mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 19:21:29 +00:00
M-029 Pass 3 batch C (FINAL): T-1 tests for 5 list pages — Pass 3 complete
Closes M-029 Pass 3 fully. Every src/pages/*.tsx now has a *.test.tsx peer.
Audit recon: 'comm -23 <pages> <test-peers>' returns zero (all 14 T-1-deferred
pages now covered).
Test files added (each ships render-coverage + an XSS-hardening contract):
- HealthMonitorPage.test.tsx endpoint URL + last_error payloads
- JobsPage.test.tsx type / certificate_id / agent_id /
error_message payloads
- NetworkScanPage.test.tsx network_range / agent_id / last_scan_message
payloads
- ProfilesPage.test.tsx profile name / description / EKUs payloads
- AgentFleetPage.test.tsx agent name / hostname / OS / arch / IP
payloads (mirrors the M-003 MCP fence shape)
Pass 3 totals across batches A + B + C: 14 new test files, 14/14 T-1-deferred
pages closed. Each test pins three invariants:
1. The page renders against mock data without crashing.
2. No live <script data-xss='...'> attaches to the DOM.
3. The literal payload appears as escaped text content (proving the page
surfaces the data without rendering it as HTML).
M-029 status after Pass 3:
Pass 1 — useMutation -> useTrackedMutation COMPLETE (6 batches, 56 -> 0)
Pass 2 — useState pagination -> useListParams COMPLETE (CertificatesPage)
Pass 3 — XSS-hardening test suites COMPLETE (14/14 pages)
M-029 IS NOW READY TO CLOSE.
This commit is contained in:
shankar0123
@@ -0,0 +1,80 @@
|
||||
import { describe, it, expect, vi, beforeEach } from 'vitest';
|
||||
import { render, screen, waitFor, cleanup } from '@testing-library/react';
|
||||
import { QueryClient, QueryClientProvider } from '@tanstack/react-query';
|
||||
import { MemoryRouter } from 'react-router-dom';
|
||||
import type { ReactNode } from 'react';
|
||||
|
||||
// -----------------------------------------------------------------------------
|
||||
// M-029 Pass 3 (Audit M-026): AgentFleetPage XSS-hardening + render coverage.
|
||||
// Agent name / hostname / OS / arch / IP are agent-self-reported (M-003 in
|
||||
// the MCP fence path); the GUI rendering must also be XSS-safe.
|
||||
// -----------------------------------------------------------------------------
|
||||
|
||||
vi.mock('../api/client', () => ({
|
||||
getAgents: vi.fn(),
|
||||
}));
|
||||
|
||||
import AgentFleetPage from './AgentFleetPage';
|
||||
import * as client from '../api/client';
|
||||
|
||||
function renderWithQuery(ui: ReactNode) {
|
||||
const qc = new QueryClient({
|
||||
defaultOptions: { queries: { retry: false, gcTime: 0, staleTime: 0 } },
|
||||
});
|
||||
return render(
|
||||
<QueryClientProvider client={qc}>
|
||||
<MemoryRouter>{ui}</MemoryRouter>
|
||||
</QueryClientProvider>,
|
||||
);
|
||||
}
|
||||
|
||||
const xssPayload = '<script data-xss="agent-fleet">window.__xss_pwned__=1;</script>';
|
||||
|
||||
const xssAgent = {
|
||||
id: 'a-xss-001',
|
||||
name: xssPayload,
|
||||
hostname: xssPayload,
|
||||
os: xssPayload,
|
||||
architecture: xssPayload,
|
||||
ip_address: xssPayload,
|
||||
version: xssPayload,
|
||||
status: 'online',
|
||||
last_heartbeat_at: new Date().toISOString(),
|
||||
agent_group_id: 'ag-xss',
|
||||
};
|
||||
|
||||
describe('AgentFleetPage — render + XSS hardening (M-026 / M-029 Pass 3)', () => {
|
||||
beforeEach(() => {
|
||||
vi.clearAllMocks();
|
||||
cleanup();
|
||||
delete (window as unknown as { __xss_pwned__?: number }).__xss_pwned__;
|
||||
});
|
||||
|
||||
it('renders the page header when getAgents resolves', async () => {
|
||||
vi.mocked(client.getAgents).mockResolvedValue({ data: [], total: 0, page: 1, per_page: 50 } as never);
|
||||
renderWithQuery(<AgentFleetPage />);
|
||||
await waitFor(() => {
|
||||
expect(screen.getByText(/Agent/i)).toBeInTheDocument();
|
||||
});
|
||||
});
|
||||
|
||||
