npm - qa360 - Versions diffs - 2.2.20 → 2.3.1 - Mend

qa360 2.2.20 → 2.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (507) hide show

package/dist/core/crawler/permissions-policy-handler.js ADDED Viewed

@@ -0,0 +1,402 @@
+/**
+ * Permissions Policy Handler
+ *
+ * P1 - Permissions Policy (formerly Feature Policy) management
+ *
+ * Supports:
+ * - Permissions-Policy header parsing
+ * - Feature availability checking
+ * - Allowlist validation
+ * - Policy inheritance detection
+ * - iframe-specific policies
+ *
+ * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Permissions_Policy
+ */
+/**
+ * Permissions Policy Handler class
+ */
+export class PermissionsPolicyHandler {
+    page;
+    constructor(page) {
+        this.page = page;
+    }
+    /**
+     * Get Permissions-Policy header
+     */
+    async getPermissionsPolicyHeader() {
+        return await this.page.evaluate(async () => {
+            try {
+                const response = await fetch(window.location.href, { method: 'HEAD' });
+                // Check both old and new header names
+                const policy = response.headers.get('Permissions-Policy') ||
+                    response.headers.get('Feature-Policy');
+                return policy;
+            }
+            catch {
+                return null;
+            }
+        });
+    }
+    /**
+     * Get Permissions-Policy from iframe
+     */
+    async getIframePermissionsPolicy(iframeSelector) {
+        return await this.page.evaluate((selector) => {
+            const iframe = document.querySelector(selector);
+            if (!iframe)
+                return null;
+            // Check allow attribute
+            const allow = iframe.getAttribute('allow');
+            return allow;
+        }, iframeSelector);
+    }
+    /**
+     * Parse Permissions-Policy header
+     */
+    parsePermissionsPolicy(header) {
+        const directives = new Map();
+        // Split by comma for each directive
+        const parts = header.split(',').map(s => s.trim()).filter(Boolean);
+        for (const part of parts) {
+            // Each part is "feature-name=allowlist"
+            const equalIndex = part.indexOf('=');
+            if (equalIndex === -1)
+                continue;
+            const feature = part.slice(0, equalIndex).trim();
+            const allowlistStr = part.slice(equalIndex + 1).trim();
+            // Parse allowlist
+            const allowlist = allowlistStr.split(/\s+/).filter(Boolean);
+            const directive = {
+                feature,
+                allowlist,
+                allowsSelf: allowlist.includes("'self'"),
+                allowsAll: allowlist.includes('*'),
+                allowsNone: allowlist.includes("'none'"),
+                allowedOrigins: allowlist.filter(v => !v.startsWith("'") && v !== '*' && v !== 'none'),
+            };
+            directives.set(feature, directive);
+        }
+        return directives;
+    }
+    /**
+     * Get full policy report
+     */
+    async getPolicyReport() {
+        const header = await this.getPermissionsPolicyHeader();
+        const directives = header ? this.parsePermissionsPolicy(header) : new Map();
+        const disabledFeatures = [];
+        const wildcardFeatures = [];
+        for (const [feature, directive] of directives) {
+            if (directive.allowsNone) {
+                disabledFeatures.push(feature);
+            }
+            if (directive.allowsAll) {
+                wildcardFeatures.push(feature);
+            }
+        }
+        // Calculate security score
+        let score = 50; // Base score
+        // Points for having a policy
+        if (header) {
+            score += 20;
+        }
+        // Deduct for wildcards on sensitive features
+        const sensitiveFeatures = [
+            'geolocation', 'camera', 'microphone', 'payment',
+            'display-capture', 'clipboard-read', 'clipboard-write',
+        ];
+        for (const feature of sensitiveFeatures) {
+            const directive = directives.get(feature);
+            if (directive?.allowsAll) {
+                score -= 10;
+            }
+            else if (directive?.allowsSelf) {
+                score += 5;
+            }
+            else if (directive?.allowsNone) {
+                score += 10;
+            }
+        }
+        // Generate recommendations
+        const recommendations = [];
+        if (!header) {
