Matt
acf878f997
Resolved 65 type errors across the codebase via these v4 migration
patterns:
- `ZodError.errors` renamed to `ZodError.issues` (4 call sites in auth
routes + central error handler).
- `z.record(value)` now requires explicit key type: `z.record(z.string(),
value)`. Updated 7 sites across templates / forms / saved-views /
website-inquiries.
- `.refine(check, msgFn)` second-arg shape changed — now requires an
`{ error: (issue) => ... }` object form. Updated
`mergeFieldsSchema` in document-templates validator.
- `.transform(...).default(...)` chains: v4 enforces default value type
matches transform OUTPUT. Reordered to `.default(...).transform(...)`
in list-query / company-memberships handlers.
- `z.coerce.*()` INPUT type widened to `unknown` in v4. Service signatures
using `z.input<typeof schema>` (kept for caller flexibility around
defaults) now re-parse via `schema.parse(data)` to recover the
post-coercion shape Drizzle needs. Done in berth-reservations service.
Invoice service narrows `lineItems` locally with a typed cast since
re-parsing would double-validate.
- `.optional().transform(...)` no longer propagates the optional marker
through v4's new ZodPipe. Moved `.optional()` to the END of chain in
`optionalDesiredDimSchema` (interests) and documents list query
(folderId, signatureOnly).
- ZodIssue subtype shapes simplified: `received` removed from
invalid_type, `type` renamed to `origin` on too_small. Test fixtures
updated.
- @hookform/resolvers v5 splits Resolver into 3-generic form (Input,
Context, Output). useForm calls in 6 forms (client, yacht, berth,
interest, expense, invoices-new-page) now pass explicit generics:
`useForm<z.input<typeof schema>, unknown, z.infer<typeof schema>>`.
Verified: tsc clean (0 errors), vitest 1293/1293 pass.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
248 lines
9.3 KiB
TypeScript
248 lines
9.3 KiB
TypeScript
/**
|
|
* Security: Error Response Sanitization
|
|
*
|
|
* Verifies that errorResponse() never leaks stack traces, SQL queries,
|
|
* internal file paths, or other sensitive server-side details to callers.
|
|
*
|
|
* Rule from SECURITY-GUIDELINES.md:
|
|
* "Error responses must NEVER contain stack traces, SQL queries, or internal paths"
|
|
*/
|
|
import { describe, expect, it, vi } from 'vitest';
|
|
|
|
// ── Mock next/server before importing the module under test ──────────────────
|
|
// NextResponse is a Next.js runtime class unavailable in a plain Node environment.
|
|
// We replace it with a minimal shim that captures status + body.
|
|
|
|
vi.mock('next/server', () => {
|
|
class MockNextResponse {
|
|
readonly status: number;
|
|
private body: unknown;
|
|
|
|
constructor(body: unknown, init?: { status?: number }) {
|
|
this.body = body;
|
|
this.status = init?.status ?? 200;
|
|
}
|
|
|
|
async json() {
|
|
return this.body;
|
|
}
|
|
|
|
static json(body: unknown, init?: { status?: number }) {
|
|
return new MockNextResponse(body, init);
|
|
}
|
|
}
|
|
|
|
return { NextResponse: MockNextResponse };
|
|
});
|
|
|
|
// Mock the logger so error-level calls don't pollute test output
|
|
vi.mock('@/lib/logger', () => ({
|
|
logger: {
|
|
error: vi.fn(),
|
|
warn: vi.fn(),
|
|
info: vi.fn(),
|
|
},
|
|
}));
|
|
|
|
import {
|
|
AppError,
|
|
ForbiddenError,
|
|
NotFoundError,
|
|
RateLimitError,
|
|
ValidationError,
|
|
errorResponse,
|
|
} from '@/lib/errors';
|
|
|
|
// ─────────────────────────────────────────────────────────────────────────────
|
|
|
|
describe('Error response security — AppError subclasses', () => {
|
|
it('AppError returns correct status without leaking constructor args', async () => {
|
|
const error = new AppError(400, 'Bad request', 'BAD_REQUEST');
|
|
const response = errorResponse(error);
|
|
expect(response.status).toBe(400);
|
|
const body = (await response.json()) as any;
|
|
expect(body.error).toBe('Bad request');
|
|
expect(body.code).toBe('BAD_REQUEST');
|
|
// Stack trace must never appear in the response body
|
|
expect(JSON.stringify(body)).not.toMatch(/at\s+\w+/); // no call-site lines
|
|
expect(JSON.stringify(body)).not.toContain('node_modules');
|
|
});
|
|
|
|
it('NotFoundError returns 404 with plain-text message, not entity internals', async () => {
|
|
const error = new NotFoundError('Client');
|
|
const response = errorResponse(error);
|
|
expect(response.status).toBe(404);
|
|
const body = (await response.json()) as any;
|
|
// Message is now plain-text user-facing (no jargon, lowercased entity).
