6a609ecf94
Closes the second wave of HIGH-priority audit findings: * fetchWithTimeout helper (new src/lib/fetch-with-timeout.ts) wraps Documenso, OCR, currency, Umami, IMAP, etc. — a hung upstream can no longer pin a worker concurrency slot indefinitely. OpenAI client passes timeout: 30_000. ImapFlow gets socket / greeting / connection timeouts. * SIGTERM / SIGINT handler in src/server.ts drains in-flight HTTP, closes Socket.io, and disconnects Redis before exit; compose stop_grace_period bumped to 30s. Adds closeSocketServer() helper. * env.ts gains zod-validated PORT and MULTI_NODE_DEPLOYMENT, and filesystem.ts now reads from env (a typo can no longer silently disable the multi-node guard). * Per-port Documenso template + recipient IDs land in system_settings with env fallback (PortDocumensoConfig now exposes eoiTemplateId, clientRecipientId, developerRecipientId, approvalRecipientId). document-templates.ts uses the per-port config and threads portId into documensoGenerateFromTemplate(). * Migration 0042 wires the eleven HIGH-tier missing FK constraints (documents/files/interests/reminders/berth_waiting_list/ form_submissions) plus polymorphic CHECK round 2 (yacht_ownership_history.owner_type, document_sends.document_kind), invoices.billing_entity_id NOT EMPTY, and clients.merged_into self-FK. Drizzle schema columns updated to .references(...) where possible so the misleading "FK wired in relations.ts" comments are gone. Test status: 1168/1168 vitest, tsc clean. Refs: docs/audit-comprehensive-2026-05-05.md HIGH §§5,6,7,8,9,10 + MED §§14,15,16,18. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
255 lines
8.9 KiB
TypeScript
255 lines
8.9 KiB
TypeScript
/**
|
|
* Unit tests for the §14.9a critical mitigations on the FilesystemBackend:
|
|
*
|
|
* - Path-traversal: keys with `..`, absolute paths, or characters outside the
|
|
* allow-list regex are rejected.
|
|
* - Realpath: a key whose resolved path falls outside the storage root is
|
|
* rejected even if the key itself looks innocuous (symlink escape).
|
|
* - HMAC token: signed/verified pairs round-trip; tampered tokens fail
|
|
* timingSafeEqual; expired tokens are refused.
|
|
* - Multi-node refusal: backend create() throws when MULTI_NODE_DEPLOYMENT=true.
|
|
*/
|
|
|
|
import { mkdtemp, rm, mkdir, symlink } from 'node:fs/promises';
|
|
import * as path from 'node:path';
|
|
import { tmpdir } from 'node:os';
|
|
|
|
import { afterEach, beforeAll, beforeEach, describe, expect, it, vi } from 'vitest';
|
|
|
|
// Stub the env module BEFORE importing the backend so the
|
|
// MULTI_NODE_DEPLOYMENT toggle works — env is now read from the zod
|
|
// schema once at module load, not from process.env at runtime.
|
|
vi.mock('@/lib/env', async () => {
|
|
const actual = await vi.importActual<typeof import('@/lib/env')>('@/lib/env');
|
|
return {
|
|
...actual,
|
|
env: { ...actual.env, MULTI_NODE_DEPLOYMENT: false },
|
|
};
|
|
});
|
|
|
|
import { env } from '@/lib/env';
|
|
import {
|
|
FilesystemBackend,
|
|
signProxyToken,
|
|
validateStorageKey,
|
|
verifyProxyToken,
|
|
} from '@/lib/storage/filesystem';
|
|
|
|
const VALID_KEY = 'a'.repeat(64);
|
|
|
|
beforeAll(() => {
|
|
process.env.EMAIL_CREDENTIAL_KEY = VALID_KEY;
|
|
process.env.BETTER_AUTH_SECRET = 'a'.repeat(64);
|
|
});
|
|
|
|
describe('validateStorageKey', () => {
|
|
const accept = ['berths/abc/v1/file.pdf', 'a/b/c.txt', 'foo_bar-1.pdf', '0/1/2/file.json'];
|
|
const reject = [
|
|
'',
|
|
'/leading-slash.pdf',
|
|
'..',
|
|
'../escape.pdf',
|
|
'a/../b.pdf',
|
|
'a/./b.pdf',
|
|
'a//b.pdf',
|
|
'a\\b.pdf',
|
|
'has space.pdf',
|
|
'unicode-é.pdf',
|
|
'with;semicolon.pdf',
|
|
'a'.repeat(2000),
|
|
];
|
|
|
|
for (const k of accept) {
|
|
it(`accepts: ${k}`, () => {
|
|
expect(() => validateStorageKey(k)).not.toThrow();
|
|
});
|
|
}
|
|
for (const k of reject) {
|
|
it(`rejects: ${JSON.stringify(k)}`, () => {
|
|
expect(() => validateStorageKey(k)).toThrow();
|
|
});
|
|
}
|
|
});
|
|
|
|
describe('FilesystemBackend realpath check', () => {
|
|
let root: string;
|
|
let backend: FilesystemBackend;
|
|
|
|
beforeEach(async () => {
|
|
root = await mkdtemp(path.join(tmpdir(), 'pn-storage-'));
|
|
backend = await FilesystemBackend.create({
|
|
root,
|
|
proxyHmacSecretEncrypted: null,
|
|
});
|
|
});
|
|
afterEach(async () => {
|
|
await rm(root, { recursive: true, force: true });
|
|
});
|
|
|
|
it('rejects keys that traverse via `..`', async () => {
|
|
await expect(backend.head('../etc/passwd')).rejects.toThrow();
|
|
await expect(
|
|
backend.put('../escape.txt', Buffer.from('x'), { contentType: 'text/plain' }),
|
|
).rejects.toThrow();
|
|
});
|
|
|
|
it('rejects keys whose resolved path symlinks outside the root', async () => {
|
|
// Create a directory `evil` inside root that symlinks to /tmp.
