mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 17:12:04 +00:00
shankar0123
12adc97381
Second CI run surfaced 8 real failures across 7 detail/list pages and 1
mock-shape error. Root causes:
1. Multi-match disambiguation. screen.getByText(...) matched both the
PageHeader <h2> AND duplicated text in InfoRow / detail-row spans
within the same page (e.g., issuer name appears as page title AND
in the Issuer Details panel; cert.common_name appears as page title
AND in the Common Name InfoRow). The regex variants (getByText(/X/i))
were even worse — matched any element containing the substring.
2. NetworkScanPage mock-shape. xssScanTarget.ports was '443,8443'
(string), but NetworkScanPage.tsx:180 calls t.ports?.join() which
requires a number[] per src/api/types.ts:506. Page errored before
rendering the DataTable, so the XSS test's body.textContent
assertion saw an empty string.
Fixes:
- Every page-title assertion in the 14 Pass 3 test files now uses
screen.getByRole('heading', { level: 2, name: ... }), which matches
ONLY the PageHeader <h2> (PageHeader.tsx:11 renders an actual <h2>).
Detail-row spans / InfoRow text / column-header text in lower-level
headings (h3) is excluded by the level filter.
- NetworkScanPage xssScanTarget.ports changed from '443,8443' (string)
to [443, 8443] (number[]) per the NetworkScanTarget TS type.
Pages with assertion fixes (8 tests across 7 files):
- AgentFleetPage /Agent/i -> 'Agent Fleet Overview' (h2)
- AuditPage /Audit/ -> 'Audit Trail' (h2)
- CertificateDetailPage 'plain.example.com' (text) -> heading h2
- HealthMonitorPage /Health/i -> 'Health Monitor' (h2)
- IssuerDetailPage 'Plain Name' (text) -> heading h2
- JobDetailPage /j-xss-001/ (text) -> heading h2
- JobsPage /Jobs/i -> 'Jobs' (h2)
- ProfilesPage /Profile/i -> 'Certificate Profiles' (h2)
- TargetDetailPage 'Plain Name' (text) -> heading h2
Plus 4 already-correct pages updated for consistency:
- DigestPage text 'Certificate Digest' -> heading h2
- ObservabilityPage text 'Observability' -> heading h2
- NetworkScanPage /Network/i -> 'Network Scanning' (h2)
- ShortLivedPage text 'Short-Lived...' -> heading h2
Mock-shape fix:
- NetworkScanPage.test.tsx ports: '443,8443' -> [443, 8443]
End-to-end audit:
Every Pass 3 test now anchors on the unambiguous PageHeader <h2>;
no remaining getByText() with regex or substring that could spuriously
multi-match. Mock data shapes verified against src/api/types.ts
interfaces (NetworkScanTarget, MetricsResponse, ManagedCertificate).
86 lines
3.2 KiB
TypeScript
86 lines
3.2 KiB
TypeScript
import { describe, it, expect, vi, beforeEach } from 'vitest';
|
|
import { render, screen, waitFor, cleanup } from '@testing-library/react';
|
|
import { QueryClient, QueryClientProvider } from '@tanstack/react-query';
|
|
import { MemoryRouter, Route, Routes } from 'react-router-dom';
|
|
import type { ReactNode } from 'react';
|
|
|
|
// -----------------------------------------------------------------------------
|
|
// M-029 Pass 3 (Audit M-026): TargetDetailPage XSS-hardening + render coverage.
|
|
//
|
|
// TargetDetailPage surfaces the target's name, type, config (operator-supplied
|
|
// host/port/path), and last_test_message (target-side error string from a
|
|
// connection probe). A target that returns an attacker-controlled error
|
|
// payload must not execute as script when rendered.
|
|
// -----------------------------------------------------------------------------
|
|
|
|
vi.mock('../api/client', () => ({
|
|
getTarget: vi.fn(),
|
|
getJobs: vi.fn(),
|
|
updateTarget: vi.fn(),
|
|
testTargetConnection: vi.fn(),
|
|
}));
|
|
|
|
import TargetDetailPage from './TargetDetailPage';
|
|
import * as client from '../api/client';
|
|
|
|
function renderRoute(ui: ReactNode, path = '/targets/t-xss-001') {
|
|
const qc = new QueryClient({
|
|
defaultOptions: { queries: { retry: false, gcTime: 0, staleTime: 0 } },
|
|
});
|
|
return render(
|
|
<QueryClientProvider client={qc}>
|
|
<MemoryRouter initialEntries={[path]}>
|
|
<Routes>
|
|
<Route path="/targets/:id" element={ui} />
|
|
</Routes>
|
|
</MemoryRouter>
|
|
</QueryClientProvider>,
|
|
);
|
|
}
|
|
|
|
const xssPayload = '<script data-xss="target-detail">window.__xss_pwned__=1;</script>';
|
|
|
|
const xssTarget = {
|
|
id: 't-xss-001',
|
|
name: xssPayload,
|
|
type: 'nginx',
|
|
agent_id: 'a-xss',
|
|
config: { host: xssPayload, path: xssPayload },
|
|
last_tested_at: new Date().toISOString(),
|
|
last_test_status: 'failed',
|
|
last_test_message: xssPayload,
|
|
};
|
|
|
|
describe('TargetDetailPage — render + XSS hardening (M-026 / M-029 Pass 3)', () => {
|
|
beforeEach(() => {
|
|
vi.clearAllMocks();
|
|
cleanup();
|
|
delete (window as unknown as { __xss_pwned__?: number }).__xss_pwned__;
|
|
});
|
|
|
|
it('renders the page header when getTarget resolves', async () => {
|
|
vi.mocked(client.getTarget).mockResolvedValue({ ...xssTarget, name: 'Plain Name' } as never);
|
|
vi.mocked(client.getJobs).mockResolvedValue({ data: [], total: 0, page: 1, per_page: 50 } as never);
|
|
renderRoute(<TargetDetailPage />);
|
|
await waitFor(() => {
|
|
expect(screen.getByRole('heading', { level: 2, name: 'Plain Name' })).toBeInTheDocument();
|
|
});
|
|
});
|
|
|
|
it('does NOT execute <script> payloads in name / config / test message', async () => {
|
|
vi.mocked(client.getTarget).mockResolvedValue(xssTarget as never);
|
|
vi.mocked(client.getJobs).mockResolvedValue({ data: [], total: 0, page: 1, per_page: 50 } as never);
|
|
renderRoute(<TargetDetailPage />);
|
|
await waitFor(() => {
|
|
expect(document.body.textContent ?? '').toContain('<script data-xss="target-detail">');
|
|
});
|
|
|
|
const liveScripts = document.querySelectorAll('script[data-xss="target-detail"]');
|
|
expect(liveScripts.length, 'target fields must not inject a live <script>').toBe(0);
|
|
expect(
|
|
(window as unknown as { __xss_pwned__?: number }).__xss_pwned__,
|
|
'target <script> body must not have executed',
|
|
).toBeUndefined();
|
|
});
|
|
});
|