tlc-claude-code 1.4.8 → 1.4.9

package/server/lib/security/error-sanitizer.test.js

@@ -0,0 +1,331 @@
+/**
+ * Error Sanitizer Tests
+ *
+ * Tests for sanitizing error messages for production.
+ */
+
+import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
+import {
+  sanitizeError,
+  createErrorSanitizer,
+  formatErrorResponse,
+  isOperationalError,
+} from './error-sanitizer.js';
+
+describe('error-sanitizer', () => {
+  describe('sanitizeError', () => {
+    it('removes stack trace in production', () => {
+      const error = new Error('Something went wrong');
+      error.stack = 'Error: Something went wrong\n    at /app/src/handler.js:42:15';
+
+      const result = sanitizeError(error, { production: true });
+
+      expect(result.stack).toBeUndefined();
+    });
+
+    it('preserves stack trace in development', () => {
+      const error = new Error('Something went wrong');
+      error.stack = 'Error: Something went wrong\n    at /app/src/handler.js:42:15';
+
+      const result = sanitizeError(error, { production: false });
+
+      expect(result.stack).toBeDefined();
+      expect(result.stack).toContain('handler.js');
+    });
+
+    it('removes file paths from error message', () => {
+      const error = new Error('Failed to read /home/user/app/secrets/config.json');
+
+      const result = sanitizeError(error, { production: true });
+
+      expect(result.message).not.toContain('/home/user');
+      expect(result.message).not.toContain('secrets');
+    });
+
+    it('removes Windows file paths', () => {
+      const error = new Error('Cannot find C:\\Users\\admin\\app\\config.json');
+
+      const result = sanitizeError(error, { production: true });
+
+      expect(result.message).not.toContain('C:\\Users');
+    });
+
+    it('genericizes database errors', () => {
+      const error = new Error('ECONNREFUSED 127.0.0.1:5432 - PostgreSQL connection failed');
+
+      const result = sanitizeError(error, { production: true });
+
+      expect(result.message).toBe('A database error occurred');
+      expect(result.message).not.toContain('127.0.0.1');
+      expect(result.message).not.toContain('5432');
+    });
+
+    it('genericizes SQL syntax errors', () => {
+      const error = new Error("syntax error at or near 'SELECT' at position 42");
+
+      const result = sanitizeError(error, { production: true });
+
+      expect(result.message).toBe('A database error occurred');
+    });
+
+    it('preserves user-friendly message', () => {
+      const error = new Error('Invalid email address');
+      error.isUserFriendly = true;
+
+      const result = sanitizeError(error, { production: true });
+
+      expect(result.message).toBe('Invalid email address');
+    });
+
+    it('returns error ID for support reference', () => {
+      const error = new Error('Internal error');
+
+      const result = sanitizeError(error, { production: true });
+
+      expect(result.id).toBeDefined();
+      expect(result.id).toMatch(/^[a-z0-9-]+$/);
+    });
+
+    it('handles nested error.cause', () => {
+      const cause = new Error('Database timeout at /app/db/pool.js:123');
+      const error = new Error('Request failed');
+      error.cause = cause;
+
+      const result = sanitizeError(error, { production: true });
+
+      expect(result.message).not.toContain('/app/db');
+      expect(result.cause).toBeUndefined(); // Cause should be removed in production
+    });
+
+    it('preserves cause in development', () => {
+      const cause = new Error('Database timeout');
+      const error = new Error('Request failed');
+      error.cause = cause;
+
+      const result = sanitizeError(error, { production: false });
+
+      expect(result.cause).toBeDefined();
+    });
+
+    it('handles circular references', () => {
+      const error = new Error('Circular error');
+      error.circular = error;
+
+      expect(() => {
+        sanitizeError(error, { production: true });
+      }).not.toThrow();
+    });
+
+    it('removes sensitive property names', () => {
+      const error = new Error('Auth failed');
+      error.password = 'secret123';
+      error.apiKey = 'sk_live_xxx';
+      error.token = 'jwt_token_here';
+