+            recommendations.push('Implement a Permissions-Policy header to restrict feature access');
+        }
+        else {
+            if (wildcardFeatures.length > 0) {
+                recommendations.push(`Review wildcard permissions for: ${wildcardFeatures.join(', ')}`);
+            }
+            const recommendedRestrictions = [
+                'geolocation', 'camera', 'microphone', 'payment',
+            ];
+            for (const feature of recommendedRestrictions) {
+                if (!directives.has(feature)) {
+                    recommendations.push(`Consider adding explicit policy for ${feature}`);
+                }
+            }
+            // Check for sensitive features that should be restricted
+            if (!directives.has('geolocation') || directives.get('geolocation')?.allowsAll) {
+                recommendations.push('Restrict geolocation to self or specific origins');
+            }
+        }
+        return {
+            header,
+            directives,
+            disabledFeatures,
+            wildcardFeatures,
+            securityScore: Math.max(0, Math.min(100, score)),
+            recommendations,
+        };
+    }
+    /**
+     * Check if a feature is available and allowed
+     */
+    async checkFeature(feature) {
+        const result = {
+            available: false,
+            allowed: false,
+        };
+        // Check feature support in browser
+        const available = await this.page.evaluate((feat) => {
+            // Check if navigator has the feature
+            const navigatorFeature = navigator[feat];
+            if (typeof navigatorFeature !== 'undefined') {
+                return true;
+            }
+            // Check specific APIs
+            switch (feat) {
+                case 'geolocation':
+                    return 'geolocation' in navigator;
+                case 'camera':
+                case 'microphone':
+                    return 'mediaDevices' in navigator;
+                case 'clipboard-read':
+                case 'clipboard-write':
+                    return 'clipboard' in navigator;
+                case 'fullscreen':
+                    return 'fullscreenEnabled' in document;
+                case 'payment':
+                    return 'PaymentRequest' in window;
+                case 'web-share':
+                    return 'share' in navigator;
+                case 'xr-spatial-tracking':
+                    return 'xr' in navigator;
+                default:
+                    return false;
+            }
+        }, feature);
+        result.available = available;
+        if (!available) {
+            return result;
+        }
+        // Check permissions policy
+        const allowed = await this.page.evaluate(async (feat) => {
+            // Check permissions policy via navigator.permissions
+            if ('permissions' in navigator) {
+                try {
+                    // Map feature names to permission names
+                    const permissionMap = {
+                        'geolocation': 'geolocation',
+                        'camera': 'camera',
+                        'microphone': 'microphone',
+                        'clipboard-read': 'clipboard-read',
+                        'clipboard-write': 'clipboard-write',
+                        'notifications': 'notifications',
+                    };
+                    const permissionName = permissionMap[feat];
+                    if (permissionName) {
+                        const status = await navigator.permissions.query({ name: permissionName });
+                        return status.state !== 'denied';
+                    }
+                }
+                catch {
+                    // Ignore
+                }
+            }
+            // Check via feature detection
+            switch (feat) {
+                case 'fullscreen':
+                    return document.fullscreenEnabled;
+                case 'payment':
+                    return 'PaymentRequest' in window;
+                default:
+                    return true;
+            }
+        }, feature);
+        result.allowed = allowed;
+        // Get directive if available
+        const report = await this.getPolicyReport();
+        for (const [policyFeature, directive] of report.directives) {
+            if (policyFeature === feature) {
+                result.directive = directive;
+                break;
+            }
+        }
+        return result;
