github/TREK
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b8c3d5b3d1398528db7869a47916cd83341b894d
TREK/server/tests/unit/services/notifications.test.ts
jubnl 7b37d337c1 fix(security): address notification system security audit findings 
- SSRF: guard sendWebhook() with checkSsrf() + createPinnedAgent() to block
  requests to loopback, link-local, private network, and cloud metadata endpoints
- XSS: escape subject, body, and ctaHref in buildEmailHtml() via escapeHtml()
  to prevent HTML injection through user-controlled params (actor, preview, etc.)
- Encrypt webhook URLs at rest: apply maybe_encrypt_api_key on save
  (settingsService for user URLs, authService for admin URL) and decrypt_api_key
  on read in getUserWebhookUrl() / getAdminWebhookUrl()
- Log failed channel dispatches: inspect Promise.allSettled() results and log
  rejections via logError instead of silently dropping them
- Log admin webhook failures: replace fire-and-forget .catch(() => {}) with
  .catch(err => logError(...)) and await the call
- Migration 69: guard against missing notification_preferences table on fresh installs
- Migration 70: drop the now-unused notification_preferences table
- Refactor: extract applyUserChannelPrefs() helper to deduplicate
  setPreferences / setAdminPreferences logic
- Tests: add SEC-016 (XSS, 5 cases) and SEC-017 (SSRF, 6 cases) test suites;
  mock ssrfGuard in notificationService tests
2026-04-05 03:36:50 +02:00

320 lines
13 KiB
TypeScript
Raw Blame History

import { describe, it, expect, vi, afterEach, beforeEach } from 'vitest';
vi.mock('../../../src/db/database', () => ({
db: { prepare: () => ({ get: vi.fn(() => undefined), all: vi.fn(() => []) }) },
}));
vi.mock('../../../src/services/apiKeyCrypto', () => ({
decrypt_api_key: vi.fn((v) => v),
maybe_encrypt_api_key: vi.fn((v) => v),
}));
vi.mock('../../../src/services/auditLog', () => ({
logInfo: vi.fn(),
logDebug: vi.fn(),
logError: vi.fn(),
logWarn: vi.fn(),
writeAudit: vi.fn(),
getClientIp: vi.fn(),
}));
vi.mock('nodemailer', () => ({ default: { createTransport: vi.fn(() => ({ sendMail: vi.fn() })) } }));
vi.mock('node-fetch', () => ({ default: vi.fn() }));
// ssrfGuard is mocked per-test in the SSRF describe block; default passes all
vi.mock('../../../src/utils/ssrfGuard', () => ({
checkSsrf: vi.fn(async () => ({ allowed: true, isPrivate: false, resolvedIp: '1.2.3.4' })),
createPinnedAgent: vi.fn(() => ({})),
}));
import { getEventText, buildEmailHtml, buildWebhookBody, sendWebhook } from '../../../src/services/notifications';
import { checkSsrf } from '../../../src/utils/ssrfGuard';
import { logError } from '../../../src/services/auditLog';
afterEach(() => {
vi.unstubAllEnvs();
});
// ── getEventText ─────────────────────────────────────────────────────────────
describe('getEventText', () => {
const params = {
trip: 'Tokyo Adventure',
actor: 'Alice',
invitee: 'Bob',
booking: 'Hotel Sakura',
type: 'hotel',
count: '5',
preview: 'See you there!',
category: 'Clothing',
};
it('returns English title and body for lang=en', () => {
const result = getEventText('en', 'trip_invite', params);
expect(result.title).toBeTruthy();
expect(result.body).toBeTruthy();
expect(result.title).toContain('Tokyo Adventure');
expect(result.body).toContain('Alice');
});
it('returns German text for lang=de', () => {
const result = getEventText('de', 'trip_invite', params);
expect(result.title).toContain('Tokyo Adventure');
// German version uses "Einladung"
expect(result.title).toContain('Einladung');
});
it('falls back to English for unknown language code', () => {
const en = getEventText('en', 'trip_invite', params);
const unknown = getEventText('xx', 'trip_invite', params);
expect(unknown.title).toBe(en.title);
expect(unknown.body).toBe(en.body);
});
it('interpolates params into trip_invite correctly', () => {
const result = getEventText('en', 'trip_invite', params);
expect(result.title).toContain('Tokyo Adventure');
expect(result.body).toContain('Alice');
expect(result.body).toContain('Bob');
});
it('all 7 event types produce non-empty title and body in English', () => {
const events = ['trip_invite', 'booking_change', 'trip_reminder', 'vacay_invite', 'photos_shared', 'collab_message', 'packing_tagged'] as const;
for (const event of events) {
const result = getEventText('en', event, params);
expect(result.title, `title for ${event}`).toBeTruthy();
expect(result.body, `body for ${event}`).toBeTruthy();