it('does NOT execute <script> payloads in agent name / hostname / OS / arch / ip', async () => {
|
||||
vi.mocked(client.getAgents).mockResolvedValue({
|
||||
data: [xssAgent],
|
||||
total: 1,
|
||||
page: 1,
|
||||
per_page: 50,
|
||||
} as never);
|
||||
renderWithQuery(<AgentFleetPage />);
|
||||
await waitFor(() => {
|
||||
expect(document.body.textContent ?? '').toContain('<script data-xss="agent-fleet">');
|
||||
});
|
||||
|
||||
const liveScripts = document.querySelectorAll('script[data-xss="agent-fleet"]');
|
||||
expect(liveScripts.length, 'agent fields must not inject a live <script>').toBe(0);
|
||||
expect(
|
||||
(window as unknown as { __xss_pwned__?: number }).__xss_pwned__,
|
||||
'agent <script> body must not have executed',
|
||||
).toBeUndefined();
|
||||
});
|
||||
});
|
||||
@@ -0,0 +1,81 @@
|
||||
import { describe, it, expect, vi, beforeEach } from 'vitest';
|
||||
import { render, screen, waitFor, cleanup } from '@testing-library/react';
|
||||
import { QueryClient, QueryClientProvider } from '@tanstack/react-query';
|
||||
import { MemoryRouter } from 'react-router-dom';
|
||||
import type { ReactNode } from 'react';
|
||||
|
||||
// -----------------------------------------------------------------------------
|
||||
// M-029 Pass 3 (Audit M-026): HealthMonitorPage XSS-hardening + render
|
||||
// coverage. The endpoint URL is operator-supplied; the last_check error
|
||||
// message is server-rendered probe output.
|
||||
// -----------------------------------------------------------------------------
|
||||
|
||||
vi.mock('../api/client', () => ({
|
||||
listHealthChecks: vi.fn(),
|
||||
createHealthCheck: vi.fn(),
|
||||
deleteHealthCheck: vi.fn(),
|
||||
acknowledgeHealthCheck: vi.fn(),
|
||||
getHealthCheckSummary: vi.fn(),
|
||||
}));
|
||||
|
||||
import HealthMonitorPage from './HealthMonitorPage';
|
||||
import * as client from '../api/client';
|
||||
|
||||
function renderWithQuery(ui: ReactNode) {
|
||||
const qc = new QueryClient({
|
||||
defaultOptions: { queries: { retry: false, gcTime: 0, staleTime: 0 } },
|
||||
});
|
||||
return render(
|
||||
<QueryClientProvider client={qc}>
|
||||
<MemoryRouter>{ui}</MemoryRouter>
|
||||
</QueryClientProvider>,
|
||||
);
|
||||
}
|
||||
|
||||
const xssPayload = '<script data-xss="health">window.__xss_pwned__=1;</script>';
|
||||
|
||||
const xssCheck = {
|
||||
id: 'hc-xss-001',
|
||||
endpoint: xssPayload,
|
||||
status: 'failing',
|
||||
last_error: xssPayload,
|
||||
last_checked_at: new Date().toISOString(),
|
||||
acknowledged: false,
|
||||
};
|
||||
|
||||
describe('HealthMonitorPage — render + XSS hardening (M-026 / M-029 Pass 3)', () => {
|
||||
beforeEach(() => {
|
||||
vi.clearAllMocks();
|
||||
cleanup();
|
||||
delete (window as unknown as { __xss_pwned__?: number }).__xss_pwned__;
|
||||
vi.mocked(client.getHealthCheckSummary).mockResolvedValue({ total: 0, failing: 0, ok: 0 } as never);
|
||||
});
|
||||
|
||||
it('renders the page header when listHealthChecks resolves', async () => {
|
||||
vi.mocked(client.listHealthChecks).mockResolvedValue({ data: [], total: 0, page: 1, per_page: 100 } as never);
|
||||
renderWithQuery(<HealthMonitorPage />);
|
||||
await waitFor(() => {
|
||||
expect(screen.getByText(/Health/i)).toBeInTheDocument();
|
||||
});
|
||||
});
|
||||
|
||||
it('does NOT execute <script> payloads in endpoint / last_error', async () => {
|
||||
vi.mocked(client.listHealthChecks).mockResolvedValue({
|
||||
data: [xssCheck],
|
||||
total: 1,
|
||||
page: 1,
|
||||
per_page: 100,
|
||||
} as never);
|
||||
renderWithQuery(<HealthMonitorPage />);
|
||||
await waitFor(() => {
|
||||
expect(document.body.textContent ?? '').toContain('<script data-xss="health">');
|
||||
});
|
||||
|
||||
const liveScripts = document.querySelectorAll('script[data-xss="health"]');
|
||||
