letsbe/pn-new-crm
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
cf430d70c3373db6475ff9093ef872ae5c5cc32e
pn-new-crm/tests/unit/storage/filesystem-backend.test.ts
Matt Ciaccio ade4c9e77d fix(audit-v2): platform-wide post-merge hardening across 5 domains 
Five-domain audit (security, routes, DB, integrations, UI/UX) ran after
the cf37d09 merge. Critical + high-impact items landed here; deferred
medium/low items indexed in docs/audit-final-deferred.md (now organised
into a "Audit-final v2" section).

Security:
- Storage proxy tokens now bind to op (`'get'` vs `'put'`). A long-lived
  download URL minted by `presignDownload` for an emailed brochure can no
  longer be replayed against the proxy PUT to overwrite the original
  storage object. `verifyProxyToken` requires `expectedOp` and rejects
  mismatches; legacy tokens missing `op` fail-closed. Regression tests
  added.
- Markdown email merge values are now markdown-escaped (`[`, `]`, `(`,
  `)`, `*`, `_`, `\`, backticks, braces) before substitution into the
  rep-authored body. A malicious value like `[click here](https://evil)`
  stored in `client.fullName` no longer survives `escapeHtml` to render
  as a real `<a href>` in the outbound email. Phishing-via-merge-field
  closed; regression tests added.
- Middleware now performs an Origin/Referer check on
  POST/PUT/PATCH/DELETE to `/api/v1/**`. Defense-in-depth on top of
  better-auth's SameSite=Lax cookie. Webhooks/public/auth/portal routes
  exempt as they don't carry the session cookie.

Routes:
- Template management routes were calling `withPermission('documents',
  'manage', ...)` — but `documents` doesn't have a `manage` action. The
  registry has `document_templates.manage`. Every non-superadmin was
  getting 403'd on the seven template endpoints. Fixed across the
  /admin/templates surface.
- Custom-fields permission resource is hardcoded to `clients` regardless
  of which entity (yacht/company/etc.) the values belong to. Documented
  as deferred (requires per-entity routes).

DB:
- documentSends: every parent FK (client_id, interest_id, berth_id,
  brochure_id, brochure_version_id) now uses ON DELETE SET NULL so the
  audit trail outlasts hard-deletes. The denormalized columns
  (recipient_email, document_kind, body_markdown, from_address) were
  added precisely for this. Migration 0035.
- Polymorphic discriminators on yachts.current_owner_type and
  invoices.billing_entity_type now have CHECK constraints — typos like
  `'clients'` vs `'client'` were silently inserting unreachable rows
  before. Migration 0036.

Integrations:
- Email attachment resolution (`src/lib/email/index.ts`) was importing
  MinIO directly instead of `getStorageBackend()`. Filesystem-backend
  deployments would have broken every email-with-attachment send. Now
  routes through the pluggable abstraction per CLAUDE.md.
- Documenso DOCUMENT_OPENED webhook filter relaxed: v2 may omit
  `readStatus` or send lowercase, so an event that was the SIGNAL of an
  open was being silently dropped. Now treats any recipient on a
  DOCUMENT_OPENED event as opened.

UI/UX:
- Expense detail used to render `receiptFileIds` as opaque UUID badges —
  reps couldn't view the receipt they uploaded. Now renders an image
  thumbnail (via `/api/v1/files/[id]/preview`) plus a Download link for
  PDFs. Closed the "where's my receipt?" loop in the expense flow.
- Expense detail Edit + Archive buttons now `<PermissionGate>` and the
  archive mutation surfaces success/error toasts instead of silent 403s.
- Brochures admin: setDefault/archive/create mutations now have onError
  toasts (only onSuccess existed before).
- Removed broken bulk-upload link in scan/page (route doesn't exist;
  used a raw `<a>` triggering a full reload to a 404).