}
});
it('all 7 event types produce non-empty title and body in German', () => {
const events = ['trip_invite', 'booking_change', 'trip_reminder', 'vacay_invite', 'photos_shared', 'collab_message', 'packing_tagged'] as const;
for (const event of events) {
const result = getEventText('de', event, params);
expect(result.title, `de title for ${event}`).toBeTruthy();
expect(result.body, `de body for ${event}`).toBeTruthy();
}
});
});
// ── buildWebhookBody ─────────────────────────────────────────────────────────
describe('buildWebhookBody', () => {
const payload = {
event: 'trip_invite',
title: 'Trip Invite',
body: 'Alice invited you',
tripName: 'Tokyo Adventure',
};
it('Discord URL produces embeds array format', () => {
const body = JSON.parse(buildWebhookBody('https://discord.com/api/webhooks/123/abc', payload));
expect(body).toHaveProperty('embeds');
expect(Array.isArray(body.embeds)).toBe(true);
expect(body.embeds[0]).toHaveProperty('title');
expect(body.embeds[0]).toHaveProperty('description', payload.body);
expect(body.embeds[0]).toHaveProperty('color');
expect(body.embeds[0]).toHaveProperty('footer');
expect(body.embeds[0]).toHaveProperty('timestamp');
});
it('Discord embed title is prefixed with compass emoji', () => {
const body = JSON.parse(buildWebhookBody('https://discord.com/api/webhooks/123/abc', payload));
expect(body.embeds[0].title).toContain('📍');
expect(body.embeds[0].title).toContain(payload.title);
});
it('Discord embed footer contains trip name when provided', () => {
const body = JSON.parse(buildWebhookBody('https://discord.com/api/webhooks/123/abc', payload));
expect(body.embeds[0].footer.text).toContain('Tokyo Adventure');
});
it('Discord embed footer defaults to TREK when no trip name', () => {
const noTrip = { ...payload, tripName: undefined };
const body = JSON.parse(buildWebhookBody('https://discord.com/api/webhooks/123/abc', noTrip));
expect(body.embeds[0].footer.text).toBe('TREK');
});
it('discordapp.com URL is also detected as Discord', () => {
const body = JSON.parse(buildWebhookBody('https://discordapp.com/api/webhooks/123/abc', payload));
expect(body).toHaveProperty('embeds');
});
it('Slack URL produces text field format', () => {
const body = JSON.parse(buildWebhookBody('https://hooks.slack.com/services/X/Y/Z', payload));
expect(body).toHaveProperty('text');
expect(body.text).toContain(payload.title);
expect(body.text).toContain(payload.body);
});
it('Slack text includes italic trip name when provided', () => {
const body = JSON.parse(buildWebhookBody('https://hooks.slack.com/services/X/Y/Z', payload));
expect(body.text).toContain('Tokyo Adventure');
});
it('Slack text omits trip name when not provided', () => {
const noTrip = { ...payload, tripName: undefined };
const body = JSON.parse(buildWebhookBody('https://hooks.slack.com/services/X/Y/Z', noTrip));
// Should not contain the trip name string
expect(body.text).not.toContain('Tokyo Adventure');
});
it('generic URL produces plain JSON with original fields plus timestamp and source', () => {
const body = JSON.parse(buildWebhookBody('https://mywebhook.example.com/hook', payload));
expect(body).toHaveProperty('event', payload.event);
expect(body).toHaveProperty('title', payload.title);
expect(body).toHaveProperty('body', payload.body);
expect(body).toHaveProperty('timestamp');
expect(body).toHaveProperty('source', 'TREK');
});
});
// ── buildEmailHtml ────────────────────────────────────────────────────────────
describe('buildEmailHtml', () => {
it('returns a string containing <!DOCTYPE html>', () => {
const html = buildEmailHtml('Test Subject', 'Test body text', 'en');
expect(html).toContain('<!DOCTYPE html>');
});
it('contains the subject text', () => {
const html = buildEmailHtml('My Email Subject', 'Some body', 'en');
expect(html).toContain('My Email Subject');
});
it('contains the body text', () => {
const html = buildEmailHtml('Subject', 'Hello world, this is the body!', 'en');
expect(html).toContain('Hello world, this is the body!');
});
it('uses English i18n strings for lang=en', () => {
const html = buildEmailHtml('Subject', 'Body', 'en');
expect(html).toContain('notifications enabled in TREK');
});
it('uses German i18n strings for lang=de', () => {
const html = buildEmailHtml('Subject', 'Body', 'de');
expect(html).toContain('TREK aktiviert');
});
it('falls back to English i18n for unknown language', () => {
