gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-10 00:08:56 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
7ffc213c8fa375573052f9b1ee949a7430ae9ef2
certctl/web/src/pages/LoginPage.test.tsx
T
Shankar 805568b000 M-029 Pass 3 batch A: T-1 page tests for 5 simpler pages — XSS hardening 
Pass 3 of M-029 ships per-page render + XSS-hardening test suites for the

14 T-1-deferred pages. Each test:

  - Renders the page with mock data containing <script> payloads in every

    text-rendering field.

  - Asserts no live <script data-xss='...'> element attached to the DOM.

  - Asserts no global side-effect from the script body executed (window

    __xss_pwned__ stays undefined).

  - Asserts the literal payload text appears as escaped content (proving

    the page surfaces the data without rendering it as HTML).

Batch A: 5 simpler pages (display-only / single-mutation / login).

Test files added:

  - DigestPage.test.tsx           preview HTML payload + render coverage

  - LoginPage.test.tsx            useAuth.error payload + form invariants

                                   (mocked AuthProvider via Layout.test pattern)

  - ShortLivedPage.test.tsx       cert subject DN / SAN / id / environment

                                   payloads through the DataTable rendering

  - AuditPage.test.tsx            audit-event action / actor / resource_*

                                   payloads through the DataTable rendering

  - ObservabilityPage.test.tsx    health.status + Prometheus text payloads

                                   through the <pre> rendering surface

Closes 5 of 14 T-1-deferred pages toward M-029 Pass 3 completion.
2026-04-27 03:03:57 +00:00

96 lines
3.6 KiB
TypeScript
Raw Blame History

import { describe, it, expect, vi, beforeEach } from 'vitest';
import { render, screen, fireEvent, cleanup, waitFor } from '@testing-library/react';
import { MemoryRouter } from 'react-router-dom';
import type { ReactNode } from 'react';
// -----------------------------------------------------------------------------
// M-029 Pass 3 (Audit M-026): LoginPage XSS-hardening + render coverage.
//
// LoginPage surfaces an error from useAuth().error verbatim into the login
// form. A backend that round-trips the user-supplied API key into an error
// message ("invalid API key XYZ123 ...") would let an attacker deliver an
// XSS payload by trying to log in with `<script>...</script>` as the key.
// React's JSX text-interpolation escapes by default, so the payload should
// render as literal text with no script execution; this test pins that
// invariant against future refactors that might switch to
// dangerouslySetInnerHTML or v-html-style rendering.
//
// Pins:
// 1. The login form renders.
// 2. An auth error containing a literal <script> tag does NOT execute.
// 3. The literal payload text appears as escaped content.
// -----------------------------------------------------------------------------
const xssError = '<script data-xss="login-error">window.__xss_pwned__=1;</script>';
let mockError: string | null = null;
vi.mock('../components/AuthProvider', () => ({
useAuth: () => ({
loading: false,
authRequired: true,
authenticated: false,
authType: 'api-key',
user: '',
admin: false,
login: vi.fn(),
logout: vi.fn(),
error: mockError,
}),
}));
import LoginPage from './LoginPage';
function renderWithRouter(ui: ReactNode) {
return render(<MemoryRouter>{ui}</MemoryRouter>);
}
describe('LoginPage — render + XSS hardening (M-026 / M-029 Pass 3)', () => {
beforeEach(() => {
vi.clearAllMocks();
cleanup();
mockError = null;
delete (window as unknown as { __xss_pwned__?: number }).__xss_pwned__;
});
it('renders the login form', () => {
renderWithRouter(<LoginPage />);
expect(screen.getByLabelText('API Key')).toBeInTheDocument();
expect(screen.getByRole('button', { name: /Sign In/i })).toBeInTheDocument();
});
it('does NOT execute a <script> payload surfaced via auth error', () => {
mockError = xssError;
renderWithRouter(<LoginPage />);
const liveScripts = document.querySelectorAll('script[data-xss="login-error"]');
expect(liveScripts.length, 'auth error must not inject a live <script>').toBe(0);
expect(
(window as unknown as { __xss_pwned__?: number }).__xss_pwned__,
'auth error <script> body must not have executed',
).toBeUndefined();
});
it('renders the literal error payload as escaped text', () => {
mockError = xssError;
renderWithRouter(<LoginPage />);
// React text-interpolation escapes the payload. The literal "<script"
// substring shows up in the document text content.
expect(document.body.textContent ?? '').toContain('<script data-xss="login-error">');
});
it('does not submit when the key field is empty', () => {
renderWithRouter(<LoginPage />);
const submit = screen.getByRole('button', { name: /Sign In/i });
expect(submit).toBeDisabled();
});
it('shows literal-text submit-disabled state when key is whitespace-only', async () => {
renderWithRouter(<LoginPage />);
const input = screen.getByLabelText('API Key') as HTMLInputElement;
fireEvent.change(input, { target: { value: ' ' } });
await waitFor(() => {
expect(screen.getByRole('button', { name: /Sign In/i })).toBeDisabled();
});
});
});
Reference in New Issue View Git Blame Copy Permalink