gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 22:21:30 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge fix/M-029-pass3-batch-c (FINAL): Pass 3 complete; M-029 ready to close

Browse Source
This commit is contained in:
Shankar
2026-04-27 03:08:18 +00:00
parent ffeb192f7f 19fd938a6c
commit cdc56f0e80
5 changed files with 401 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
web/src/pages/AgentFleetPage.test.tsx
+80
View File
@@ -0,0 +1,80 @@
import { describe, it, expect, vi, beforeEach } from 'vitest';
import { render, screen, waitFor, cleanup } from '@testing-library/react';
import { QueryClient, QueryClientProvider } from '@tanstack/react-query';
import { MemoryRouter } from 'react-router-dom';
import type { ReactNode } from 'react';
// -----------------------------------------------------------------------------
// M-029 Pass 3 (Audit M-026): AgentFleetPage XSS-hardening + render coverage.
// Agent name / hostname / OS / arch / IP are agent-self-reported (M-003 in
// the MCP fence path); the GUI rendering must also be XSS-safe.
// -----------------------------------------------------------------------------
vi.mock('../api/client', () => ({
getAgents: vi.fn(),
}));
import AgentFleetPage from './AgentFleetPage';
import * as client from '../api/client';
function renderWithQuery(ui: ReactNode) {
const qc = new QueryClient({
defaultOptions: { queries: { retry: false, gcTime: 0, staleTime: 0 } },
});
return render(
<QueryClientProvider client={qc}>
<MemoryRouter>{ui}</MemoryRouter>
</QueryClientProvider>,
);
}
const xssPayload = '<script data-xss="agent-fleet">window.__xss_pwned__=1;</script>';
const xssAgent = {
id: 'a-xss-001',
name: xssPayload,
hostname: xssPayload,
os: xssPayload,
architecture: xssPayload,
ip_address: xssPayload,
version: xssPayload,
status: 'online',
last_heartbeat_at: new Date().toISOString(),
agent_group_id: 'ag-xss',
};
describe('AgentFleetPage — render + XSS hardening (M-026 / M-029 Pass 3)', () => {
beforeEach(() => {
vi.clearAllMocks();
cleanup();
delete (window as unknown as { __xss_pwned__?: number }).__xss_pwned__;
});
it('renders the page header when getAgents resolves', async () => {
vi.mocked(client.getAgents).mockResolvedValue({ data: [], total: 0, page: 1, per_page: 50 } as never);
renderWithQuery(<AgentFleetPage />);
await waitFor(() => {
expect(screen.getByText(/Agent/i)).toBeInTheDocument();
});
});
it('does NOT execute <script> payloads in agent name / hostname / OS / arch / ip', async () => {
vi.mocked(client.getAgents).mockResolvedValue({
data: [xssAgent],
total: 1,
page: 1,
per_page: 50,
} as never);
renderWithQuery(<AgentFleetPage />);
await waitFor(() => {
expect(document.body.textContent ?? '').toContain('<script data-xss="agent-fleet">');
});
const liveScripts = document.querySelectorAll('script[data-xss="agent-fleet"]');
expect(liveScripts.length, 'agent fields must not inject a live <script>').toBe(0);
expect(
(window as unknown as { __xss_pwned__?: number }).__xss_pwned__,
'agent <script> body must not have executed',
).toBeUndefined();
});
});
web/src/pages/HealthMonitorPage.test.tsx
+81
View File
@@ -0,0 +1,81 @@
import { describe, it, expect, vi, beforeEach } from 'vitest';
import { render, screen, waitFor, cleanup } from '@testing-library/react';
import { QueryClient, QueryClientProvider } from '@tanstack/react-query';
import { MemoryRouter } from 'react-router-dom';
import type { ReactNode } from 'react';
// -----------------------------------------------------------------------------
// M-029 Pass 3 (Audit M-026): HealthMonitorPage XSS-hardening + render
// coverage. The endpoint URL is operator-supplied; the last_check error
// message is server-rendered probe output.
