Etusivu Tutki Apua
Kirjaudu sisään
AI
/
claude-code-hub
peilaus alkaen https://github.com/ding113/claude-code-hub.git
2
0
Haarauta 0
Tiedostot Esitykset 0 Wiki
Haara: dashboard-perf-optimization
Haarat Tunnisteet
claude-code-hub
/
tests
/
security
/
csrf-origin-guard.test.ts

csrf-origin-guard.test.ts 3.4 KB
Pysyvä linkki Historia Raaka

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133 
  1. import { afterEach, describe, expect, it } from "vitest";
    2. 

  2. import { createCsrfOriginGuard } from "@/lib/security/csrf-origin-guard";
    3. 

  3. 

  4. function createRequest(headers: Record<string, string>) {
    5. 

  5.   return {
    6. 

  6.     headers: new Headers(headers),
    7. 

  7.   };
    8. 

  8. }
    9. 

  9. 

  10. describe("createCsrfOriginGuard", () => {
    11. 

  11.   const originalNodeEnv = process.env.NODE_ENV;
    12. 

  12. 

  13.   afterEach(() => {
    14. 

  14.     process.env.NODE_ENV = originalNodeEnv;
    15. 

  15.   });
    16. 

  16. 

  17.   it("allows same-origin request when allowSameOrigin is enabled", () => {
    18. 

  18.     const guard = createCsrfOriginGuard({
    19. 

  19.       allowedOrigins: [],
    20. 

  20.       allowSameOrigin: true,
    21. 

  21.       enforceInDevelopment: true,
    22. 

  22.     });
    23. 

  23. 

  24.     const result = guard.check(
    25. 

  25.       createRequest({
    26. 

  26.         "sec-fetch-site": "same-origin",
    27. 

  27.       })
    28. 

  28.     );
    29. 

  29. 

  30.     expect(result).toEqual({ allowed: true });
    31. 

  31.   });
    32. 

  32. 

  33.   it("allows request when Origin is in allowlist", () => {
    34. 

  34.     const origin = "https://example.com";
    35. 

  35.     const guard = createCsrfOriginGuard({
    36. 

  36.       allowedOrigins: [origin],
    37. 

  37.       allowSameOrigin: false,
    38. 

  38.       enforceInDevelopment: true,
    39. 

  39.     });
    40. 

  40. 

  41.     const result = guard.check(
    42. 

  42.       createRequest({
    43. 

  43.         "sec-fetch-site": "cross-site",
    44. 

  44.         origin,
    45. 

  45.       })
    46. 

  46.     );
    47. 

  47. 

  48.     expect(result).toEqual({ allowed: true });
    49. 

  49.   });
    50. 

  50. 

  51.   it("blocks request when Origin is not in allowlist", () => {
    52. 

  52.     const guard = createCsrfOriginGuard({
    53. 

  53.       allowedOrigins: ["https://allowed.example.com"],
    54. 

  54.       allowSameOrigin: false,
    55. 

  55.       enforceInDevelopment: true,
    56. 

  56.     });
    57. 

  57. 

  58.     const result = guard.check(
    59. 

  59.       createRequest({
    60. 

  60.         origin: "https://evil.example.com",
    61. 

  61.       })
    62. 

  62.     );
    63. 

  63. 

  64.     expect(result.allowed).toBe(false);
    65. 

  65.     expect(result.reason).toBe("Origin https://evil.example.com not in allowlist");
    66. 

  66.   });
    67. 

  67. 

  68.   it("allows request without Origin header", () => {
    69. 

  69.     const guard = createCsrfOriginGuard({
    70. 

  70.       allowedOrigins: [],
    71. 

  71.       allowSameOrigin: true,
    72. 

  72.       enforceInDevelopment: true,
    73. 

  73.     });
    74. 

  74. 

  75.     const result = guard.check(createRequest({}));
    76. 

  76. 

  77.     expect(result).toEqual({ allowed: true });
    78. 

  78.   });
    79. 

  79. 

  80.   it("blocks cross-site request when Origin header is missing", () => {
    81. 

  81.     const guard = createCsrfOriginGuard({
    82. 

  82.       allowedOrigins: ["https://example.com"],
    83. 

  83.       allowSameOrigin: true,
    84. 

  84.       enforceInDevelopment: true,
    85. 

  85.     });
    86. 

  86. 

  87.     const result = guard.check(
    88. 

  88.       createRequest({
    89. 

  89.         "sec-fetch-site": "cross-site",
    90. 

  90.       })
    91. 

  91.     );
    92. 

  92. 

  93.     expect(result.allowed).toBe(false);
    94. 

  94.     expect(result.reason).toBe("Cross-site request blocked: missing Origin header");
    95. 

  95.   });
    96. 

  96. 

  97.   it("matches allowedOrigins case-insensitively", () => {
    98. 

  98.     const guard = createCsrfOriginGuard({
    99. 

  99.       allowedOrigins: ["https://Example.COM"],
    100. 

  100.       allowSameOrigin: false,
    101. 

  101.       enforceInDevelopment: true,
    102. 

  102.     });
    103. 

  103. 

  104.     const result = guard.check(
    105. 

  105.       createRequest({
    106. 

  106.         "sec-fetch-site": "cross-site",
    107. 

  107.         origin: "https://example.com",
    108. 

  108.       })
    109. 

  109.     );
    110. 

  110. 

  111.     expect(result).toEqual({ allowed: true });
    112. 

  112.   });
    113. 

  113. 

  114.   it("bypasses guard in development when enforceInDevelopment is disabled", () => {
    115. 

  115.     process.env.NODE_ENV = "development";
    116. 

  116. 

  117.     const guard = createCsrfOriginGuard({
    118. 

  118.       allowedOrigins: ["https://allowed.example.com"],
    119. 

  119.       allowSameOrigin: false,
    120. 

  120.       enforceInDevelopment: false,
    121. 

  121.     });
    122. 

  122. 

  123.     const result = guard.check(
    124. 

  124.       createRequest({
    125. 

  125.         "sec-fetch-site": "cross-site",
    126. 

  126.         origin: "https://evil.example.com",
    127. 

  127.       })
    128. 

  128.     );
    129. 

  129. 

  130.     expect(result.allowed).toBe(true);
    131. 

  131.     expect(result.reason).toBe("csrf_guard_bypassed_in_development");
    132. 

  132.   });
    133. 

  133. });
    134.