2025-05-29 13:35:36 +00:00
|
|
|
import { tap, expect } from '@git.zone/tstest/tapbundle';
|
2025-05-26 04:04:51 +00:00
|
|
|
import * as plugins from '../plugins.js';
|
2025-05-29 13:35:36 +00:00
|
|
|
import { EInvoice, PDFExtractor } from '../../../ts/index.js';
|
2025-05-26 04:04:51 +00:00
|
|
|
import { PerformanceTracker } from '../performance.tracker.js';
|
|
|
|
|
import * as path from 'path';
|
2025-05-29 13:35:36 +00:00
|
|
|
import * as fs from 'fs';
|
2025-05-26 04:04:51 +00:00
|
|
|
|
|
|
|
|
const performanceTracker = new PerformanceTracker('SEC-05: Path Traversal Prevention');
|
|
|
|
|
|
2025-05-29 13:35:36 +00:00
|
|
|
tap.test('SEC-05: Path Traversal Prevention - should prevent directory traversal attacks', async () => {
|
|
|
|
|
// Test 1: Path traversal in XML attachment references
|
|
|
|
|
const xmlPathTraversal = await performanceTracker.measureAsync(
|
|
|
|
|
'xml-path-traversal-prevention',
|
2025-05-26 04:04:51 +00:00
|
|
|
async () => {
|
|
|
|
|
const traversalPaths = [
|
|
|
|
|
'../../../etc/passwd',
|
|
|
|
|
'..\\..\\..\\windows\\system32\\config\\sam',
|
|
|
|
|
'../../../../../../../../etc/shadow',
|
|
|
|
|
'./../.../.././../etc/hosts',
|
|
|
|
|
'..%2F..%2F..%2Fetc%2Fpasswd',
|
2025-05-29 13:35:36 +00:00
|
|
|
'file:///etc/passwd',
|
|
|
|
|
'file://C:\\Windows\\System32\\drivers\\etc\\hosts'
|
2025-05-26 04:04:51 +00:00
|
|
|
];
|
|
|
|
|
|
|
|
|
|
const results = [];
|
|
|
|
|
|
|
|
|
|
for (const maliciousPath of traversalPaths) {
|
2025-05-29 13:35:36 +00:00
|
|
|
// Test path traversal in attachment references
|
|
|
|
|
const xml = `<?xml version="1.0" encoding="UTF-8"?>
|
|
|
|
|
<Invoice xmlns="urn:oasis:names:specification:ubl:schema:xsd:Invoice-2">
|
|
|
|
|
<ID>TEST-001</ID>
|
|
|
|
|
<AdditionalDocumentReference>
|
|
|
|
|
<ID>1</ID>
|
|
|
|
|
<Attachment>
|
|
|
|
|
<ExternalReference>
|
|
|
|
|
<URI>${maliciousPath}</URI>
|
|
|
|
|
</ExternalReference>
|
|
|
|
|
<EmbeddedDocumentBinaryObject filename="${maliciousPath}">
|
|
|
|
|
VGVzdCBkYXRh
|
|
|
|
|
</EmbeddedDocumentBinaryObject>
|
|
|
|
|
</Attachment>
|
|
|
|
|
</AdditionalDocumentReference>
|
|
|
|
|
</Invoice>`;
|
|
|
|
|
|
2025-05-26 04:04:51 +00:00
|
|
|
try {
|
2025-05-29 13:35:36 +00:00
|
|
|
const invoice = await EInvoice.fromXml(xml);
|
2025-05-26 04:04:51 +00:00
|
|
|
|
2025-05-29 13:35:36 +00:00
|
|
|
// If parsing succeeds, the paths are just treated as data
|
2025-05-26 04:04:51 +00:00
|
|
|
results.push({
|
|
|
|
|
path: maliciousPath,
|
2025-05-29 13:35:36 +00:00
|
|
|
parsed: true,
|
|
|
|
|
// The library should not interpret these as actual file paths
|
|
|
|
|
safe: true
|
2025-05-26 04:04:51 +00:00
|
|
|
});
|
|
|
|
|
} catch (error) {
|
|
|
|
|
results.push({
|
|
|
|
|
path: maliciousPath,
|
2025-05-29 13:35:36 +00:00
|
|
|
parsed: false,
|
2025-05-26 04:04:51 +00:00
|
|
|
error: error.message
|
|
|
|
|
});
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return results;