|
|
expect(body.error).toBe("We couldn't find that client. It may have been removed.");
|
|
expect(body.code).toBe('NOT_FOUND');
|
|
expect(JSON.stringify(body)).not.toContain('stack');
|
|
});
|
|
|
|
it('ForbiddenError returns 403', async () => {
|
|
const error = new ForbiddenError();
|
|
const response = errorResponse(error);
|
|
expect(response.status).toBe(403);
|
|
const body = (await response.json()) as any;
|
|
expect(body.code).toBe('FORBIDDEN');
|
|
});
|
|
|
|
it('RateLimitError returns 429 with retryAfter but no stack', async () => {
|
|
const error = new RateLimitError(60);
|
|
const response = errorResponse(error);
|
|
expect(response.status).toBe(429);
|
|
const body = (await response.json()) as any;
|
|
expect(body.retryAfter).toBe(60);
|
|
expect(JSON.stringify(body)).not.toMatch(/stack|node_modules/i);
|
|
});
|
|
|
|
it('ValidationError returns 400 with details array, no internal paths', async () => {
|
|
const error = new ValidationError('Invalid input', [
|
|
{ field: 'email', message: 'Invalid email format' },
|
|
]);
|
|
const response = errorResponse(error);
|
|
expect(response.status).toBe(400);
|
|
const body = (await response.json()) as any;
|
|
expect(body.details).toHaveLength(1);
|
|
expect(body.details[0].field).toBe('email');
|
|
expect(JSON.stringify(body)).not.toContain('src/');
|
|
expect(JSON.stringify(body)).not.toContain('G:\\');
|
|
});
|
|
});
|
|
|
|
describe('Error response security — unknown / native errors', () => {
|
|
it('native Error with SQL content returns generic 500', async () => {
|
|
const error = new Error('SELECT * FROM users WHERE id = 1; DROP TABLE users;--');
|
|
const response = errorResponse(error);
|
|
expect(response.status).toBe(500);
|
|
const body = (await response.json()) as any;
|
|
expect(body.error).toBe('Internal server error');
|
|
expect(JSON.stringify(body)).not.toContain('SELECT');
|
|
expect(JSON.stringify(body)).not.toContain('DROP TABLE');
|
|
});
|
|
|
|
it('native Error with Windows file path returns generic 500 without path', async () => {
|
|
const error = new Error(
|
|
'at Object.<anonymous> (G:\\Repos\\new-pn-crm\\src\\lib\\db\\index.ts:15:3)',
|
|
);
|
|
const response = errorResponse(error);
|
|
expect(response.status).toBe(500);
|
|
const body = (await response.json()) as any;
|
|
expect(body.error).toBe('Internal server error');
|
|
expect(JSON.stringify(body)).not.toContain('G:\\');
|
|
expect(JSON.stringify(body)).not.toContain('src\\lib');
|
|
});
|
|
|
|
it('native Error with node_modules path returns generic 500 without path', async () => {
|
|
const error = new Error('ENOENT: no such file at /app/node_modules/pg/lib/connection.js');
|
|
const response = errorResponse(error);
|
|
expect(response.status).toBe(500);
|
|
const body = (await response.json()) as any;
|
|
expect(body.error).toBe('Internal server error');
|
|
expect(JSON.stringify(body)).not.toContain('node_modules');
|
|
expect(JSON.stringify(body)).not.toContain('ENOENT');
|
|
});
|
|
|
|
it('native Error with Postgres relation message returns generic 500', async () => {
|
|
const error = new Error('relation "users" does not exist');
|
|
const response = errorResponse(error);
|
|
expect(response.status).toBe(500);
|
|
const body = (await response.json()) as any;
|
|
expect(body.error).toBe('Internal server error');
|
|
expect(JSON.stringify(body)).not.toContain('relation');
|
|
expect(JSON.stringify(body)).not.toContain('"users"');
|
|
});
|
|
|