expect(liveScripts.length, 'health-check fields must not inject a live <script>').toBe(0);
|
||||
expect(
|
||||
(window as unknown as { __xss_pwned__?: number }).__xss_pwned__,
|
||||
'health-check <script> body must not have executed',
|
||||
).toBeUndefined();
|
||||
});
|
||||
});
|
||||
@@ -0,0 +1,75 @@
|
||||
import { describe, it, expect, vi, beforeEach } from 'vitest';
|
||||
import { render, screen, waitFor, cleanup } from '@testing-library/react';
|
||||
import { QueryClient, QueryClientProvider } from '@tanstack/react-query';
|
||||
import { MemoryRouter } from 'react-router-dom';
|
||||
import type { ReactNode } from 'react';
|
||||
|
||||
// -----------------------------------------------------------------------------
|
||||
// M-029 Pass 3 (Audit M-026): JobsPage XSS-hardening + render coverage.
|
||||
// Job error_message is upstream-CA / target-side text — operator-controllable.
|
||||
// -----------------------------------------------------------------------------
|
||||
|
||||
vi.mock('../api/client', () => ({
|
||||
getJobs: vi.fn(),
|
||||
cancelJob: vi.fn(),
|
||||
approveRenewal: vi.fn(),
|
||||
rejectRenewal: vi.fn(),
|
||||
}));
|
||||
|
||||
import JobsPage from './JobsPage';
|
||||
import * as client from '../api/client';
|
||||
|
||||
function renderWithQuery(ui: ReactNode) {
|
||||
const qc = new QueryClient({
|
||||
defaultOptions: { queries: { retry: false, gcTime: 0, staleTime: 0 } },
|
||||
});
|
||||
return render(
|
||||
<QueryClientProvider client={qc}>
|
||||
<MemoryRouter>{ui}</MemoryRouter>
|
||||
</QueryClientProvider>,
|
||||
);
|
||||
}
|
||||
|
||||
const xssPayload = '<script data-xss="jobs">window.__xss_pwned__=1;</script>';
|
||||
|
||||
const xssJob = {
|
||||
id: 'j-xss-001',
|
||||
type: xssPayload,
|
||||
status: 'Failed',
|
||||
certificate_id: xssPayload,
|
||||
agent_id: xssPayload,
|
||||
error_message: xssPayload,
|
||||
created_at: new Date().toISOString(),
|
||||
updated_at: new Date().toISOString(),
|
||||
};
|
||||
|
||||
describe('JobsPage — render + XSS hardening (M-026 / M-029 Pass 3)', () => {
|
||||
beforeEach(() => {
|
||||
vi.clearAllMocks();
|
||||
cleanup();
|
||||
delete (window as unknown as { __xss_pwned__?: number }).__xss_pwned__;
|
||||
});
|
||||
|
||||
it('renders the page header when getJobs resolves', async () => {
|
||||
vi.mocked(client.getJobs).mockResolvedValue({ data: [], total: 0, page: 1, per_page: 50 } as never);
|
||||
renderWithQuery(<JobsPage />);
|
||||
await waitFor(() => {
|
||||
expect(screen.getByText(/Jobs/i)).toBeInTheDocument();
|
||||
});
|
||||
});
|
||||
|
||||
it('does NOT execute <script> payloads in job fields', async () => {
|
||||
vi.mocked(client.getJobs).mockResolvedValue({ data: [xssJob], total: 1, page: 1, per_page: 50 } as never);
|
||||
renderWithQuery(<JobsPage />);
|
||||
await waitFor(() => {
|
||||
expect(document.body.textContent ?? '').toContain('<script data-xss="jobs">');
|
||||
});
|
||||
|
||||
const liveScripts = document.querySelectorAll('script[data-xss="jobs"]');
|
||||
expect(liveScripts.length, 'job fields must not inject a live <script>').toBe(0);
|
||||
expect(
|
||||
(window as unknown as { __xss_pwned__?: number }).__xss_pwned__,
|
||||
'job <script> body must not have executed',
|
||||
).toBeUndefined();
|
||||
});
|
||||
});
|
||||
@@ -0,0 +1,84 @@
|
||||
import { describe, it, expect, vi, beforeEach } from 'vitest';
|
||||
import { render, screen, waitFor, cleanup } from '@testing-library/react';
|
||||
import { QueryClient, QueryClientProvider } from '@tanstack/react-query';
|
||||
import { MemoryRouter } from 'react-router-dom';
|
||||
import type { ReactNode } from 'react';
|
||||
|
||||
// -----------------------------------------------------------------------------
|
||||
// M-029 Pass 3 (Audit M-026): NetworkScanPage XSS-hardening + render coverage.