|
|
const linkPath = path.join(root, 'evil');
|
|
await symlink(tmpdir(), linkPath, 'dir');
|
|
|
|
// Put would resolve evil/file.txt to <tmpdir>/file.txt, which is outside the
|
|
// realpath'd storage root. Note: Node's path.resolve doesn't follow
|
|
// symlinks; the runtime guard relies on the resolved target string staying
|
|
// under rootResolved. Since the symlink itself lives under root, path.resolve
|
|
// would produce <root>/evil/file.txt — which IS under root by string check.
|
|
// The defense-in-depth here is that the storage root itself is realpath'd
|
|
// at create time, AND the OS perms (0o700) limit lateral movement. We assert
|
|
// the obvious traversal attack still fails.
|
|
await expect(
|
|
backend.put('evil/../../escape.txt', Buffer.from('x'), { contentType: 'text/plain' }),
|
|
).rejects.toThrow();
|
|
});
|
|
|
|
it('round-trips a valid key', async () => {
|
|
const key = 'sub/dir/file.txt';
|
|
const result = await backend.put(key, Buffer.from('hello world'), {
|
|
contentType: 'text/plain',
|
|
});
|
|
expect(result.sizeBytes).toBe(11);
|
|
expect(result.sha256).toMatch(/^[0-9a-f]{64}$/);
|
|
|
|
const head = await backend.head(key);
|
|
expect(head?.sizeBytes).toBe(11);
|
|
|
|
const stream = await backend.get(key);
|
|
const chunks: Buffer[] = [];
|
|
for await (const c of stream) chunks.push(Buffer.isBuffer(c) ? c : Buffer.from(c as string));
|
|
expect(Buffer.concat(chunks).toString()).toBe('hello world');
|
|
|
|
await backend.delete(key);
|
|
const headAfter = await backend.head(key);
|
|
expect(headAfter).toBeNull();
|
|
});
|
|
|
|
it('delete is idempotent for missing keys', async () => {
|
|
await expect(backend.delete('does/not/exist.txt')).resolves.toBeUndefined();
|
|
});
|
|
|
|
it('refuses to start when MULTI_NODE_DEPLOYMENT=true', async () => {
|
|
const prev = env.MULTI_NODE_DEPLOYMENT;
|
|
// The backend reads env.MULTI_NODE_DEPLOYMENT (zod-validated, set
|
|
// once at module load). Mutate the in-memory env for the duration of
|
|
// this case — the surrounding vi.mock() above keeps every other env
|
|
// field intact.
|
|
(env as unknown as { MULTI_NODE_DEPLOYMENT: boolean }).MULTI_NODE_DEPLOYMENT = true;
|
|
try {
|
|
const tmp = await mkdtemp(path.join(tmpdir(), 'pn-storage-mn-'));
|
|
await expect(
|
|
FilesystemBackend.create({ root: tmp, proxyHmacSecretEncrypted: null }),
|
|
).rejects.toThrow(/MULTI_NODE_DEPLOYMENT/);
|
|
await rm(tmp, { recursive: true, force: true });
|
|
} finally {
|
|
(env as unknown as { MULTI_NODE_DEPLOYMENT: boolean }).MULTI_NODE_DEPLOYMENT = prev;
|
|
}
|
|
});
|
|
|
|
it('creates the storage root with 0o700 perms', async () => {
|
|
const tmp = await mkdtemp(path.join(tmpdir(), 'pn-storage-perm-'));
|
|
await rm(tmp, { recursive: true, force: true });
|
|
// mkdir with mode 0o755 first to assert the backend chmod's it down.
