recursion.test.ts

@@ -1,105 +1,105 @@
-import { describe, it, expect } from "vitest";
-import { importSchema } from "../../src/index.js";
-import type { AnyValiDocument } from "../../src/types.js";
-
-// Recursive schema: Node = object({ value: int, next: optional(ref Node) }).
-function recursiveSchemaDoc(): AnyValiDocument {
-  return {
-    anyvaliVersion: "1.0",
-    schemaVersion: "1",
-    root: { kind: "ref", ref: "#/definitions/Node" } as any,
-    definitions: {
-      Node: {
-        kind: "object",
-        properties: {
-          next: { kind: "ref", ref: "#/definitions/Node" },
-        },
-        required: [],
-        unknownKeys: "strip",
-      } as any,
-    },
-    extensions: {},
-  } as AnyValiDocument;
-}
-
-// Build deeply nested data: { next: { next: { ... } } }.
-function deepData(depth: number): unknown {
-  let cur: any = {};
-  for (let i = 0; i < depth; i++) cur = { next: cur };
-  return cur;
-}
-
-// Build a deeply nested schema document: array(array(array(...))).
-function deepArraySchemaDoc(depth: number): AnyValiDocument {
-  let node: any = { kind: "int" };
-  for (let i = 0; i < depth; i++) node = { kind: "array", items: node };
-  return {
-    anyvaliVersion: "1.0",
-    schemaVersion: "1",
-    root: node,
-    definitions: {},
-    extensions: {},
-  } as AnyValiDocument;
-}
-
-describe("Recursion DoS (AVV-002 / AVV-003)", () => {
-  it("safeParse must not throw on deeply nested recursive-schema input", () => {
-    const schema = importSchema(recursiveSchemaDoc());
-    const data = deepData(100_000);
-    // safeParse contract: never throws, always returns a result.
-    let result: ReturnType<typeof schema.safeParse>;
-    expect(() => {
-      result = schema.safeParse(data);
-    }).not.toThrow();
-    // Bounded: extremely deep input is rejected, not accepted blindly.
-    expect(result!.success).toBe(false);
-  });
-
-  it("depth guard is not bypassed by a union in the recursion path", () => {
-    // Node = object({ next: union(null, ref Node) }) -- the recursive ref is
-    // reached *through* a union variant. The union must propagate depth so the
-    // guard still bounds recursion.
-    const doc: AnyValiDocument = {
-      anyvaliVersion: "1.0",
-      schemaVersion: "1",
-      root: { kind: "ref", ref: "#/definitions/Node" } as any,
-      definitions: {
-        Node: {
-          kind: "object",
-          properties: {
-            next: {
-              kind: "union",
-              variants: [{ kind: "null" }, { kind: "ref", ref: "#/definitions/Node" }],
-            },
-          },
-          required: ["next"],
-          unknownKeys: "strip",
-        } as any,
-      },
-      extensions: {},
-    } as AnyValiDocument;
-    const schema = importSchema(doc);
-
-    let cur: any = { next: null };
-    for (let i = 0; i < 100_000; i++) cur = { next: cur };
-
-    let result: ReturnType<typeof schema.safeParse>;
-    expect(() => {
-      result = schema.safeParse(cur);
-    }).not.toThrow();
-    expect(result!.success).toBe(false);
-  });
-
-  it("importSchema must not stack-overflow on a deeply nested schema doc", () => {
-    const doc = deepArraySchemaDoc(100_000);
-    // Should fail in a controlled way, not throw RangeError (stack overflow).
-    let err: unknown;
-    try {
-      importSchema(doc);
-    } catch (e) {
-      err = e;
-    }
-    expect(err).toBeInstanceOf(Error);
-    expect((err as Error) instanceof RangeError).toBe(false);
-  });
-});
+import { describe, it, expect } from "vitest";
+import { importSchema } from "../../src/index.js";
+import type { AnyValiDocument } from "../../src/types.js";
+
+// Recursive schema: Node = object({ value: int, next: optional(ref Node) }).
+function recursiveSchemaDoc(): AnyValiDocument {
+  return {
+    anyvaliVersion: "1.0",
+    schemaVersion: "1",
+    root: { kind: "ref", ref: "#/definitions/Node" } as any,
+    definitions: {
+      Node: {
+        kind: "object",
+        properties: {
+          next: { kind: "ref", ref: "#/definitions/Node" },
+        },
+        required: [],
+        unknownKeys: "strip",
+      } as any,
+    },
+    extensions: {},
+  } as AnyValiDocument;
+}
+
+// Build deeply nested data: { next: { next: { ... } } }.
+function deepData(depth: number): unknown {
+  let cur: any = {};
+  for (let i = 0; i < depth; i++) cur = { next: cur };
+  return cur;
+}
+
+// Build a deeply nested schema document: array(array(array(...))).
+function deepArraySchemaDoc(depth: number): AnyValiDocument {
+  let node: any = { kind: "int" };
+  for (let i = 0; i < depth; i++) node = { kind: "array", items: node };
+  return {
+    anyvaliVersion: "1.0",
+    schemaVersion: "1",
+    root: node,
+    definitions: {},
+    extensions: {},
+  } as AnyValiDocument;
+}
+
+describe("Recursion DoS (AVV-002 / AVV-003)", () => {
+  it("safeParse must not throw on deeply nested recursive-schema input", () => {
+    const schema = importSchema(recursiveSchemaDoc());
+    const data = deepData(100_000);
+    // safeParse contract: never throws, always returns a result.
+    let result: ReturnType<typeof schema.safeParse>;
+    expect(() => {
+      result = schema.safeParse(data);
+    }).not.toThrow();
+    // Bounded: extremely deep input is rejected, not accepted blindly.
+    expect(result!.success).toBe(false);
+  });
+
+  it("depth guard is not bypassed by a union in the recursion path", () => {
+    // Node = object({ next: union(null, ref Node) }) -- the recursive ref is
+    // reached *through* a union variant. The union must propagate depth so the
+    // guard still bounds recursion.
+    const doc: AnyValiDocument = {
+      anyvaliVersion: "1.0",
+      schemaVersion: "1",
+      root: { kind: "ref", ref: "#/definitions/Node" } as any,
+      definitions: {
+        Node: {
+          kind: "object",
+          properties: {
+            next: {
+              kind: "union",
+              variants: [{ kind: "null" }, { kind: "ref", ref: "#/definitions/Node" }],
+            },
+          },
+          required: ["next"],
+          unknownKeys: "strip",
+        } as any,
+      },
+      extensions: {},
+    } as AnyValiDocument;
+    const schema = importSchema(doc);
+
+    let cur: any = { next: null };
+    for (let i = 0; i < 100_000; i++) cur = { next: cur };
+
+    let result: ReturnType<typeof schema.safeParse>;
+    expect(() => {
+      result = schema.safeParse(cur);
+    }).not.toThrow();
+    expect(result!.success).toBe(false);
+  });
+
+  it("importSchema must not stack-overflow on a deeply nested schema doc", () => {
+    const doc = deepArraySchemaDoc(100_000);
+    // Should fail in a controlled way, not throw RangeError (stack overflow).
+    let err: unknown;
+    try {
+      importSchema(doc);
+    } catch (e) {
+      err = e;
+    }
+    expect(err).toBeInstanceOf(Error);
+    expect((err as Error) instanceof RangeError).toBe(false);
+  });
+});