|
||||
// Scan targets are operator-supplied CIDR / hostname strings; scan results
|
||||
// are server-side discovery output that may include attacker-controlled
|
||||
// cert subjects via the discovery surface.
|
||||
// -----------------------------------------------------------------------------
|
||||
|
||||
vi.mock('../api/client', () => ({
|
||||
getNetworkScanTargets: vi.fn(),
|
||||
createNetworkScanTarget: vi.fn(),
|
||||
updateNetworkScanTarget: vi.fn(),
|
||||
deleteNetworkScanTarget: vi.fn(),
|
||||
triggerNetworkScan: vi.fn(),
|
||||
}));
|
||||
|
||||
import NetworkScanPage from './NetworkScanPage';
|
||||
import * as client from '../api/client';
|
||||
|
||||
function renderWithQuery(ui: ReactNode) {
|
||||
const qc = new QueryClient({
|
||||
defaultOptions: { queries: { retry: false, gcTime: 0, staleTime: 0 } },
|
||||
});
|
||||
return render(
|
||||
<QueryClientProvider client={qc}>
|
||||
<MemoryRouter>{ui}</MemoryRouter>
|
||||
</QueryClientProvider>,
|
||||
);
|
||||
}
|
||||
|
||||
const xssPayload = '<script data-xss="network-scan">window.__xss_pwned__=1;</script>';
|
||||
|
||||
const xssScanTarget = {
|
||||
id: 'ns-xss-001',
|
||||
name: xssPayload,
|
||||
network_range: xssPayload,
|
||||
ports: '443,8443',
|
||||
agent_id: xssPayload,
|
||||
enabled: true,
|
||||
last_scan_at: new Date().toISOString(),
|
||||
last_scan_status: 'failed',
|
||||
last_scan_message: xssPayload,
|
||||
};
|
||||
|
||||
describe('NetworkScanPage — render + XSS hardening (M-026 / M-029 Pass 3)', () => {
|
||||
beforeEach(() => {
|
||||
vi.clearAllMocks();
|
||||
cleanup();
|
||||
delete (window as unknown as { __xss_pwned__?: number }).__xss_pwned__;
|
||||
});
|
||||
|
||||
it('renders the page header when getNetworkScanTargets resolves', async () => {
|
||||
vi.mocked(client.getNetworkScanTargets).mockResolvedValue({ data: [], total: 0, page: 1, per_page: 50 } as never);
|
||||
renderWithQuery(<NetworkScanPage />);
|
||||
await waitFor(() => {
|
||||
expect(screen.getByText(/Network/i)).toBeInTheDocument();
|
||||
});
|
||||
});
|
||||
|
||||
it('does NOT execute <script> payloads in scan-target fields', async () => {
|
||||
vi.mocked(client.getNetworkScanTargets).mockResolvedValue({
|
||||
data: [xssScanTarget],
|
||||
total: 1,
|
||||
page: 1,
|
||||
per_page: 50,
|
||||
} as never);
|
||||
renderWithQuery(<NetworkScanPage />);
|
||||
await waitFor(() => {
|
||||
expect(document.body.textContent ?? '').toContain('<script data-xss="network-scan">');
|
||||
});
|
||||
|
||||
const liveScripts = document.querySelectorAll('script[data-xss="network-scan"]');
|
||||
expect(liveScripts.length, 'scan-target fields must not inject a live <script>').toBe(0);
|
||||
expect(
|
||||
(window as unknown as { __xss_pwned__?: number }).__xss_pwned__,
|
||||
'scan-target <script> body must not have executed',
|
||||
).toBeUndefined();
|
||||
});
|
||||
});
|
||||
@@ -0,0 +1,81 @@
|
||||
import { describe, it, expect, vi, beforeEach } from 'vitest';
|
||||
import { render, screen, waitFor, cleanup } from '@testing-library/react';
|
||||
import { QueryClient, QueryClientProvider } from '@tanstack/react-query';
|
||||
import { MemoryRouter } from 'react-router-dom';
|
||||
import type { ReactNode } from 'react';
|
||||
|
||||
// -----------------------------------------------------------------------------
|
||||
// M-029 Pass 3 (Audit M-026): ProfilesPage XSS-hardening + render coverage.