// -----------------------------------------------------------------------------
vi.mock('../api/client', () => ({
listHealthChecks: vi.fn(),
createHealthCheck: vi.fn(),
deleteHealthCheck: vi.fn(),
acknowledgeHealthCheck: vi.fn(),
getHealthCheckSummary: vi.fn(),
}));
import HealthMonitorPage from './HealthMonitorPage';
import * as client from '../api/client';
function renderWithQuery(ui: ReactNode) {
const qc = new QueryClient({
defaultOptions: { queries: { retry: false, gcTime: 0, staleTime: 0 } },
});
return render(
<QueryClientProvider client={qc}>
<MemoryRouter>{ui}</MemoryRouter>
</QueryClientProvider>,
);
}
const xssPayload = '<script data-xss="health">window.__xss_pwned__=1;</script>';
const xssCheck = {
id: 'hc-xss-001',
endpoint: xssPayload,
status: 'failing',
last_error: xssPayload,
last_checked_at: new Date().toISOString(),
acknowledged: false,
};
describe('HealthMonitorPage — render + XSS hardening (M-026 / M-029 Pass 3)', () => {
beforeEach(() => {
vi.clearAllMocks();
cleanup();
delete (window as unknown as { __xss_pwned__?: number }).__xss_pwned__;
vi.mocked(client.getHealthCheckSummary).mockResolvedValue({ total: 0, failing: 0, ok: 0 } as never);
});
it('renders the page header when listHealthChecks resolves', async () => {
vi.mocked(client.listHealthChecks).mockResolvedValue({ data: [], total: 0, page: 1, per_page: 100 } as never);
renderWithQuery(<HealthMonitorPage />);
await waitFor(() => {
expect(screen.getByText(/Health/i)).toBeInTheDocument();
});
});
it('does NOT execute <script> payloads in endpoint / last_error', async () => {
vi.mocked(client.listHealthChecks).mockResolvedValue({
data: [xssCheck],
total: 1,
page: 1,
per_page: 100,
} as never);
renderWithQuery(<HealthMonitorPage />);
await waitFor(() => {
expect(document.body.textContent ?? '').toContain('<script data-xss="health">');
});
const liveScripts = document.querySelectorAll('script[data-xss="health"]');
expect(liveScripts.length, 'health-check fields must not inject a live <script>').toBe(0);
expect(
(window as unknown as { __xss_pwned__?: number }).__xss_pwned__,
'health-check <script> body must not have executed',
).toBeUndefined();
});
});
web/src/pages/JobsPage.test.tsx
+75
View File
@@ -0,0 +1,75 @@
import { describe, it, expect, vi, beforeEach } from 'vitest';
import { render, screen, waitFor, cleanup } from '@testing-library/react';
import { QueryClient, QueryClientProvider } from '@tanstack/react-query';
import { MemoryRouter } from 'react-router-dom';
import type { ReactNode } from 'react';
// -----------------------------------------------------------------------------
// M-029 Pass 3 (Audit M-026): JobsPage XSS-hardening + render coverage.
// Job error_message is upstream-CA / target-side text — operator-controllable.
// -----------------------------------------------------------------------------
vi.mock('../api/client', () => ({
getJobs: vi.fn(),
cancelJob: vi.fn(),
approveRenewal: vi.fn(),
rejectRenewal: vi.fn(),
}));
import JobsPage from './JobsPage';
import * as client from '../api/client';
function renderWithQuery(ui: ReactNode) {
const qc = new QueryClient({
defaultOptions: { queries: { retry: false, gcTime: 0, staleTime: 0 } },
});
return render(
<QueryClientProvider client={qc}>
<MemoryRouter>{ui}</MemoryRouter>
</QueryClientProvider>,
);
}
const xssPayload = '<script data-xss="jobs">window.__xss_pwned__=1;</script>';
const xssJob = {
id: 'j-xss-001',
type: xssPayload,
status: 'Failed',
certificate_id: xssPayload,
agent_id: xssPayload,
error_message: xssPayload,
created_at: new Date().toISOString(),
updated_at: new Date().toISOString(),
};
describe('JobsPage — render + XSS hardening (M-026 / M-029 Pass 3)', () => {
beforeEach(() => {
vi.clearAllMocks();
cleanup();
delete (window as unknown as { __xss_pwned__?: number }).__xss_pwned__;
});
it('renders the page header when getJobs resolves', async () => {
vi.mocked(client.getJobs).mockResolvedValue({ data: [], total: 0, page: 1, per_page: 50 } as never);
renderWithQuery(<JobsPage />);
await waitFor(() => {
expect(screen.getByText(/Jobs/i)).toBeInTheDocument();
});
});
it('does NOT execute <script> payloads in job fields', async () => {
vi.mocked(client.getJobs).mockResolvedValue({ data: [xssJob], total: 1, page: 1, per_page: 50 } as never);
renderWithQuery(<JobsPage />);
await waitFor(() => {
expect(document.body.textContent ?? '').toContain('<script data-xss="jobs">');
});
const liveScripts = document.querySelectorAll('script[data-xss="jobs"]');
expect(liveScripts.length, 'job fields must not inject a live <script>').toBe(0);
expect(
(window as unknown as { __xss_pwned__?: number }).__xss_pwned__,
'job <script> body must not have executed',
).toBeUndefined();
});
});
web/src/pages/NetworkScanPage.test.tsx
+84
View File
@@ -0,0 +1,84 @@
import { describe, it, expect, vi, beforeEach } from 'vitest';
import { render, screen, waitFor, cleanup } from '@testing-library/react';
import { QueryClient, QueryClientProvider } from '@tanstack/react-query';
import { MemoryRouter } from 'react-router-dom';
import type { ReactNode } from 'react';
// -----------------------------------------------------------------------------
// M-029 Pass 3 (Audit M-026): NetworkScanPage XSS-hardening + render coverage.
// Scan targets are operator-supplied CIDR / hostname strings; scan results
// are server-side discovery output that may include attacker-controlled
// cert subjects via the discovery surface.
