mosaic/stack
1
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases 2 Wiki Activity
Files
8e3177fbbd7e215e40e7d90fe7c215660a712b5c
stack/apps/api/src/common/utils/sanitize.util.spec.ts
Jason Woltje 01639fff95 feat(#285): Add input sanitization for XSS prevention 
Security improvements:
- Create sanitization utility using sanitize-html library
- Add @Sanitize() and @SanitizeObject() decorators for DTOs
- Apply sanitization to vulnerable fields:
  - Connection rejection/disconnection reasons
  - Connection metadata
  - Identity linking metadata
  - Command payloads
- Remove script tags, event handlers, javascript: URLs
- Prevent data exfiltration, CSS-based XSS, SVG-based XSS

Changes:
- Add sanitize.util.ts with recursive sanitization functions
- Add sanitize.decorator.ts for class-transformer integration
- Update connection.dto.ts with sanitization decorators
- Update identity-linking.dto.ts with sanitization decorators
- Update command.dto.ts with sanitization decorators
- Add comprehensive test coverage including attack vectors

Part of M7.1 Remediation Sprint P1 security fixes.

Fixes #285

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-03 21:47:32 -06:00

172 lines
5.1 KiB
TypeScript
Raw Blame History

/**
* Sanitization Utility Tests
*
* Tests for HTML sanitization and XSS prevention.
*/
import { describe, it, expect } from "vitest";
import { sanitizeString, sanitizeObject, sanitizeArray } from "./sanitize.util";
describe("Sanitization Utilities", () => {
describe("sanitizeString", () => {
it("should remove script tags", () => {
const dirty = '<script>alert("XSS")</script>Hello';
const clean = sanitizeString(dirty);
expect(clean).not.toContain("<script>");
expect(clean).not.toContain("alert");
expect(clean).toContain("Hello");
});
it("should remove javascript: URLs", () => {
const dirty = '<a href="javascript:alert(1)">Click</a>';
const clean = sanitizeString(dirty);
expect(clean).not.toContain("javascript:");
expect(clean).toContain("Click");
});
it("should remove on* event handlers", () => {
const dirty = '<div onclick="alert(1)">Click me</div>';
const clean = sanitizeString(dirty);
expect(clean).not.toContain("onclick");
expect(clean).toContain("Click me");
});
it("should allow safe HTML tags", () => {
const input = "<p>Hello <b>world</b>!</p>";
const clean = sanitizeString(input);
expect(clean).toContain("<p>");
expect(clean).toContain("<b>");
expect(clean).toContain("Hello");
});
it("should handle null and undefined", () => {
expect(sanitizeString(null)).toBe("");
expect(sanitizeString(undefined)).toBe("");
});
it("should handle non-string values", () => {
expect(sanitizeString(123 as any)).toBe("123");
expect(sanitizeString(true as any)).toBe("true");
});
it("should prevent data exfiltration via img tags", () => {
const dirty = '<img src="x" onerror="fetch(\'/steal?data=\'+document.cookie)">';
const clean = sanitizeString(dirty);
expect(clean).not.toContain("onerror");
expect(clean).not.toContain("fetch");
});
it("should remove style tags with malicious CSS", () => {
const dirty = '<style>body { background: url("javascript:alert(1)") }</style>Hello';
const clean = sanitizeString(dirty);
expect(clean).not.toContain("<style>");
expect(clean).not.toContain("javascript:");
});
});
describe("sanitizeObject", () => {
it("should sanitize all string values in an object", () => {
const dirty = {
name: '<script>alert("XSS")</script>John',
description: "Safe text",
nested: {
value: '<img src=x onerror="alert(1)">',
},
};
const clean = sanitizeObject(dirty);
expect(clean.name).not.toContain("<script>");
expect(clean.name).toContain("John");
expect(clean.description).toBe("Safe text");
expect(clean.nested.value).not.toContain("onerror");
});
it("should preserve non-string values", () => {
const input = {
string: "test",
number: 123,
boolean: true,
nullValue: null,
undefinedValue: undefined,
};
const clean = sanitizeObject(input);
expect(clean.number).toBe(123);
expect(clean.boolean).toBe(true);
expect(clean.nullValue).toBeNull();
expect(clean.undefinedValue).toBeUndefined();
});
it("should handle arrays within objects", () => {
const input = {
tags: ["<script>alert(1)</script>safe", "another<script>"],
};
const clean = sanitizeObject(input);
expect(clean.tags[0]).not.toContain("<script>");
expect(clean.tags[0]).toContain("safe");
expect(clean.tags[1]).not.toContain("<script>");
});
it("should handle deeply nested objects", () => {
const input = {
level1: {
level2: {
level3: {
xss: "<script>alert(1)</script>",
},
},
},
};
const clean = sanitizeObject(input);
expect(clean.level1.level2.level3.xss).not.toContain("<script>");
});
});
describe("sanitizeArray", () => {
it("should sanitize all strings in an array", () => {
const dirty = ["<script>alert(1)</script>safe", "clean", '<img src=x onerror="alert(2)">'];
const clean = sanitizeArray(dirty);
expect(clean[0]).not.toContain("<script>");
expect(clean[0]).toContain("safe");
expect(clean[1]).toBe("clean");
expect(clean[2]).not.toContain("onerror");
});
it("should handle arrays with mixed types", () => {
const input = ["<script>test</script>", 123, true, null, { key: "<b>value</b>" }];
const clean = sanitizeArray(input);
expect(clean[0]).not.toContain("<script>");
expect(clean[1]).toBe(123);
expect(clean[2]).toBe(true);
expect(clean[3]).toBeNull();
expect((clean[4] as any).key).toContain("<b>");
});
it("should handle nested arrays", () => {
const input = [["<script>alert(1)</script>", "safe"], ['<img src=x onerror="alert(2)">']];
const clean = sanitizeArray(input);
expect(clean[0][0]).not.toContain("<script>");
expect(clean[0][1]).toBe("safe");
expect(clean[1][0]).not.toContain("onerror");
});
});
});
Reference in New Issue View Git Blame Copy Permalink