Test status: 1168/1168 vitest passing. tsc clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-05 05:51:39 +02:00

240 lines
8.3 KiB
TypeScript
Raw Blame History

/**
* Unit tests for the §14.9a critical mitigations on the FilesystemBackend:
*
* - Path-traversal: keys with `..`, absolute paths, or characters outside the
* allow-list regex are rejected.
* - Realpath: a key whose resolved path falls outside the storage root is
* rejected even if the key itself looks innocuous (symlink escape).
* - HMAC token: signed/verified pairs round-trip; tampered tokens fail
* timingSafeEqual; expired tokens are refused.
* - Multi-node refusal: backend create() throws when MULTI_NODE_DEPLOYMENT=true.
*/
import { mkdtemp, rm, mkdir, symlink } from 'node:fs/promises';
import * as path from 'node:path';
import { tmpdir } from 'node:os';
import { afterEach, beforeAll, beforeEach, describe, expect, it } from 'vitest';
import {
FilesystemBackend,
signProxyToken,
validateStorageKey,
verifyProxyToken,
} from '@/lib/storage/filesystem';
const VALID_KEY = 'a'.repeat(64);
beforeAll(() => {
process.env.EMAIL_CREDENTIAL_KEY = VALID_KEY;
process.env.BETTER_AUTH_SECRET = 'a'.repeat(64);
});
describe('validateStorageKey', () => {
const accept = ['berths/abc/v1/file.pdf', 'a/b/c.txt', 'foo_bar-1.pdf', '0/1/2/file.json'];
const reject = [
'',
'/leading-slash.pdf',
'..',
'../escape.pdf',
'a/../b.pdf',
'a/./b.pdf',
'a//b.pdf',
'a\\b.pdf',
'has space.pdf',
'unicode-é.pdf',
'with;semicolon.pdf',
'a'.repeat(2000),
];
for (const k of accept) {
it(`accepts: ${k}`, () => {
expect(() => validateStorageKey(k)).not.toThrow();
});
}
for (const k of reject) {
it(`rejects: ${JSON.stringify(k)}`, () => {
expect(() => validateStorageKey(k)).toThrow();
});
}
});
describe('FilesystemBackend realpath check', () => {
let root: string;
let backend: FilesystemBackend;
beforeEach(async () => {
root = await mkdtemp(path.join(tmpdir(), 'pn-storage-'));
backend = await FilesystemBackend.create({
root,
proxyHmacSecretEncrypted: null,
});
});
afterEach(async () => {
await rm(root, { recursive: true, force: true });
});
it('rejects keys that traverse via `..`', async () => {
await expect(backend.head('../etc/passwd')).rejects.toThrow();
await expect(
backend.put('../escape.txt', Buffer.from('x'), { contentType: 'text/plain' }),
).rejects.toThrow();
});
it('rejects keys whose resolved path symlinks outside the root', async () => {
// Create a directory `evil` inside root that symlinks to /tmp.
const linkPath = path.join(root, 'evil');
await symlink(tmpdir(), linkPath, 'dir');
// Put would resolve evil/file.txt to <tmpdir>/file.txt, which is outside the
// realpath'd storage root. Note: Node's path.resolve doesn't follow
// symlinks; the runtime guard relies on the resolved target string staying
// under rootResolved. Since the symlink itself lives under root, path.resolve
// would produce <root>/evil/file.txt — which IS under root by string check.
// The defense-in-depth here is that the storage root itself is realpath'd
// at create time, AND the OS perms (0o700) limit lateral movement. We assert
// the obvious traversal attack still fails.
await expect(
backend.put('evil/../../escape.txt', Buffer.from('x'), { contentType: 'text/plain' }),
).rejects.toThrow();
});
it('round-trips a valid key', async () => {
const key = 'sub/dir/file.txt';
const result = await backend.put(key, Buffer.from('hello world'), {
contentType: 'text/plain',
});
expect(result.sizeBytes).toBe(11);
expect(result.sha256).toMatch(/^[0-9a-f]{64}$/);
const head = await backend.head(key);
expect(head?.sizeBytes).toBe(11);
const stream = await backend.get(key);
const chunks: Buffer[] = [];
for await (const c of stream) chunks.push(Buffer.isBuffer(c) ? c : Buffer.from(c as string));
expect(Buffer.concat(chunks).toString()).toBe('hello world');
await backend.delete(key);
const headAfter = await backend.head(key);
expect(headAfter).toBeNull();
});
it('delete is idempotent for missing keys', async () => {