+    }
+    /**
+     * Check multiple features at once
+     */
+    async checkFeatures(features) {
+        const results = new Map();
+        for (const feature of features) {
+            const result = await this.checkFeature(feature);
+            results.set(feature, result);
+        }
+        return results;
+    }
+    /**
+     * Get all iframe policies on the page
+     */
+    async getIframePolicies() {
+        return await this.page.evaluate(() => {
+            const iframes = document.querySelectorAll('iframe[allow]');
+            const policies = new Map();
+            iframes.forEach((iframe, index) => {
+                const selector = `iframe:nth-of-type(${index + 1})`;
+                const allow = iframe.getAttribute('allow');
+                if (allow) {
+                    policies.set(selector, allow);
+                }
+            });
+            return Object.fromEntries(policies);
+        });
+    }
+    /**
+     * Test if iframe can access a feature
+     */
+    async testIframeFeatureAccess(iframeSelector, feature) {
+        return await this.page.evaluate(async (selector, feat) => {
+            const iframe = document.querySelector(selector);
+            if (!iframe || !iframe.contentWindow)
+                return false;
+            try {
+                // Try to access feature in iframe
+                switch (feat) {
+                    case 'fullscreen':
+                        return iframe.contentWindow.document.fullscreenEnabled;
+                    case 'geolocation':
+                        return 'geolocation' in iframe.contentWindow.navigator;
+                    case 'camera':
+                    case 'microphone':
+                        return 'mediaDevices' in iframe.contentWindow.navigator;
+                    default:
+                        return true;
+                }
+            }
+            catch {
+                // Access blocked - likely due to permissions policy
+                return false;
+            }
+        }, iframeSelector, feature);
+    }
+    /**
+     * Validate security of permissions policy
+     */
+    async validateSecurity() {
+        const report = await this.getPolicyReport();
+        const issues = [];
+        const warnings = [];
+        if (!report.header) {
+            issues.push('No Permissions-Policy header set');
+            return { secure: false, issues, warnings };
+        }
+        // Check for overly permissive policies
+        const sensitiveFeatures = [
+            'geolocation', 'camera', 'microphone', 'payment',
+            'display-capture', 'clipboard-read',
+        ];
+        for (const feature of sensitiveFeatures) {
+            const directive = report.directives.get(feature);
+            if (directive?.allowsAll) {
+                issues.push(`${feature} allows all origins (*) - security risk`);
+            }
+            else if (directive?.allowsSelf && directive.allowedOrigins.length > 0) {
+                warnings.push(`${feature} allows self + specific origins - review if necessary`);
+            }
+        }
+        // Check for features that should be disabled
+        const shouldBeDisabled = [
+            'document-domain', // Modifies document.domain (deprecated)
+            'execution-while-out-of-viewport',
+            'execution-while-not-rendered',
+        ];
+        for (const feature of shouldBeDisabled) {
+            const directive = report.directives.get(feature);
+            if (directive && !directive.allowsNone) {
+                warnings.push(`${feature} should be disabled for security`);
+            }
+        }
+        // Check iframes with allow attributes
+        const iframePolicies = await this.getIframePolicies();
+        if (Object.keys(iframePolicies).length > 0) {
+            for (const [selector, policy] of Object.entries(iframePolicies)) {
+                if (policy.includes('*')) {
+                    warnings.push(`Iframe ${selector} has wildcard permissions in allow attribute`);
+                }
+            }
+        }
+        return {
+            secure: issues.length === 0,
+            issues,
+            warnings,
+        };
+    }
+    /**
+     * Generate recommended Permissions-Policy header
+     */
+    generateRecommendedPolicy(options = {}) {
+        const { allowGeolocation = false, allowCamera = false, allowMicrophone = false, allowPayment = false, allowedOrigins = [], } = options;