+      const result = sanitizeError(error, { production: true });
+
+      expect(result.password).toBeUndefined();
+      expect(result.apiKey).toBeUndefined();
+      expect(result.token).toBeUndefined();
+    });
+  });
+
+  describe('createErrorSanitizer', () => {
+    it('creates sanitizer with custom patterns', () => {
+      const sanitizer = createErrorSanitizer({
+        production: true,
+        redactPatterns: [/SECRET_\w+/gi],
+      });
+
+      const error = new Error('Key is SECRET_ABC123');
+      const result = sanitizer.sanitize(error);
+
+      expect(result.message).not.toContain('SECRET_ABC123');
+    });
+
+    it('creates sanitizer with custom generic messages', () => {
+      const sanitizer = createErrorSanitizer({
+        production: true,
+        genericMessages: {
+          database: 'Database is temporarily unavailable',
+          auth: 'Authentication error',
+        },
+      });
+
+      const error = new Error('ECONNREFUSED PostgreSQL');
+      const result = sanitizer.sanitize(error);
+
+      expect(result.message).toBe('Database is temporarily unavailable');
+    });
+
+    it('logs original error before sanitization', () => {
+      const logger = vi.fn();
+      const sanitizer = createErrorSanitizer({
+        production: true,
+        logger,
+      });
+
+      const error = new Error('Sensitive internal error');
+      sanitizer.sanitize(error);
+
+      expect(logger).toHaveBeenCalledWith(expect.objectContaining({
+        originalMessage: 'Sensitive internal error',
+      }));
+    });
+  });
+
+  describe('formatErrorResponse', () => {
+    it('formats error for HTTP response', () => {
+      const error = new Error('Not found');
+      error.statusCode = 404;
+
+      const response = formatErrorResponse(error, { production: true });
+
+      expect(response).toEqual({
+        error: {
+          message: 'Not found',
+          code: 'NOT_FOUND',
+          id: expect.any(String),
+        },
+      });
+    });
+
+    it('includes status code', () => {
+      const error = new Error('Bad request');
+      error.statusCode = 400;
+
+      const response = formatErrorResponse(error, {
+        production: true,
+        includeStatus: true,
+      });
+
+      expect(response.error.status).toBe(400);
+    });
+
+    it('maps error codes correctly', () => {
+      const testCases = [
+        { statusCode: 400, expectedCode: 'BAD_REQUEST' },
+        { statusCode: 401, expectedCode: 'UNAUTHORIZED' },
+        { statusCode: 403, expectedCode: 'FORBIDDEN' },
+        { statusCode: 404, expectedCode: 'NOT_FOUND' },
+        { statusCode: 409, expectedCode: 'CONFLICT' },
+        { statusCode: 422, expectedCode: 'UNPROCESSABLE_ENTITY' },
+        { statusCode: 429, expectedCode: 'TOO_MANY_REQUESTS' },
+        { statusCode: 500, expectedCode: 'INTERNAL_ERROR' },
+        { statusCode: 502, expectedCode: 'BAD_GATEWAY' },
+        { statusCode: 503, expectedCode: 'SERVICE_UNAVAILABLE' },
+      ];
+
+      for (const { statusCode, expectedCode } of testCases) {
+        const error = new Error('Error');
+        error.statusCode = statusCode;
+
+        const response = formatErrorResponse(error, { production: true });
+
+        expect(response.error.code).toBe(expectedCode);
+      }
+    });
+
+    it('includes validation errors for 400', () => {
+      const error = new Error('Validation failed');
+      error.statusCode = 400;
+      error.validationErrors = [
+        { field: 'email', message: 'Invalid email format' },
+        { field: 'age', message: 'Must be positive' },
+      ];
+
+      const response = formatErrorResponse(error, { production: true });
+
+      expect(response.error.details).toEqual([
+        { field: 'email', message: 'Invalid email format' },
+        { field: 'age', message: 'Must be positive' },
+      ]);
+    });
+
+    it('includes stack in development', () => {
+      const error = new Error('Dev error');
+      error.stack = 'Error: Dev error\n    at test.js:1';
+
+      const response = formatErrorResponse(error, { production: false });
+
+      expect(response.error.stack).toBeDefined();
+    });
+  });
+
+  describe('isOperationalError', () => {
+    it('identifies validation errors as operational', () => {