|
|
|
|
|
}
|
|
|
|
|
);
|
|
|
|
|
|
2025-05-29 13:35:36 +00:00
|
|
|
console.log('XML path traversal results:', xmlPathTraversal);
|
|
|
|
|
xmlPathTraversal.forEach(result => {
|
|
|
|
|
// Path strings in XML should be treated as data, not file paths
|
|
|
|
|
expect(result.parsed !== undefined).toEqual(true);
|
2025-05-26 04:04:51 +00:00
|
|
|
});
|
|
|
|
|
|
|
|
|
|
// Test 2: Unicode and encoding bypass attempts
|
|
|
|
|
const encodingBypass = await performanceTracker.measureAsync(
|
|
|
|
|
'encoding-bypass-attempts',
|
|
|
|
|
async () => {
|
|
|
|
|
const encodedPaths = [
|
|
|
|
|
'..%c0%af..%c0%afetc%c0%afpasswd', // Overlong UTF-8
|
|
|
|
|
'..%25c0%25af..%25c0%25afetc%25c0%25afpasswd', // Double encoding
|
|
|
|
|
'..%c1%9c..%c1%9cetc%c1%9cpasswd', // Invalid UTF-8
|
|
|
|
|
'\u002e\u002e/\u002e\u002e/etc/passwd', // Unicode dots
|
|
|
|
|
'..%u002f..%u002fetc%u002fpasswd', // IIS Unicode
|
|
|
|
|
'..%255c..%255c..%255cwindows%255csystem32' // Double encoded backslash
|
|
|
|
|
];
|
|
|
|
|
|
|
|
|
|
const results = [];
|
|
|
|
|
|
|
|
|
|
for (const encodedPath of encodedPaths) {
|
2025-05-29 13:35:36 +00:00
|
|
|
const xml = `<?xml version="1.0" encoding="UTF-8"?>
|
|
|
|
|
<Invoice xmlns="urn:oasis:names:specification:ubl:schema:xsd:Invoice-2">
|
|
|
|
|
<ID>TEST-002</ID>
|
|
|
|
|
<Note>${encodedPath}</Note>
|
|
|
|
|
<PaymentMeans>
|
|
|
|
|
<PaymentMeansCode>${encodedPath}</PaymentMeansCode>
|
|
|
|
|
</PaymentMeans>
|
|
|
|
|
</Invoice>`;
|
|
|
|
|
|
2025-05-26 04:04:51 +00:00
|
|
|
try {
|
2025-05-29 13:35:36 +00:00
|
|
|
const invoice = await EInvoice.fromXml(xml);
|
2025-05-26 04:04:51 +00:00
|
|
|
results.push({
|
|
|
|
|
original: encodedPath,
|
2025-05-29 13:35:36 +00:00
|
|
|
parsed: true,
|
|
|
|
|
safe: true
|
2025-05-26 04:04:51 +00:00
|
|
|
});
|
|
|
|
|
} catch (error) {
|
|
|
|
|
results.push({
|
|
|
|
|
original: encodedPath,
|
2025-05-29 13:35:36 +00:00
|
|
|
parsed: false,
|
2025-05-26 04:04:51 +00:00
|
|
|
error: error.message
|
|
|
|
|
});
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return results;
|
|
|
|
|
}
|
|
|
|
|
);
|
|
|
|
|
|
2025-05-29 13:35:36 +00:00
|
|
|
console.log('Encoding bypass results:', encodingBypass);
|
2025-05-26 04:04:51 +00:00
|
|
|
encodingBypass.forEach(result => {
|
2025-05-29 13:35:36 +00:00
|
|
|
expect(result.parsed !== undefined).toEqual(true);
|
2025-05-26 04:04:51 +00:00
|
|
|
});
|
|
|
|
|
|
2025-05-29 13:35:36 +00:00
|
|
|
// Test 3: Path traversal in PDF metadata
|
|
|
|
|
const pdfPathTraversal = await performanceTracker.measureAsync(
|
|
|
|
|
'pdf-path-traversal-prevention',
|
2025-05-26 04:04:51 +00:00
|
|
|
async () => {
|
|
|
|
|
const results = [];
|
|
|
|
|
|
2025-05-29 13:35:36 +00:00
|
|
|
// Create a mock PDF with path traversal attempts in metadata
|
|
|
|
|
const traversalPaths = [
|
|
|
|
|
'../../../sensitive/data.xml',
|
|
|
|
|
'..\\..\\..\\config\\secret.xml',
|
|
|
|
|
