letsbe/pn-new-crm
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
feat/mobile-ux-polish
pn-new-crm/tests/unit/security-input-sanitization.test.ts

191 lines
8.1 KiB
TypeScript
Raw Permalink Normal View History

Initial commit: Port Nimara CRM (Layers 0-4) Full CRM rebuild with Next.js 15, TypeScript, Tailwind, Drizzle ORM, PostgreSQL, Redis, BullMQ, MinIO, and Socket.io. Includes 461 source files covering clients, berths, interests/pipeline, documents/EOI, expenses/invoices, email, notifications, dashboard, admin, and client portal. CI/CD via Gitea Actions with Docker builds. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 11:52:51 +01:00
/**
* Security: Input Sanitization & File Upload Validation
*
* Documents the security boundary between Zod schema validation and the
* parameterized-query layer (Drizzle ORM).
*
* Key principle from SECURITY-GUIDELINES.md:
* SQL injection is prevented by Drizzle's parameterized queries ($1 placeholders),
* NOT by filtering characters out of input. These tests confirm:
* (a) Zod schemas pass injection payloads as plain strings (correct behaviour).
* (b) File upload constants enforce the MIME-type allowlist and 50 MB cap.
*/
import { describe, expect, it } from 'vitest';
// ─────────────────────────────────────────────────────────────────────────────
describe('SQL injection prevention via Zod schemas', () => {
it('createClientSchema accepts SQL injection payload as plain string (parameterized queries handle it)', async () => {
const { createClientSchema } = await import('@/lib/validators/clients');
const result = createClientSchema.safeParse({
fullName: "Robert'); DROP TABLE clients;--",
contacts: [{ channel: 'email', value: 'test@example.com' }],
});
// Zod must accept this as a valid string — we rely on Drizzle for SQL safety
expect(result.success).toBe(true);
if (result.success) {
// The payload passes through unchanged; the query layer uses $1 placeholders
expect(result.data.fullName).toBe("Robert'); DROP TABLE clients;--");
}
});
it('createClientSchema accepts UNION-based injection as plain text', async () => {
const { createClientSchema } = await import('@/lib/validators/clients');
const result = createClientSchema.safeParse({
fullName: "' UNION SELECT table_name FROM information_schema.tables--",
contacts: [{ channel: 'phone', value: '+61400000000' }],
});
expect(result.success).toBe(true);
});
it('createClientSchema rejects empty fullName (business rule, not injection defence)', async () => {
const { createClientSchema } = await import('@/lib/validators/clients');
const result = createClientSchema.safeParse({
fullName: '',
contacts: [{ channel: 'email', value: 'test@example.com' }],
});
expect(result.success).toBe(false);
});
it('createClientSchema rejects when contacts array is empty', async () => {
const { createClientSchema } = await import('@/lib/validators/clients');
const result = createClientSchema.safeParse({
fullName: 'John Smith',
contacts: [],
});
expect(result.success).toBe(false);
});
it('searchQuerySchema accepts injection payload with length ≥ 2 (parameterized query handles it)', async () => {
const { searchQuerySchema } = await import('@/lib/validators/search');
const result = searchQuerySchema.safeParse({
q: "'; DROP TABLE clients;--",
});
// Min length 2, so this passes — Drizzle uses $1 for the actual query
expect(result.success).toBe(true);
});
it('searchQuerySchema rejects single-char input (below min length)', async () => {
const { searchQuerySchema } = await import('@/lib/validators/search');
const result = searchQuerySchema.safeParse({ q: "'" });
expect(result.success).toBe(false);
});
it('searchQuerySchema rejects empty query string', async () => {
const { searchQuerySchema } = await import('@/lib/validators/search');
const result = searchQuerySchema.safeParse({ q: '' });
expect(result.success).toBe(false);
});
it('searchQuerySchema enforces max length of 200', async () => {
const { searchQuerySchema } = await import('@/lib/validators/search');
const result = searchQuerySchema.safeParse({ q: 'a'.repeat(201) });