+        const policies = [];
+        // Geolocation
+        if (allowGeolocation) {
+            const origins = allowedOrigins.length > 0 ? allowedOrigins.join(' ') : "'self'";
+            policies.push(`geolocation=${origins}`);
+        }
+        else {
+            policies.push('geolocation=(none)');
+        }
+        // Camera
+        if (allowCamera) {
+            const origins = allowedOrigins.length > 0 ? allowedOrigins.join(' ') : "'self'";
+            policies.push(`camera=${origins}`);
+        }
+        else {
+            policies.push('camera=(none)');
+        }
+        // Microphone
+        if (allowMicrophone) {
+            const origins = allowedOrigins.length > 0 ? allowedOrigins.join(' ') : "'self'";
+            policies.push(`microphone=${origins}`);
+        }
+        else {
+            policies.push('microphone=(none)');
+        }
+        // Payment
+        if (allowPayment) {
+            const origins = allowedOrigins.length > 0 ? allowedOrigins.join(' ') : "'self'";
+            policies.push(`payment=${origins}`);
+        }
+        else {
+            policies.push('payment=(none)');
+        }
+        // Recommended defaults for other features
+        const defaults = [
+            'clipboard-write=self',
+            'display-capture=self',
+            'fullscreen=self',
+            'picture-in-picture=self',
+            'sync-xhr=self',
+            'usb=(none)',
+            'midi=(none)',
+        ];
+        return [...policies, ...defaults].join(', ');
+    }
+}
+/**
+ * Factory function to create Permissions Policy Handler
+ */
+export function createPermissionsPolicyHandler(page) {
+    return new PermissionsPolicyHandler(page);
+}
+export default PermissionsPolicyHandler;

package/dist/core/crawler/presets.d.ts ADDED Viewed

@@ -0,0 +1,100 @@
+/**
+ * QA360 Universal Crawler Presets
+ *
+ * Presets for different types of web applications.
+ * Each preset defines:
+ * - Test scenarios specific to the platform type
+ * - Common selectors to look for
+ * - Default test data
+ * - Navigation patterns
+ */
+export interface CrawlerPreset {
+    /** Preset identifier */
+    id: string;
+    /** Human-readable name */
+    name: string;
+    /** Description */
+    description: string;
+    /** Common selectors for this platform type (all optional) */
+    selectors?: {
+        login?: {
+            email?: string[];
+            password?: string[];
+            submit?: string[];
+        };
+        search?: {
+            input?: string[];
+            submit?: string[];
+            results?: string[];
+        };
+        navigation?: {
+            menu?: string[];
+            links?: string[];
+        };
+        actions?: {
+            add?: string[];
+            remove?: string[];
+            edit?: string[];
+            save?: string[];
+            cancel?: string[];
+        };
+        content?: {
+            title?: string[];
+            body?: string[];
+            author?: string[];
+            date?: string[];
+        };
+        pagination?: {
+            next?: string[];
+            prev?: string[];
+        };
+    };
+    /** Default test data for this platform (all optional) */
+    testData?: {
+        auth?: {
+            email?: string;
+            password?: string;
+            username?: string;
+        };
+        search?: string;
+        form?: {
+            title?: string;
+            content?: string;
+            comment?: string;
+            quantity?: number;
+            amount?: number;
+            message?: string;
+            recipient?: string;
+            coin?: string;
+        };
+        payment?: {
+            cardNumber?: string;
+            expiry?: string;
+            cvv?: string;
+        };
+    };
+    /** Common scenarios for this platform (optional) */
+    scenarios?: string[];
+    /** Pages that should be tested (optional) */
+    criticalPaths?: string[][];
+}
+/**
+ * Universal crawler presets
+ */
+export declare const PRESETS: Record<string, CrawlerPreset>;
+/**
+ * Get preset by ID
+ */
+export declare function getPreset(id: string): CrawlerPreset | undefined;
+/**
+ * Get all presets
+ */
+export declare function getAllPresets(): CrawlerPreset[];
+/**
+ * Detect preset from URL (heuristic)
+ */
+export declare function detectPresetFromUrl(url: string): CrawlerPreset;
+/**
+ * Get preset list for CLI
+ */
+export declare function getPresetList(): string;