|
it('null thrown value returns generic 500', async () => {
|
|
const response = errorResponse(null);
|
|
expect(response.status).toBe(500);
|
|
const body = (await response.json()) as any;
|
|
expect(body.error).toBe('Internal server error');
|
|
});
|
|
|
|
it('string thrown returns generic 500', async () => {
|
|
const response = errorResponse('something went wrong internally');
|
|
expect(response.status).toBe(500);
|
|
const body = (await response.json()) as any;
|
|
expect(body.error).toBe('Internal server error');
|
|
// The raw string must not appear in the response
|
|
expect(JSON.stringify(body)).not.toContain('something went wrong internally');
|
|
});
|
|
});
|
|
|
|
describe('Error response security — ZodError', () => {
|
|
it('ZodError returns 400 with VALIDATION_ERROR code', async () => {
|
|
const { ZodError, ZodIssueCode } = await import('zod');
|
|
const error = new ZodError([
|
|
{
|
|
code: ZodIssueCode.invalid_type,
|
|
expected: 'string',
|
|
input: 42,
|
|
path: ['name'],
|
|
message: 'Expected string, received number',
|
|
},
|
|
]);
|
|
const response = errorResponse(error);
|
|
expect(response.status).toBe(400);
|
|
const body = (await response.json()) as any;
|
|
expect(body.code).toBe('VALIDATION_ERROR');
|
|
expect(body.details).toBeDefined();
|
|
expect(Array.isArray(body.details)).toBe(true);
|
|
});
|
|
|
|
it('ZodError details contain field + message, no internal paths', async () => {
|
|
const { ZodError, ZodIssueCode } = await import('zod');
|
|
const error = new ZodError([
|
|
{
|
|
code: ZodIssueCode.too_small,
|
|
minimum: 1,
|
|
origin: 'string',
|
|
inclusive: true,
|
|
input: '',
|
|
path: ['fullName'],
|
|
message: 'String must contain at least 1 character(s)',
|
|
},
|
|
]);
|
|
const response = errorResponse(error);
|
|
const body = (await response.json()) as any;
|
|
const bodyStr = JSON.stringify(body);
|
|
expect(bodyStr).not.toContain('src/');
|
|
expect(bodyStr).not.toContain('node_modules');
|
|
expect(bodyStr).not.toContain('.ts:');
|
|
// The field path is safe to expose (it's user-visible)
|
|
expect(body.details[0].field).toBe('fullName');
|
|
});
|
|
});
|
|
|
|
describe('Error response security — response shape invariants', () => {
|
|
it('every AppError response body follows { error, code } shape', async () => {
|
|
const errors = [
|
|
new AppError(400, 'Bad request', 'BAD_REQUEST'),
|
|
new NotFoundError('Invoice'),
|
|
new ForbiddenError('Cannot delete'),
|
|
new RateLimitError(30),
|
|
];
|
|
for (const err of errors) {
|
|
const body = (await errorResponse(err).json()) as any;
|
|
expect(typeof body.error).toBe('string');
|
|
expect(body.error.length).toBeGreaterThan(0);
|
|
// Stack must never appear
|
|
expect(body).not.toHaveProperty('stack');
|
|
}
|
|
});
|
|
|
|
it('500 response body carries error + code (and requestId when in-flight)', async () => {
|
|
const response = errorResponse(new Error('db connection refused'));
|
|
const body = (await response.json()) as any;
|
|
// Allowed keys for a 500 response. `code` is always present; `requestId`
|
|
// and `message` only appear when an active request context is in scope.
|
|
const allowed = new Set(['error', 'code', 'requestId', 'message']);
|
|
for (const key of Object.keys(body)) {
|
|
expect(allowed.has(key)).toBe(true);
|
|
}
|
|
expect(body.error).toBe('Internal server error');
|
|
expect(body.code).toBe('INTERNAL');
|
|
expect(body).not.toHaveProperty('stack');
|
|
});
|
|
});
|