pn-new-crm/tests/unit/security-input-sanitization.test.ts

/**
 * Security: Input Sanitization & File Upload Validation
 *
 * Documents the security boundary between Zod schema validation and the
 * parameterized-query layer (Drizzle ORM).
 *
 * Key principle from SECURITY-GUIDELINES.md:
 *   SQL injection is prevented by Drizzle's parameterized queries ($1 placeholders),
 *   NOT by filtering characters out of input.  These tests confirm:
 *     (a) Zod schemas pass injection payloads as plain strings (correct behaviour).
 *     (b) File upload constants enforce the MIME-type allowlist and 50 MB cap.
 */
import { describe, expect, it } from 'vitest';

// ─────────────────────────────────────────────────────────────────────────────

describe('SQL injection prevention via Zod schemas', () => {
  it('createClientSchema accepts SQL injection payload as plain string (parameterized queries handle it)', async () => {
    const { createClientSchema } = await import('@/lib/validators/clients');
    const result = createClientSchema.safeParse({
      fullName: "Robert'); DROP TABLE clients;--",
      contacts: [{ channel: 'email', value: 'test@example.com' }],
    });
    // Zod must accept this as a valid string — we rely on Drizzle for SQL safety
    expect(result.success).toBe(true);
    if (result.success) {
      // The payload passes through unchanged; the query layer uses $1 placeholders
      expect(result.data.fullName).toBe("Robert'); DROP TABLE clients;--");
    }
  });

  it('createClientSchema accepts UNION-based injection as plain text', async () => {
    const { createClientSchema } = await import('@/lib/validators/clients');
    const result = createClientSchema.safeParse({
      fullName: "' UNION SELECT table_name FROM information_schema.tables--",
      contacts: [{ channel: 'phone', value: '+61400000000' }],
    });
    expect(result.success).toBe(true);
  });

  it('createClientSchema rejects empty fullName (business rule, not injection defence)', async () => {
    const { createClientSchema } = await import('@/lib/validators/clients');
    const result = createClientSchema.safeParse({
      fullName: '',
      contacts: [{ channel: 'email', value: 'test@example.com' }],
    });
    expect(result.success).toBe(false);
  });

  it('createClientSchema rejects when contacts array is empty', async () => {
    const { createClientSchema } = await import('@/lib/validators/clients');
    const result = createClientSchema.safeParse({
      fullName: 'John Smith',
      contacts: [],
    });
    expect(result.success).toBe(false);
  });

  it('searchQuerySchema accepts injection payload with length ≥ 2 (parameterized query handles it)', async () => {
    const { searchQuerySchema } = await import('@/lib/validators/search');
    const result = searchQuerySchema.safeParse({
      q: "'; DROP TABLE clients;--",
    });
    // Min length 2, so this passes — Drizzle uses $1 for the actual query
    expect(result.success).toBe(true);
  });

  it('searchQuerySchema rejects single-char input (below min length)', async () => {
    const { searchQuerySchema } = await import('@/lib/validators/search');
    const result = searchQuerySchema.safeParse({ q: "'" });
    expect(result.success).toBe(false);
  });

  it('searchQuerySchema rejects empty query string', async () => {
    const { searchQuerySchema } = await import('@/lib/validators/search');
    const result = searchQuerySchema.safeParse({ q: '' });
    expect(result.success).toBe(false);
  });

  it('searchQuerySchema enforces max length of 200', async () => {
    const { searchQuerySchema } = await import('@/lib/validators/search');
    const result = searchQuerySchema.safeParse({ q: 'a'.repeat(201) });
    expect(result.success).toBe(false);
  });

  it('createClientSchema enforces fullName max length of 200', async () => {
    const { createClientSchema } = await import('@/lib/validators/clients');
    const result = createClientSchema.safeParse({
      fullName: 'x'.repeat(201),
      contacts: [{ channel: 'email', value: 'test@example.com' }],
    });
    expect(result.success).toBe(false);
  });
});