+      const error = new Error('Invalid input');
+      error.statusCode = 400;
+
+      expect(isOperationalError(error)).toBe(true);
+    });
+
+    it('identifies auth errors as operational', () => {
+      const error = new Error('Unauthorized');
+      error.statusCode = 401;
+
+      expect(isOperationalError(error)).toBe(true);
+    });
+
+    it('identifies 5xx errors as non-operational', () => {
+      const error = new Error('Server error');
+      error.statusCode = 500;
+
+      expect(isOperationalError(error)).toBe(false);
+    });
+
+    it('identifies programmer errors as non-operational', () => {
+      const error = new TypeError('Cannot read property of undefined');
+
+      expect(isOperationalError(error)).toBe(false);
+    });
+
+    it('identifies custom operational errors', () => {
+      const error = new Error('Business rule violation');
+      error.isOperational = true;
+
+      expect(isOperationalError(error)).toBe(true);
+    });
+  });
+
+  describe('edge cases', () => {
+    it('handles null error', () => {
+      const result = sanitizeError(null, { production: true });
+
+      expect(result.message).toBe('An unexpected error occurred');
+    });
+
+    it('handles undefined error', () => {
+      const result = sanitizeError(undefined, { production: true });
+
+      expect(result.message).toBe('An unexpected error occurred');
+    });
+
+    it('handles non-Error objects', () => {
+      const result = sanitizeError('string error', { production: true });
+
+      expect(result.message).toBe('An error occurred');
+    });
+
+    it('handles error with no message', () => {
+      const error = new Error();
+
+      const result = sanitizeError(error, { production: true });
+
+      expect(result.message).toBe('An unexpected error occurred');
+    });
+
+    it('handles deeply nested errors', () => {
+      let error = new Error('Deep error');
+      for (let i = 0; i < 10; i++) {
+        const wrapper = new Error(`Wrapper ${i}`);
+        wrapper.cause = error;
+        error = wrapper;
+      }
+
+      expect(() => {
+        sanitizeError(error, { production: true });
+      }).not.toThrow();
+    });
+  });
+});

package/server/lib/security/headers-generator.js

@@ -0,0 +1,368 @@
+/**
+ * Security Headers Generator Module
+ *
+ * Generates secure HTTP headers to prevent common attacks.
+ * Addresses OWASP A05: Security Misconfiguration
+ */
+
+import crypto from 'crypto';
+
+/**
+ * Valid CSP directives
+ */
+const VALID_CSP_DIRECTIVES = new Set([
+  'default-src', 'script-src', 'style-src', 'img-src', 'font-src',
+  'connect-src', 'media-src', 'object-src', 'frame-src', 'child-src',
+  'worker-src', 'frame-ancestors', 'form-action', 'base-uri', 'manifest-src',
+  'upgrade-insecure-requests', 'block-all-mixed-content', 'report-uri', 'report-to',
+  'require-trusted-types-for', 'trusted-types', 'sandbox',
+]);
+
+/**
+ * Valid Permissions-Policy features
+ */
+const VALID_PERMISSIONS_FEATURES = new Set([
+  'accelerometer', 'ambient-light-sensor', 'autoplay', 'battery', 'camera',
+  'display-capture', 'document-domain', 'encrypted-media', 'fullscreen',
+  'geolocation', 'gyroscope', 'layout-animations', 'legacy-image-formats',
+  'magnetometer', 'microphone', 'midi', 'oversized-images', 'payment',
+  'picture-in-picture', 'publickey-credentials-get', 'sync-xhr', 'usb',
+  'wake-lock', 'xr-spatial-tracking', 'interest-cohort',
+]);
+
+/**
+ * Default CSP directives (strict)
+ */
+const DEFAULT_CSP = {
+  'default-src': ["'self'"],
+  'script-src': ["'self'"],
+  'style-src': ["'self'"],
+  'img-src': ["'self'", 'data:'],
+  'font-src': ["'self'"],
+  'connect-src': ["'self'"],
+  'frame-ancestors': ["'none'"],
+  'base-uri': ["'self'"],
+  'form-action': ["'self'"],
+  'upgrade-insecure-requests': [],
+  'block-all-mixed-content': [],
+};
+
+/**
+ * Generate Content Security Policy header value
+ * @param {Object} options - CSP options
+ * @returns {string} CSP header value
+ */
+export function generateCsp(options = {}) {
+  const {
+    useNonce = false,
+    nonce = null,
+    scriptSrc = null,
+    styleSrc = null,
+    imgSrc = null,
+    connectSrc = null,
+    frameAncestors = null,