// -----------------------------------------------------------------------------
vi.mock('../api/client', () => ({
getNetworkScanTargets: vi.fn(),
createNetworkScanTarget: vi.fn(),
updateNetworkScanTarget: vi.fn(),
deleteNetworkScanTarget: vi.fn(),
triggerNetworkScan: vi.fn(),
}));
import NetworkScanPage from './NetworkScanPage';
import * as client from '../api/client';
function renderWithQuery(ui: ReactNode) {
const qc = new QueryClient({
defaultOptions: { queries: { retry: false, gcTime: 0, staleTime: 0 } },
});
return render(
<QueryClientProvider client={qc}>
<MemoryRouter>{ui}</MemoryRouter>
</QueryClientProvider>,
);
}
const xssPayload = '<script data-xss="network-scan">window.__xss_pwned__=1;</script>';
const xssScanTarget = {
id: 'ns-xss-001',
name: xssPayload,
network_range: xssPayload,
ports: '443,8443',
agent_id: xssPayload,
enabled: true,
last_scan_at: new Date().toISOString(),
last_scan_status: 'failed',
last_scan_message: xssPayload,
};
describe('NetworkScanPage — render + XSS hardening (M-026 / M-029 Pass 3)', () => {
beforeEach(() => {
vi.clearAllMocks();
cleanup();
delete (window as unknown as { __xss_pwned__?: number }).__xss_pwned__;
});
it('renders the page header when getNetworkScanTargets resolves', async () => {
vi.mocked(client.getNetworkScanTargets).mockResolvedValue({ data: [], total: 0, page: 1, per_page: 50 } as never);
renderWithQuery(<NetworkScanPage />);
await waitFor(() => {
expect(screen.getByText(/Network/i)).toBeInTheDocument();
});
});
it('does NOT execute <script> payloads in scan-target fields', async () => {
vi.mocked(client.getNetworkScanTargets).mockResolvedValue({
data: [xssScanTarget],
total: 1,
page: 1,
per_page: 50,
} as never);
renderWithQuery(<NetworkScanPage />);
await waitFor(() => {
expect(document.body.textContent ?? '').toContain('<script data-xss="network-scan">');
});
const liveScripts = document.querySelectorAll('script[data-xss="network-scan"]');
expect(liveScripts.length, 'scan-target fields must not inject a live <script>').toBe(0);
expect(
(window as unknown as { __xss_pwned__?: number }).__xss_pwned__,
'scan-target <script> body must not have executed',
).toBeUndefined();
});
});
web/src/pages/ProfilesPage.test.tsx
+81
View File
@@ -0,0 +1,81 @@
import { describe, it, expect, vi, beforeEach } from 'vitest';
import { render, screen, waitFor, cleanup } from '@testing-library/react';
import { QueryClient, QueryClientProvider } from '@tanstack/react-query';
import { MemoryRouter } from 'react-router-dom';
import type { ReactNode } from 'react';
// -----------------------------------------------------------------------------
// M-029 Pass 3 (Audit M-026): ProfilesPage XSS-hardening + render coverage.
// Profile name + description are operator-supplied free text.
// -----------------------------------------------------------------------------
vi.mock('../api/client', () => ({
getProfiles: vi.fn(),
deleteProfile: vi.fn(),
createProfile: vi.fn(),
updateProfile: vi.fn(),
}));
import ProfilesPage from './ProfilesPage';
import * as client from '../api/client';
function renderWithQuery(ui: ReactNode) {
const qc = new QueryClient({
defaultOptions: { queries: { retry: false, gcTime: 0, staleTime: 0 } },
});
return render(
<QueryClientProvider client={qc}>
<MemoryRouter>{ui}</MemoryRouter>
</QueryClientProvider>,
);
}
const xssPayload = '<script data-xss="profiles">window.__xss_pwned__=1;</script>';
const xssProfile = {
id: 'cp-xss-001',
name: xssPayload,
description: xssPayload,
max_ttl_seconds: 3600,
allow_short_lived: false,
ekus: [xssPayload],
key_usages: [xssPayload],
san_types: [xssPayload],
created_at: new Date().toISOString(),
};
describe('ProfilesPage — render + XSS hardening (M-026 / M-029 Pass 3)', () => {
beforeEach(() => {
vi.clearAllMocks();
cleanup();
delete (window as unknown as { __xss_pwned__?: number }).__xss_pwned__;
});
it('renders the page header when getProfiles resolves', async () => {
vi.mocked(client.getProfiles).mockResolvedValue({ data: [], total: 0, page: 1, per_page: 50 } as never);
renderWithQuery(<ProfilesPage />);
await waitFor(() => {
expect(screen.getByText(/Profile/i)).toBeInTheDocument();
});
});
it('does NOT execute <script> payloads in profile name / description / EKUs', async () => {
vi.mocked(client.getProfiles).mockResolvedValue({
data: [xssProfile],
total: 1,
page: 1,
per_page: 50,
} as never);
renderWithQuery(<ProfilesPage />);
await waitFor(() => {
expect(document.body.textContent ?? '').toContain('<script data-xss="profiles">');
});
const liveScripts = document.querySelectorAll('script[data-xss="profiles"]');
expect(liveScripts.length, 'profile fields must not inject a live <script>').toBe(0);
expect(
(window as unknown as { __xss_pwned__?: number }).__xss_pwned__,
'profile <script> body must not have executed',
).toBeUndefined();
});
});