letsbe/pn-new-crm
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
588f8bc43cdfa628de95b3b3d42dfca8220c56ec
pn-new-crm/tests/unit/markdown-email-sanitization.test.ts
Matt Ciaccio ade4c9e77d fix(audit-v2): platform-wide post-merge hardening across 5 domains 
Five-domain audit (security, routes, DB, integrations, UI/UX) ran after
the cf37d09 merge. Critical + high-impact items landed here; deferred
medium/low items indexed in docs/audit-final-deferred.md (now organised
into a "Audit-final v2" section).

Security:
- Storage proxy tokens now bind to op (`'get'` vs `'put'`). A long-lived
  download URL minted by `presignDownload` for an emailed brochure can no
  longer be replayed against the proxy PUT to overwrite the original
  storage object. `verifyProxyToken` requires `expectedOp` and rejects
  mismatches; legacy tokens missing `op` fail-closed. Regression tests
  added.
- Markdown email merge values are now markdown-escaped (`[`, `]`, `(`,
  `)`, `*`, `_`, `\`, backticks, braces) before substitution into the
  rep-authored body. A malicious value like `[click here](https://evil)`
  stored in `client.fullName` no longer survives `escapeHtml` to render
  as a real `<a href>` in the outbound email. Phishing-via-merge-field
  closed; regression tests added.
- Middleware now performs an Origin/Referer check on
  POST/PUT/PATCH/DELETE to `/api/v1/**`. Defense-in-depth on top of
  better-auth's SameSite=Lax cookie. Webhooks/public/auth/portal routes
  exempt as they don't carry the session cookie.

Routes:
- Template management routes were calling `withPermission('documents',
  'manage', ...)` — but `documents` doesn't have a `manage` action. The
  registry has `document_templates.manage`. Every non-superadmin was
  getting 403'd on the seven template endpoints. Fixed across the
  /admin/templates surface.
- Custom-fields permission resource is hardcoded to `clients` regardless
  of which entity (yacht/company/etc.) the values belong to. Documented
  as deferred (requires per-entity routes).

DB:
- documentSends: every parent FK (client_id, interest_id, berth_id,
  brochure_id, brochure_version_id) now uses ON DELETE SET NULL so the
  audit trail outlasts hard-deletes. The denormalized columns
  (recipient_email, document_kind, body_markdown, from_address) were
  added precisely for this. Migration 0035.
- Polymorphic discriminators on yachts.current_owner_type and
  invoices.billing_entity_type now have CHECK constraints — typos like
  `'clients'` vs `'client'` were silently inserting unreachable rows
  before. Migration 0036.

Integrations:
- Email attachment resolution (`src/lib/email/index.ts`) was importing
  MinIO directly instead of `getStorageBackend()`. Filesystem-backend
  deployments would have broken every email-with-attachment send. Now
  routes through the pluggable abstraction per CLAUDE.md.
- Documenso DOCUMENT_OPENED webhook filter relaxed: v2 may omit
  `readStatus` or send lowercase, so an event that was the SIGNAL of an
  open was being silently dropped. Now treats any recipient on a
  DOCUMENT_OPENED event as opened.

UI/UX:
- Expense detail used to render `receiptFileIds` as opaque UUID badges —
  reps couldn't view the receipt they uploaded. Now renders an image
  thumbnail (via `/api/v1/files/[id]/preview`) plus a Download link for
  PDFs. Closed the "where's my receipt?" loop in the expense flow.
- Expense detail Edit + Archive buttons now `<PermissionGate>` and the
  archive mutation surfaces success/error toasts instead of silent 403s.
- Brochures admin: setDefault/archive/create mutations now have onError
  toasts (only onSuccess existed before).
- Removed broken bulk-upload link in scan/page (route doesn't exist;
  used a raw `<a>` triggering a full reload to a 404).

Test status: 1168/1168 vitest passing. tsc clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-05 05:51:39 +02:00