const en = buildEmailHtml('Subject', 'Body', 'en');
const unknown = buildEmailHtml('Subject', 'Body', 'xx');
// Both should have the same footer text
expect(unknown).toContain('notifications enabled in TREK');
});
});
// ── SEC: XSS escaping in buildEmailHtml ──────────────────────────────────────
describe('buildEmailHtml XSS prevention (SEC-016)', () => {
it('escapes HTML special characters in subject', () => {
const html = buildEmailHtml('<script>alert(1)</script>', 'Body', 'en');
expect(html).not.toContain('<script>');
expect(html).toContain('&lt;script&gt;');
});
it('escapes HTML special characters in body', () => {
const html = buildEmailHtml('Subject', '<img src=x onerror=alert(1)>', 'en');
expect(html).toContain('&lt;img');
expect(html).not.toContain('<img src=x');
});
it('escapes double quotes in subject to prevent attribute injection', () => {
const html = buildEmailHtml('He said "hello"', 'Body', 'en');
expect(html).toContain('&quot;');
expect(html).not.toContain('"hello"');
});
it('escapes ampersands in body', () => {
const html = buildEmailHtml('Subject', 'a & b', 'en');
expect(html).toContain('&amp;');
expect(html).not.toMatch(/>[^<]*a & b[^<]*</);
});
it('escapes user-controlled actor and preview in collab_message body', () => {
const { body } = getEventText('en', 'collab_message', {
trip: 'MyTrip',
actor: '<evil>',
preview: '<script>xss()</script>',
});
const html = buildEmailHtml('Subject', body, 'en');
expect(html).not.toContain('<evil>');
expect(html).not.toContain('<script>');
expect(html).toContain('&lt;evil&gt;');
expect(html).toContain('&lt;script&gt;');
});
});
// ── SEC: SSRF protection in sendWebhook ──────────────────────────────────────
describe('sendWebhook SSRF protection (SEC-017)', () => {
const payload = { event: 'test', title: 'T', body: 'B' };
beforeEach(() => {
vi.mocked(logError).mockClear();
});
it('allows a public URL and calls fetch', async () => {
const mockFetch = (await import('node-fetch')).default as unknown as ReturnType<typeof vi.fn>;
mockFetch.mockResolvedValueOnce({ ok: true, text: async () => '' } as never);
vi.mocked(checkSsrf).mockResolvedValueOnce({ allowed: true, isPrivate: false, resolvedIp: '1.2.3.4' });
const result = await sendWebhook('https://example.com/hook', payload);
expect(result).toBe(true);
expect(mockFetch).toHaveBeenCalled();
});
it('blocks loopback address and returns false', async () => {
vi.mocked(checkSsrf).mockResolvedValueOnce({
allowed: false, isPrivate: true, resolvedIp: '127.0.0.1',
error: 'Requests to loopback and link-local addresses are not allowed',
});
const result = await sendWebhook('http://localhost/secret', payload);
expect(result).toBe(false);
expect(vi.mocked(logError)).toHaveBeenCalledWith(expect.stringContaining('SSRF'));
});
it('blocks cloud metadata endpoint (169.254.169.254) and returns false', async () => {
vi.mocked(checkSsrf).mockResolvedValueOnce({
allowed: false, isPrivate: true, resolvedIp: '169.254.169.254',
error: 'Requests to loopback and link-local addresses are not allowed',
});
const result = await sendWebhook('http://169.254.169.254/latest/meta-data', payload);
expect(result).toBe(false);
expect(vi.mocked(logError)).toHaveBeenCalledWith(expect.stringContaining('SSRF'));
});
it('blocks private network addresses and returns false', async () => {
vi.mocked(checkSsrf).mockResolvedValueOnce({
allowed: false, isPrivate: true, resolvedIp: '192.168.1.1',
error: 'Requests to private/internal network addresses are not allowed',
});
const result = await sendWebhook('http://192.168.1.1/hook', payload);
expect(result).toBe(false);
expect(vi.mocked(logError)).toHaveBeenCalledWith(expect.stringContaining('SSRF'));
});
it('blocks non-HTTP protocols', async () => {
vi.mocked(checkSsrf).mockResolvedValueOnce({
allowed: false, isPrivate: false,
error: 'Only HTTP and HTTPS URLs are allowed',
});
const result = await sendWebhook('file:///etc/passwd', payload);
expect(result).toBe(false);
});
it('does not call fetch when SSRF check blocks the URL', async () => {
const mockFetch = (await import('node-fetch')).default as unknown as ReturnType<typeof vi.fn>;
mockFetch.mockClear();
vi.mocked(checkSsrf).mockResolvedValueOnce({
allowed: false, isPrivate: true, resolvedIp: '127.0.0.1',
error: 'blocked',
});
await sendWebhook('http://localhost/secret', payload);
expect(mockFetch).not.toHaveBeenCalled();
});
});
Reference in New Issue View Git Blame Copy Permalink