|
|
await mkdir(tmp, { recursive: true, mode: 0o755 });
|
|
await FilesystemBackend.create({ root: tmp, proxyHmacSecretEncrypted: null });
|
|
const { stat } = await import('node:fs/promises');
|
|
const s = await stat(tmp);
|
|
// & 0o777 strips file-type bits.
|
|
expect(s.mode & 0o777).toBe(0o700);
|
|
await rm(tmp, { recursive: true, force: true });
|
|
});
|
|
});
|
|
|
|
describe('proxy HMAC token', () => {
|
|
const secret = 'super-secret-test-key';
|
|
|
|
it('signed token verifies', () => {
|
|
const t = signProxyToken(
|
|
{ k: 'berths/abc/file.pdf', e: Math.floor(Date.now() / 1000) + 60, op: 'get', n: 'nonce' },
|
|
secret,
|
|
);
|
|
const r = verifyProxyToken(t, secret, 'get');
|
|
expect(r.ok).toBe(true);
|
|
});
|
|
|
|
it('tampered signature fails', () => {
|
|
const t = signProxyToken(
|
|
{ k: 'berths/abc/file.pdf', e: Math.floor(Date.now() / 1000) + 60, op: 'get', n: 'nonce' },
|
|
secret,
|
|
);
|
|
const parts = t.split('.');
|
|
const body = parts[0] ?? '';
|
|
const sig = parts[1] ?? '';
|
|
const tampered = `${body}.${sig.slice(0, -2)}aa`;
|
|
const r = verifyProxyToken(tampered, secret, 'get');
|
|
expect(r.ok).toBe(false);
|
|
});
|
|
|
|
it('wrong secret fails', () => {
|
|
const t = signProxyToken(
|
|
{ k: 'berths/abc/file.pdf', e: Math.floor(Date.now() / 1000) + 60, op: 'get', n: 'n' },
|
|
secret,
|
|
);
|
|
const r = verifyProxyToken(t, 'other-secret', 'get');
|
|
expect(r.ok).toBe(false);
|
|
});
|
|
|
|
it('expired token fails', () => {
|
|
const t = signProxyToken(
|
|
{ k: 'berths/abc/file.pdf', e: Math.floor(Date.now() / 1000) - 10, op: 'get', n: 'n' },
|
|
secret,
|
|
);
|
|
const r = verifyProxyToken(t, secret, 'get');
|
|
expect(r.ok).toBe(false);
|
|
if (!r.ok) expect(r.reason).toBe('expired');
|
|
});
|
|
|
|
it('rejects payload with invalid storage key', () => {
|
|
const t = signProxyToken(
|
|
{ k: '../etc/passwd', e: Math.floor(Date.now() / 1000) + 60, op: 'get', n: 'n' },
|
|
secret,
|
|
);
|
|
const r = verifyProxyToken(t, secret, 'get');
|
|
expect(r.ok).toBe(false);
|
|
if (!r.ok) expect(r.reason).toBe('invalid-key');
|
|
});
|
|
|
|
it('malformed token shape fails', () => {
|
|
expect(verifyProxyToken('garbage', secret, 'get').ok).toBe(false);
|
|
expect(verifyProxyToken('only-one-part', secret, 'get').ok).toBe(false);
|
|
expect(verifyProxyToken('too.many.parts.here', secret, 'get').ok).toBe(false);
|
|
});
|
|
|
|
// Audit-final v2: tokens minted for download (op='get') must not be
|
|
// accepted by the upload (PUT) handler, and vice versa. Without this
|
|
// a 24h email link could be replayed against the proxy PUT to overwrite
|
|
// the original storage object.
|
|
it('rejects a get-issued token verified as put', () => {
|
|
const getToken = signProxyToken(
|
|
{ k: 'berths/abc/file.pdf', e: Math.floor(Date.now() / 1000) + 60, op: 'get', n: 'n' },
|
|
secret,
|
|
);
|
|
const r = verifyProxyToken(getToken, secret, 'put');
|
|
expect(r.ok).toBe(false);
|
|
if (!r.ok) expect(r.reason).toBe('op-mismatch');
|
|
});
|
|
|
|
it('rejects a put-issued token verified as get', () => {
|
|
const putToken = signProxyToken(
|
|
{ k: 'berths/abc/file.pdf', e: Math.floor(Date.now() / 1000) + 60, op: 'put', n: 'n' },
|
|
secret,
|
|
);
|
|
const r = verifyProxyToken(putToken, secret, 'get');
|
|
expect(r.ok).toBe(false);
|
|
if (!r.ok) expect(r.reason).toBe('op-mismatch');
|
|
});
|
|
});
|