expect(result.success).toBe(false);
});
it('createClientSchema enforces fullName max length of 200', async () => {
const { createClientSchema } = await import('@/lib/validators/clients');
const result = createClientSchema.safeParse({
fullName: 'x'.repeat(201),
contacts: [{ channel: 'email', value: 'test@example.com' }],
});
expect(result.success).toBe(false);
});
});
// ─────────────────────────────────────────────────────────────────────────────
describe('File upload validation — MIME type allowlist', () => {
it('rejects application/x-executable (binary/shellcode)', async () => {
const { ALLOWED_MIME_TYPES } = await import('@/lib/constants/file-validation');
expect(ALLOWED_MIME_TYPES.has('application/x-executable')).toBe(false);
});
it('rejects text/html (XSS vector)', async () => {
const { ALLOWED_MIME_TYPES } = await import('@/lib/constants/file-validation');
expect(ALLOWED_MIME_TYPES.has('text/html')).toBe(false);
});
it('rejects application/javascript (script injection)', async () => {
const { ALLOWED_MIME_TYPES } = await import('@/lib/constants/file-validation');
expect(ALLOWED_MIME_TYPES.has('application/javascript')).toBe(false);
});
it('rejects application/x-sh (shell script)', async () => {
const { ALLOWED_MIME_TYPES } = await import('@/lib/constants/file-validation');
expect(ALLOWED_MIME_TYPES.has('application/x-sh')).toBe(false);
});
it('rejects application/octet-stream (generic binary)', async () => {
const { ALLOWED_MIME_TYPES } = await import('@/lib/constants/file-validation');
expect(ALLOWED_MIME_TYPES.has('application/octet-stream')).toBe(false);
});
it('rejects image/svg+xml (SVG can embed scripts)', async () => {
const { ALLOWED_MIME_TYPES } = await import('@/lib/constants/file-validation');
expect(ALLOWED_MIME_TYPES.has('image/svg+xml')).toBe(false);
});
it('allows application/pdf', async () => {
const { ALLOWED_MIME_TYPES } = await import('@/lib/constants/file-validation');
expect(ALLOWED_MIME_TYPES.has('application/pdf')).toBe(true);
});
it('allows image/jpeg', async () => {
const { ALLOWED_MIME_TYPES } = await import('@/lib/constants/file-validation');
expect(ALLOWED_MIME_TYPES.has('image/jpeg')).toBe(true);
});
it('allows image/png', async () => {
const { ALLOWED_MIME_TYPES } = await import('@/lib/constants/file-validation');
expect(ALLOWED_MIME_TYPES.has('image/png')).toBe(true);
});
it('allows image/webp', async () => {
const { ALLOWED_MIME_TYPES } = await import('@/lib/constants/file-validation');
expect(ALLOWED_MIME_TYPES.has('image/webp')).toBe(true);
});
it('allows common office document types', async () => {
const { ALLOWED_MIME_TYPES } = await import('@/lib/constants/file-validation');
expect(ALLOWED_MIME_TYPES.has('application/msword')).toBe(true);
expect(
ALLOWED_MIME_TYPES.has(
'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
),
).toBe(true);
expect(ALLOWED_MIME_TYPES.has('application/vnd.ms-excel')).toBe(true);
expect(
ALLOWED_MIME_TYPES.has(
'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
),
).toBe(true);
});
it('allows text/plain and text/csv', async () => {
const { ALLOWED_MIME_TYPES } = await import('@/lib/constants/file-validation');
expect(ALLOWED_MIME_TYPES.has('text/plain')).toBe(true);
expect(ALLOWED_MIME_TYPES.has('text/csv')).toBe(true);
});
});
describe('File upload validation — size limit', () => {
it('MAX_FILE_SIZE is exactly 50 MB (52_428_800 bytes)', async () => {
const { MAX_FILE_SIZE } = await import('@/lib/constants/file-validation');
expect(MAX_FILE_SIZE).toBe(50 * 1024 * 1024);
expect(MAX_FILE_SIZE).toBe(52_428_800);
});
it('a 50 MB file is within the allowed limit', async () => {
const { MAX_FILE_SIZE } = await import('@/lib/constants/file-validation');
const fiftyMb = 50 * 1024 * 1024;
expect(fiftyMb).toBeLessThanOrEqual(MAX_FILE_SIZE);
});
it('a 50 MB + 1 byte file exceeds the limit', async () => {
const { MAX_FILE_SIZE } = await import('@/lib/constants/file-validation');
const overLimit = 50 * 1024 * 1024 + 1;
expect(overLimit).toBeGreaterThan(MAX_FILE_SIZE);
});
});
Reference in New Issue Copy Permalink