+    reportUri = null,
+    reportTo = null,
+    mode = null,
+    reportOnly = false, // Consumed here, not passed to CSP string
+    ...customDirectives
+  } = options;
+
+  // Validate custom directive names
+  for (const directive of Object.keys(customDirectives)) {
+    if (!VALID_CSP_DIRECTIVES.has(directive)) {
+      throw new Error(`Invalid CSP directive: ${directive}`);
+    }
+  }
+
+  // Start with defaults
+  const directives = { ...DEFAULT_CSP };
+
+  // Apply script-src
+  if (scriptSrc && scriptSrc.length > 0) {
+    directives['script-src'] = ["'self'", ...scriptSrc];
+  }
+
+  // Apply style-src
+  if (styleSrc && styleSrc.length > 0) {
+    directives['style-src'] = ["'self'", ...styleSrc];
+  }
+
+  // Apply img-src
+  if (imgSrc && imgSrc.length > 0) {
+    directives['img-src'] = ["'self'", ...imgSrc];
+  }
+
+  // Apply connect-src
+  if (connectSrc && connectSrc.length > 0) {
+    directives['connect-src'] = ["'self'", ...connectSrc];
+  }
+
+  // Apply frame-ancestors
+  if (frameAncestors) {
+    directives['frame-ancestors'] = frameAncestors;
+  }
+
+  // Add nonce if configured
+  if (useNonce && nonce) {
+    directives['script-src'] = [...(directives['script-src'] || ["'self'"]), `'nonce-${nonce}'`];
+
+    // SPA mode adds strict-dynamic
+    if (mode === 'spa') {
+      directives['script-src'].push("'strict-dynamic'");
+    }
+  }
+
+  // Build CSP string
+  const parts = [];
+
+  for (const [directive, values] of Object.entries(directives)) {
+    if (values && values.length > 0) {
+      parts.push(`${directive} ${values.join(' ')}`);
+    } else if (directive === 'upgrade-insecure-requests' || directive === 'block-all-mixed-content') {
+      parts.push(directive);
+    }
+  }
+
+  // Add reporting
+  if (reportUri) {
+    parts.push(`report-uri ${reportUri}`);
+  }
+  if (reportTo) {
+    parts.push(`report-to ${reportTo}`);
+  }
+
+  return parts.join('; ');
+}
+
+/**
+ * Generate HSTS header value
+ * @param {Object} options - HSTS options
+ * @returns {string} HSTS header value
+ */
+export function generateHsts(options = {}) {
+  const {
+    maxAge = 31536000, // 1 year
+    includeSubDomains = true,
+    preload = false,
+  } = options;
+
+  // Preload requires at least 1 year (31536000 seconds)
+  if (preload && maxAge < 31536000) {
+    throw new Error('HSTS preload requires max-age of at least 31536000 seconds (1 year)');
+  }
+
+  let hsts = `max-age=${maxAge}`;
+
+  if (includeSubDomains) {
+    hsts += '; includeSubDomains';
+  }
+
+  if (preload) {
+    hsts += '; preload';
+  }
+
+  return hsts;
+}
+
+/**
+ * Generate Permissions-Policy header value
+ * @param {Object} policies - Feature policies
+ * @returns {string} Permissions-Policy value
+ */
+export function generatePermissionsPolicy(policies = {}) {
+  // Validate feature names
+  for (const feature of Object.keys(policies)) {
+    if (!VALID_PERMISSIONS_FEATURES.has(feature)) {
+      throw new Error(`Invalid Permissions-Policy feature: ${feature}`);
+    }
+  }
+
+  const defaultPolicies = {
+    accelerometer: [],
+    'ambient-light-sensor': [],
+    autoplay: [],
+    battery: [],
+    camera: [],
+    'display-capture': [],
+    'encrypted-media': [],
+    fullscreen: ['self'],
+    geolocation: [],
+    gyroscope: [],
+    magnetometer: [],
+    microphone: [],
+    midi: [],
+    payment: [],
+    'picture-in-picture': [],
+    'publickey-credentials-get': [],
+    'sync-xhr': [],
+    usb: [],
+    'interest-cohort': [],
+  };
+
+  const merged = { ...defaultPolicies, ...policies };
+
+  return Object.entries(merged)
+    .map(([feature, allowList]) => {
+      if (allowList.length === 0) {
+        return `${feature}=()`;
+      }
+      const formatted = allowList.map((item) => {
+        if (item === 'self') return 'self';
+        if (item === '*') return '*';
+        return `"${item}"`;
+      }).join(' ');
+      return `${feature}=(${formatted})`;
+    })
+    .join(', ');
+}
+
+/**
+ * Generate all security headers
+ * @param {Object} options - Header options
+ * @returns {Object} Security headers
+ */
+export function generateSecurityHeaders(options = {}) {
+  const {
+    csp = {},
+    frameOptions = 'DENY',
