gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-09 23:48:52 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
7ffc213c8fa375573052f9b1ee949a7430ae9ef2
certctl/web/src/pages/AuditPage.test.tsx
T
Shankar 805568b000 M-029 Pass 3 batch A: T-1 page tests for 5 simpler pages — XSS hardening 
Pass 3 of M-029 ships per-page render + XSS-hardening test suites for the

14 T-1-deferred pages. Each test:

  - Renders the page with mock data containing <script> payloads in every

    text-rendering field.

  - Asserts no live <script data-xss='...'> element attached to the DOM.

  - Asserts no global side-effect from the script body executed (window

    __xss_pwned__ stays undefined).

  - Asserts the literal payload text appears as escaped content (proving

    the page surfaces the data without rendering it as HTML).

Batch A: 5 simpler pages (display-only / single-mutation / login).

Test files added:

  - DigestPage.test.tsx           preview HTML payload + render coverage

  - LoginPage.test.tsx            useAuth.error payload + form invariants

                                   (mocked AuthProvider via Layout.test pattern)

  - ShortLivedPage.test.tsx       cert subject DN / SAN / id / environment

                                   payloads through the DataTable rendering

  - AuditPage.test.tsx            audit-event action / actor / resource_*

                                   payloads through the DataTable rendering

  - ObservabilityPage.test.tsx    health.status + Prometheus text payloads

                                   through the <pre> rendering surface

Closes 5 of 14 T-1-deferred pages toward M-029 Pass 3 completion.
2026-04-27 03:03:57 +00:00

105 lines
3.5 KiB
TypeScript
Raw Blame History

import { describe, it, expect, vi, beforeEach } from 'vitest';
import { render, screen, waitFor, cleanup } from '@testing-library/react';
import { QueryClient, QueryClientProvider } from '@tanstack/react-query';
import { MemoryRouter } from 'react-router-dom';
import type { ReactNode } from 'react';
// -----------------------------------------------------------------------------
// M-029 Pass 3 (Audit M-026): AuditPage XSS-hardening + render coverage.
//
// AuditPage renders audit-event rows with action / actor / actor_type /
// resource_type / resource_id / details fields. Audit events are written by
// the server but their detail fields can contain operator-supplied content
// (e.g., reason strings on certificate_revoked events). H-008 / M-022 already
// ship the redactor that scrubs PII + credentials from audit details, but the
// rendering path also has to be XSS-safe in case a non-PII free-text field
// (action, resource_type, etc.) reflects attacker-controllable bytes.
//
// Pins:
// 1. Page renders.
// 2. Audit events containing literal <script> payloads do NOT execute.
// 3. The literal payload text appears as escaped content.
// -----------------------------------------------------------------------------
vi.mock('../api/client', () => ({
getAuditEvents: vi.fn(),
}));
import AuditPage from './AuditPage';
import * as client from '../api/client';
function renderWithQuery(ui: ReactNode) {
const qc = new QueryClient({
defaultOptions: { queries: { retry: false, gcTime: 0, staleTime: 0 } },
});
return render(
<QueryClientProvider client={qc}>
<MemoryRouter>{ui}</MemoryRouter>
</QueryClientProvider>,
);
}
const xssPayload = '<script data-xss="audit">window.__xss_pwned__=1;</script>';
const xssEvent = {
id: 'ae-xss-001',
action: xssPayload,
actor: xssPayload,
actor_type: xssPayload,
resource_type: xssPayload,
resource_id: xssPayload,
details: { note: xssPayload },
timestamp: new Date().toISOString(),
};
describe('AuditPage — render + XSS hardening (M-026 / M-029 Pass 3)', () => {
beforeEach(() => {
vi.clearAllMocks();
cleanup();
delete (window as unknown as { __xss_pwned__?: number }).__xss_pwned__;
});
it('renders the page header when audit events resolve', async () => {
vi.mocked(client.getAuditEvents).mockResolvedValue({ data: [], total: 0, page: 1, per_page: 50 } as never);
renderWithQuery(<AuditPage />);
await waitFor(() => {
expect(screen.getByText(/Audit/)).toBeInTheDocument();
});
});
it('does NOT execute <script> payloads embedded in audit-event fields', async () => {
vi.mocked(client.getAuditEvents).mockResolvedValue({
data: [xssEvent],
total: 1,
page: 1,
per_page: 50,
} as never);
renderWithQuery(<AuditPage />);
await waitFor(() => {
expect(screen.getByText(/Audit/)).toBeInTheDocument();
});
const liveScripts = document.querySelectorAll('script[data-xss="audit"]');
expect(liveScripts.length, 'audit event must not inject a live <script>').toBe(0);
expect(
(window as unknown as { __xss_pwned__?: number }).__xss_pwned__,
'audit event <script> body must not have executed',
).toBeUndefined();
});
it('renders the literal payload as escaped text', async () => {
vi.mocked(client.getAuditEvents).mockResolvedValue({
data: [xssEvent],
total: 1,
page: 1,
per_page: 50,
} as never);
renderWithQuery(<AuditPage />);
await waitFor(() => {
expect(document.body.textContent ?? '').toContain('<script data-xss="audit">');
});
});
});
Reference in New Issue View Git Blame Copy Permalink