// ─────────────────────────────────────────────────────────────────────────────

describe('File upload validation — MIME type allowlist', () => {
  it('rejects application/x-executable (binary/shellcode)', async () => {
    const { ALLOWED_MIME_TYPES } = await import('@/lib/constants/file-validation');
    expect(ALLOWED_MIME_TYPES.has('application/x-executable')).toBe(false);
  });

  it('rejects text/html (XSS vector)', async () => {
    const { ALLOWED_MIME_TYPES } = await import('@/lib/constants/file-validation');
    expect(ALLOWED_MIME_TYPES.has('text/html')).toBe(false);
  });

  it('rejects application/javascript (script injection)', async () => {
    const { ALLOWED_MIME_TYPES } = await import('@/lib/constants/file-validation');
    expect(ALLOWED_MIME_TYPES.has('application/javascript')).toBe(false);
  });

  it('rejects application/x-sh (shell script)', async () => {
    const { ALLOWED_MIME_TYPES } = await import('@/lib/constants/file-validation');
    expect(ALLOWED_MIME_TYPES.has('application/x-sh')).toBe(false);
  });

  it('rejects application/octet-stream (generic binary)', async () => {
    const { ALLOWED_MIME_TYPES } = await import('@/lib/constants/file-validation');
    expect(ALLOWED_MIME_TYPES.has('application/octet-stream')).toBe(false);
  });

  it('rejects image/svg+xml (SVG can embed scripts)', async () => {
    const { ALLOWED_MIME_TYPES } = await import('@/lib/constants/file-validation');
    expect(ALLOWED_MIME_TYPES.has('image/svg+xml')).toBe(false);
  });

  it('allows application/pdf', async () => {
    const { ALLOWED_MIME_TYPES } = await import('@/lib/constants/file-validation');
    expect(ALLOWED_MIME_TYPES.has('application/pdf')).toBe(true);
  });

  it('allows image/jpeg', async () => {
    const { ALLOWED_MIME_TYPES } = await import('@/lib/constants/file-validation');
    expect(ALLOWED_MIME_TYPES.has('image/jpeg')).toBe(true);
  });

  it('allows image/png', async () => {
    const { ALLOWED_MIME_TYPES } = await import('@/lib/constants/file-validation');
    expect(ALLOWED_MIME_TYPES.has('image/png')).toBe(true);
  });

  it('allows image/webp', async () => {
    const { ALLOWED_MIME_TYPES } = await import('@/lib/constants/file-validation');
    expect(ALLOWED_MIME_TYPES.has('image/webp')).toBe(true);
  });

  it('allows common office document types', async () => {
    const { ALLOWED_MIME_TYPES } = await import('@/lib/constants/file-validation');
    expect(ALLOWED_MIME_TYPES.has('application/msword')).toBe(true);
    expect(
      ALLOWED_MIME_TYPES.has(
        'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
      ),
    ).toBe(true);
    expect(ALLOWED_MIME_TYPES.has('application/vnd.ms-excel')).toBe(true);
    expect(
      ALLOWED_MIME_TYPES.has(
        'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
      ),
    ).toBe(true);
  });

  it('allows text/plain and text/csv', async () => {
    const { ALLOWED_MIME_TYPES } = await import('@/lib/constants/file-validation');
    expect(ALLOWED_MIME_TYPES.has('text/plain')).toBe(true);
    expect(ALLOWED_MIME_TYPES.has('text/csv')).toBe(true);
  });
});

describe('File upload validation — size limit', () => {
  it('MAX_FILE_SIZE is exactly 50 MB (52_428_800 bytes)', async () => {
    const { MAX_FILE_SIZE } = await import('@/lib/constants/file-validation');
    expect(MAX_FILE_SIZE).toBe(50 * 1024 * 1024);
    expect(MAX_FILE_SIZE).toBe(52_428_800);
  });

  it('a 50 MB file is within the allowed limit', async () => {
    const { MAX_FILE_SIZE } = await import('@/lib/constants/file-validation');
    const fiftyMb = 50 * 1024 * 1024;
    expect(fiftyMb).toBeLessThanOrEqual(MAX_FILE_SIZE);
  });

  it('a 50 MB + 1 byte file exceeds the limit', async () => {
    const { MAX_FILE_SIZE } = await import('@/lib/constants/file-validation');
    const overLimit = 50 * 1024 * 1024 + 1;
    expect(overLimit).toBeGreaterThan(MAX_FILE_SIZE);
  });
});