+    contentTypeOptions = true,
+    referrerPolicy = 'strict-origin-when-cross-origin',
+    hsts = {},
+    permissionsPolicy = {},
+  } = options;
+
+  const headers = {};
+
+  // Content Security Policy
+  headers['Content-Security-Policy'] = generateCsp(csp);
+
+  // X-Frame-Options (clickjacking protection)
+  if (frameOptions) {
+    headers['X-Frame-Options'] = frameOptions;
+  }
+
+  // X-Content-Type-Options (MIME sniffing protection)
+  if (contentTypeOptions) {
+    headers['X-Content-Type-Options'] = 'nosniff';
+  }
+
+  // Referrer-Policy
+  if (referrerPolicy) {
+    headers['Referrer-Policy'] = referrerPolicy;
+  }
+
+  // Strict-Transport-Security
+  headers['Strict-Transport-Security'] = generateHsts(hsts);
+
+  // Permissions-Policy
+  headers['Permissions-Policy'] = generatePermissionsPolicy(permissionsPolicy);
+
+  // Cross-Origin headers
+  headers['Cross-Origin-Opener-Policy'] = 'same-origin';
+  headers['Cross-Origin-Embedder-Policy'] = 'require-corp';
+
+  return headers;
+}
+
+/**
+ * Create a headers generator with preset configuration
+ * @param {Object} config - Generator configuration
+ * @returns {Object} Headers generator instance
+ */
+export function createHeadersGenerator(config = {}) {
+  const {
+    csp = {},
+    cspReportOnly = null,
+    hsts = {},
+    permissionsPolicy = {},
+  } = config;
+
+  return {
+    /**
+     * Generate headers
+     * @param {Object} options - Per-request options
+     * @returns {Object} Security headers
+     */
+    generate(options = {}) {
+      const { overrides = {}, route } = options;
+
+      // Merge CSP options
+      let cspOptions = { ...csp };
+      if (overrides.csp) {
+        cspOptions = { ...cspOptions, ...overrides.csp };
+      }
+
+      // Auto-generate nonce if useNonce is configured
+      if (cspOptions.useNonce && !cspOptions.nonce) {
+        cspOptions.nonce = crypto.randomBytes(16).toString('base64');
+      }
+
+      const headers = {};
+
+      // Generate main CSP
+      if (csp.reportOnly) {
+        headers['Content-Security-Policy-Report-Only'] = generateCsp(cspOptions);
+      } else {
+        headers['Content-Security-Policy'] = generateCsp(cspOptions);
+      }
+
+      // Generate report-only CSP if configured separately
+      if (cspReportOnly) {
+        headers['Content-Security-Policy-Report-Only'] = generateCsp(cspReportOnly);
+      }
+
+      // HSTS
+      const hstsOptions = overrides.hsts ? { ...hsts, ...overrides.hsts } : hsts;
+      headers['Strict-Transport-Security'] = generateHsts(hstsOptions);
+
+      // Other headers
+      headers['X-Frame-Options'] = 'DENY';
+      headers['X-Content-Type-Options'] = 'nosniff';
+      headers['Referrer-Policy'] = 'strict-origin-when-cross-origin';
+      headers['Permissions-Policy'] = generatePermissionsPolicy(permissionsPolicy);
+      headers['Cross-Origin-Opener-Policy'] = 'same-origin';
+      headers['Cross-Origin-Embedder-Policy'] = 'require-corp';
+
+      return headers;
+    },
+
+    /**
+     * Generate headers with nonce
+     * @returns {{headers: Object, nonce: string}} Headers and nonce
+     */
+    generateWithNonce() {
+      const nonce = crypto.randomBytes(16).toString('base64');
+      const cspOptions = { ...csp, useNonce: true, nonce };
+
+      const headers = {};
+      headers['Content-Security-Policy'] = generateCsp(cspOptions);
+
+      // HSTS
+      headers['Strict-Transport-Security'] = generateHsts(hsts);
+
+      // Other headers
+      headers['X-Frame-Options'] = 'DENY';
+      headers['X-Content-Type-Options'] = 'nosniff';
+      headers['Referrer-Policy'] = 'strict-origin-when-cross-origin';
+      headers['Permissions-Policy'] = generatePermissionsPolicy(permissionsPolicy);
+      headers['Cross-Origin-Opener-Policy'] = 'same-origin';
+      headers['Cross-Origin-Embedder-Policy'] = 'require-corp';
+
+      return { headers, nonce };
+    },
+
+    /**
+     * Express middleware
+     */
+    middleware() {
+      return (req, res, next) => {
+        const headers = this.generate();
+        Object.entries(headers).forEach(([key, value]) => {
+          res.setHeader(key, value);
+        });
+        next();
+      };
+    },
+  };
+}