|
||||
// Profile name + description are operator-supplied free text.
|
||||
// -----------------------------------------------------------------------------
|
||||
|
||||
vi.mock('../api/client', () => ({
|
||||
getProfiles: vi.fn(),
|
||||
deleteProfile: vi.fn(),
|
||||
createProfile: vi.fn(),
|
||||
updateProfile: vi.fn(),
|
||||
}));
|
||||
|
||||
import ProfilesPage from './ProfilesPage';
|
||||
import * as client from '../api/client';
|
||||
|
||||
function renderWithQuery(ui: ReactNode) {
|
||||
const qc = new QueryClient({
|
||||
defaultOptions: { queries: { retry: false, gcTime: 0, staleTime: 0 } },
|
||||
});
|
||||
return render(
|
||||
<QueryClientProvider client={qc}>
|
||||
<MemoryRouter>{ui}</MemoryRouter>
|
||||
</QueryClientProvider>,
|
||||
);
|
||||
}
|
||||
|
||||
const xssPayload = '<script data-xss="profiles">window.__xss_pwned__=1;</script>';
|
||||
|
||||
const xssProfile = {
|
||||
id: 'cp-xss-001',
|
||||
name: xssPayload,
|
||||
description: xssPayload,
|
||||
max_ttl_seconds: 3600,
|
||||
allow_short_lived: false,
|
||||
ekus: [xssPayload],
|
||||
key_usages: [xssPayload],
|
||||
san_types: [xssPayload],
|
||||
created_at: new Date().toISOString(),
|
||||
};
|
||||
|
||||
describe('ProfilesPage — render + XSS hardening (M-026 / M-029 Pass 3)', () => {
|
||||
beforeEach(() => {
|
||||
vi.clearAllMocks();
|
||||
cleanup();
|
||||
delete (window as unknown as { __xss_pwned__?: number }).__xss_pwned__;
|
||||
});
|
||||
|
||||
it('renders the page header when getProfiles resolves', async () => {
|
||||
vi.mocked(client.getProfiles).mockResolvedValue({ data: [], total: 0, page: 1, per_page: 50 } as never);
|
||||
renderWithQuery(<ProfilesPage />);
|
||||
await waitFor(() => {
|
||||
expect(screen.getByText(/Profile/i)).toBeInTheDocument();
|
||||
});
|
||||
});
|
||||
|
||||
it('does NOT execute <script> payloads in profile name / description / EKUs', async () => {
|
||||
vi.mocked(client.getProfiles).mockResolvedValue({
|
||||
data: [xssProfile],
|
||||
total: 1,
|
||||
page: 1,
|
||||
per_page: 50,
|
||||
} as never);
|
||||
renderWithQuery(<ProfilesPage />);
|
||||
await waitFor(() => {
|
||||
expect(document.body.textContent ?? '').toContain('<script data-xss="profiles">');
|
||||
});
|
||||
|
||||
const liveScripts = document.querySelectorAll('script[data-xss="profiles"]');
|
||||
expect(liveScripts.length, 'profile fields must not inject a live <script>').toBe(0);
|
||||
expect(
|
||||
(window as unknown as { __xss_pwned__?: number }).__xss_pwned__,
|
||||
'profile <script> body must not have executed',
|
||||
).toBeUndefined();
|
||||
});
|
||||
});
|
||||
Reference in New Issue
Block a user