173 lines
6.4 KiB
TypeScript
Raw Blame History

/**
* Phase 7 §14.7 critical mitigation: body markdown XSS sanitization.
*
* Every code path that turns rep-authored markdown into the email's
* `html` body is required to go through `renderEmailBody()`. These tests
* are the canary — if any future change to the renderer lets a known XSS
* payload through, the test breaks before the change ships.
*/
import { describe, expect, it } from 'vitest';
import {
EMAIL_BODY_MAX_BYTES,
expandMergeTokens,
extractTokens,
findUnresolvedTokens,
renderEmailBody,
} from '@/lib/utils/markdown-email';
describe('renderEmailBody — XSS payload coverage', () => {
it('escapes <script> tags so they render as text, not active script', () => {
const html = renderEmailBody('Hi <script>alert(1)</script> there');
expect(html).not.toContain('<script>');
expect(html).toContain('&lt;script&gt;');
});
it('escapes onerror handlers in img tags', () => {
const html = renderEmailBody('<img src=x onerror=alert(1)>');
expect(html).not.toContain('<img');
expect(html).toContain('&lt;img');
});
it('strips javascript: URLs from markdown links', () => {
const html = renderEmailBody('[click](javascript:alert(1))');
expect(html).not.toContain('javascript:');
expect(html).not.toContain('<a ');
// Falls back to rendering the link text as plain.
expect(html).toContain('click');
});
it('strips data: URLs from markdown links', () => {
const html = renderEmailBody('[bad](data:text/html,<script>alert(1)</script>)');
expect(html).not.toContain('<a ');
expect(html).not.toContain('<script');
});
it('allows https:// URLs in markdown links', () => {
const html = renderEmailBody('[example](https://example.com)');
expect(html).toContain('<a href="https://example.com"');
expect(html).toContain('rel="noopener noreferrer"');
});
it('allows mailto: URLs in markdown links', () => {
const html = renderEmailBody('[reach me](mailto:hi@example.com)');
expect(html).toContain('<a href="mailto:hi@example.com"');
});
it('escapes <iframe> tags', () => {
const html = renderEmailBody('<iframe src="https://evil.com"></iframe>');
expect(html).not.toContain('<iframe');
expect(html).toContain('&lt;iframe');
});
it('escapes <style> blocks', () => {
const html = renderEmailBody('<style>body{background:red}</style>');
expect(html).not.toContain('<style');
expect(html).toContain('&lt;style');
});
it('escapes attribute-style XSS attempts (no live <svg> tag survives)', () => {
const html = renderEmailBody('"><svg onload=alert(1)>');
// The literal "<svg" must never appear unescaped — the angle bracket is
// what the browser parses, not the word "onload".
expect(html).not.toContain('<svg');
expect(html).toContain('&lt;svg');
expect(html).toContain('&quot;');
});
it('escapes the polyglot from CWE-79 reference samples', () => {
const polyglot = `'\`<img src=x onerror=alert(1)>"<svg/onload=alert(1)>"`;
const html = renderEmailBody(polyglot);
// Only unescaped tags can fire handlers; we just need to be sure no
// unescaped `<` survives.
expect(html).not.toContain('<img');
expect(html).not.toContain('<svg');
expect(html).toContain('&lt;img');
expect(html).toContain('&lt;svg');
});
it('rejects bodies above 50KB', () => {
const huge = 'x'.repeat(EMAIL_BODY_MAX_BYTES + 1);
expect(() => renderEmailBody(huge)).toThrow(/maximum length/);
});
});
describe('renderEmailBody — markdown rules', () => {
it('renders **bold** as <strong>', () => {
expect(renderEmailBody('this is **bold**')).toContain('<strong>bold</strong>');
});
it('renders *italic* as <em>', () => {
expect(renderEmailBody('this is *italic*')).toContain('<em>italic</em>');
});
it('renders `code` spans', () => {
expect(renderEmailBody('use `apiFetch`')).toContain('<code>apiFetch</code>');
});
it('splits paragraphs on blank lines', () => {
const out = renderEmailBody('para one\n\npara two');
expect(out).toContain('<p>para one</p>');
expect(out).toContain('<p>para two</p>');
});
it('converts single newlines to <br>', () => {
const out = renderEmailBody('line one\nline two');
expect(out).toContain('line one<br>line two');
});
});
describe('merge token helpers', () => {
it('extracts tokens from a body', () => {
const tokens = extractTokens('Hi {{client.fullName}} re {{berth.mooringNumber}}.');
expect(tokens).toEqual(['{{client.fullName}}', '{{berth.mooringNumber}}']);
});
it('expands tokens that have values', () => {
const out = expandMergeTokens('Hi {{client.fullName}}', {
'{{client.fullName}}': 'Jane Doe',
});
expect(out).toBe('Hi Jane Doe');
});
it('leaves unresolved tokens intact', () => {
const out = expandMergeTokens('Hi {{client.fullName}} {{missing}}', {
'{{client.fullName}}': 'Jane',
});
expect(out).toBe('Hi Jane {{missing}}');
});
it('reports unresolved tokens', () => {
const unresolved = findUnresolvedTokens('Hi {{a}} {{b}} {{c}}', {
'{{a}}': 'value',
});
expect(unresolved).toEqual(['{{b}}', '{{c}}']);
});
// Audit-final v2: a malicious merge value (e.g. a client.fullName imported
// from a low-trust source) must NOT inject a link or emphasis into the
// rendered email body. escapeMergeValue neutralizes the markdown chars
// inside the value before substitution.
it('escapes markdown control chars inside merge values', () => {
const expanded = expandMergeTokens('Hi {{client.fullName}}, welcome.', {
'{{client.fullName}}': '[click here](https://attacker.tld)',
});
// The brackets/parens are now entity-encoded, so the markdown link
// rule will not fire.
expect(expanded).not.toContain('[click here](https://attacker.tld)');
expect(expanded).toContain('&#91;click here&#93;');
const html = renderEmailBody(expanded);
expect(html).not.toContain('<a href="https://attacker.tld');
// Plain-text version (visible to recipient) still reads normally.
expect(html).toContain('click here');
});
it('escapes nested {{token}} forms in merge values to prevent re-expansion shenanigans', () => {
const expanded = expandMergeTokens('Hi {{a}}', { '{{a}}': '{{secret_token}}' });
// Both braces and the underscore are entity-encoded.
expect(expanded).toContain('&#123;&#123;secret&#95;token&#125;&#125;');
expect(expanded).not.toContain('{{secret_token}}');
});
});
Reference in New Issue View Git Blame Copy Permalink