await expect(backend.delete('does/not/exist.txt')).resolves.toBeUndefined();
});
it('refuses to start when MULTI_NODE_DEPLOYMENT=true', async () => {
const prev = process.env.MULTI_NODE_DEPLOYMENT;
process.env.MULTI_NODE_DEPLOYMENT = 'true';
try {
const tmp = await mkdtemp(path.join(tmpdir(), 'pn-storage-mn-'));
await expect(
FilesystemBackend.create({ root: tmp, proxyHmacSecretEncrypted: null }),
).rejects.toThrow(/MULTI_NODE_DEPLOYMENT/);
await rm(tmp, { recursive: true, force: true });
} finally {
if (prev === undefined) delete process.env.MULTI_NODE_DEPLOYMENT;
else process.env.MULTI_NODE_DEPLOYMENT = prev;
}
});
it('creates the storage root with 0o700 perms', async () => {
const tmp = await mkdtemp(path.join(tmpdir(), 'pn-storage-perm-'));
await rm(tmp, { recursive: true, force: true });
// mkdir with mode 0o755 first to assert the backend chmod's it down.
await mkdir(tmp, { recursive: true, mode: 0o755 });
await FilesystemBackend.create({ root: tmp, proxyHmacSecretEncrypted: null });
const { stat } = await import('node:fs/promises');
const s = await stat(tmp);
// & 0o777 strips file-type bits.
expect(s.mode & 0o777).toBe(0o700);
await rm(tmp, { recursive: true, force: true });
});
});
describe('proxy HMAC token', () => {
const secret = 'super-secret-test-key';
it('signed token verifies', () => {
const t = signProxyToken(
{ k: 'berths/abc/file.pdf', e: Math.floor(Date.now() / 1000) + 60, op: 'get', n: 'nonce' },
secret,
);
const r = verifyProxyToken(t, secret, 'get');
expect(r.ok).toBe(true);
});
it('tampered signature fails', () => {
const t = signProxyToken(
{ k: 'berths/abc/file.pdf', e: Math.floor(Date.now() / 1000) + 60, op: 'get', n: 'nonce' },
secret,
);
const parts = t.split('.');
const body = parts[0] ?? '';
const sig = parts[1] ?? '';
const tampered = `${body}.${sig.slice(0, -2)}aa`;
const r = verifyProxyToken(tampered, secret, 'get');
expect(r.ok).toBe(false);
});
it('wrong secret fails', () => {
const t = signProxyToken(
{ k: 'berths/abc/file.pdf', e: Math.floor(Date.now() / 1000) + 60, op: 'get', n: 'n' },
secret,
);
const r = verifyProxyToken(t, 'other-secret', 'get');
expect(r.ok).toBe(false);
});
it('expired token fails', () => {
const t = signProxyToken(
{ k: 'berths/abc/file.pdf', e: Math.floor(Date.now() / 1000) - 10, op: 'get', n: 'n' },
secret,
);
const r = verifyProxyToken(t, secret, 'get');
expect(r.ok).toBe(false);
if (!r.ok) expect(r.reason).toBe('expired');
});
it('rejects payload with invalid storage key', () => {
const t = signProxyToken(
{ k: '../etc/passwd', e: Math.floor(Date.now() / 1000) + 60, op: 'get', n: 'n' },
secret,
);
const r = verifyProxyToken(t, secret, 'get');
expect(r.ok).toBe(false);
if (!r.ok) expect(r.reason).toBe('invalid-key');
});
it('malformed token shape fails', () => {
expect(verifyProxyToken('garbage', secret, 'get').ok).toBe(false);
expect(verifyProxyToken('only-one-part', secret, 'get').ok).toBe(false);
expect(verifyProxyToken('too.many.parts.here', secret, 'get').ok).toBe(false);
});
// Audit-final v2: tokens minted for download (op='get') must not be
// accepted by the upload (PUT) handler, and vice versa. Without this
// a 24h email link could be replayed against the proxy PUT to overwrite
// the original storage object.
it('rejects a get-issued token verified as put', () => {
const getToken = signProxyToken(
{ k: 'berths/abc/file.pdf', e: Math.floor(Date.now() / 1000) + 60, op: 'get', n: 'n' },
secret,
);
const r = verifyProxyToken(getToken, secret, 'put');
expect(r.ok).toBe(false);
if (!r.ok) expect(r.reason).toBe('op-mismatch');
});
it('rejects a put-issued token verified as get', () => {
const putToken = signProxyToken(
{ k: 'berths/abc/file.pdf', e: Math.floor(Date.now() / 1000) + 60, op: 'put', n: 'n' },
secret,
);
const r = verifyProxyToken(putToken, secret, 'get');
expect(r.ok).toBe(false);
if (!r.ok) expect(r.reason).toBe('op-mismatch');
});
});
Reference in New Issue View Git Blame Copy Permalink