'file:///etc/invoice.xml'
|
2025-05-26 04:04:51 +00:00
|
|
|
];
|
|
|
|
|
|
2025-05-29 13:35:36 +00:00
|
|
|
for (const maliciousPath of traversalPaths) {
|
|
|
|
|
// Mock PDF with embedded file reference
|
|
|
|
|
const pdfContent = Buffer.from(`%PDF-1.4
|
|
|
|
|
1 0 obj
|
|
|
|
|
<</Type /Catalog /Names <</EmbeddedFiles <</Names [(${maliciousPath}) 2 0 R]>>>>>>
|
|
|
|
|
endobj
|
|
|
|
|
2 0 obj
|
|
|
|
|
<</Type /Filespec /F (${maliciousPath}) /EF <</F 3 0 R>>>>
|
|
|
|
|
endobj
|
|
|
|
|
3 0 obj
|
|
|
|
|
<</Length 4>>
|
|
|
|
|
stream
|
|
|
|
|
test
|
|
|
|
|
endstream
|
|
|
|
|
endobj
|
|
|
|
|
xref
|
|
|
|
|
0 4
|
|
|
|
|
0000000000 65535 f
|
|
|
|
|
0000000015 00000 n
|
|
|
|
|
0000000100 00000 n
|
|
|
|
|
0000000200 00000 n
|
|
|
|
|
trailer
|
|
|
|
|
<</Size 4 /Root 1 0 R>>
|
|
|
|
|
startxref
|
|
|
|
|
300
|
|
|
|
|
%%EOF`);
|
|
|
|
|
|
2025-05-26 04:04:51 +00:00
|
|
|
try {
|
2025-05-29 13:35:36 +00:00
|
|
|
const extractor = new PDFExtractor();
|
|
|
|
|
const result = await extractor.extractXml(pdfContent);
|
2025-05-26 04:04:51 +00:00
|
|
|
|
|
|
|
|
results.push({
|
2025-05-29 13:35:36 +00:00
|
|
|
path: maliciousPath,
|
|
|
|
|
extracted: result.success,
|
|
|
|
|
xmlFound: !!result.xml,
|
|
|
|
|
// PDF extractor should not follow file paths
|
|
|
|
|
safe: true
|
2025-05-26 04:04:51 +00:00
|
|
|
});
|
|
|
|
|
} catch (error) {
|
|
|
|
|
results.push({
|
2025-05-29 13:35:36 +00:00
|
|
|
path: maliciousPath,
|
|
|
|
|
extracted: false,
|
2025-05-26 04:04:51 +00:00
|
|
|
error: error.message
|
|
|
|
|
});
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return results;
|
|
|
|
|
}
|
|
|
|
|
);
|
|
|
|
|
|
2025-05-29 13:35:36 +00:00
|
|
|
console.log('PDF path traversal results:', pdfPathTraversal);
|
|
|
|
|
pdfPathTraversal.forEach(result => {
|
|
|
|
|
// Path references in PDFs should not be followed
|
|
|
|
|
expect(result.safe || result.extracted === false).toEqual(true);
|
2025-05-26 04:04:51 +00:00
|
|
|
});
|
|
|
|
|
|
2025-05-29 13:35:36 +00:00
|
|
|
// Test 4: Null byte injection for path truncation
|
|
|
|
|
const nullByteInjection = await performanceTracker.measureAsync(
|
|
|
|
|
'null-byte-injection',
|
2025-05-26 04:04:51 +00:00
|
|
|
async () => {
|
2025-05-29 13:35:36 +00:00
|
|
|
const nullBytePaths = [
|
|
|
|
|
'invoice.xml\x00.pdf',
|
|
|
|
|
'data\x00../../../etc/passwd',
|
|
|
|
|
'file.xml\x00.jpg',
|
|
|
|
|
'../uploads/invoice.xml\x00.exe'
|
2025-05-26 04:04:51 +00:00
|
|
|
];
|
|
|
|
|
|
|
|
|
|
const results = [];
|
|
|
|
|
|
2025-05-29 13:35:36 +00:00
|
|
|
for (const nullPath of nullBytePaths) {
|
|
|
|
|
const xml = `<?xml version="1.0" encoding="UTF-8"?>
|
|
|
|
|
<Invoice xmlns="urn:oasis:names:specification:ubl:schema:xsd:Invoice-2">
|
|
|
|
|
<ID>TEST-003</ID>
|
|
|
|
|
<AdditionalDocumentReference>
|
|
|
|
|
<ID>${nullPath}</ID>
|
|
|
|
|
<DocumentDescription>${nullPath}</DocumentDescription>
|
|
|
|
|
</AdditionalDocumentReference>
|
|
|
|
|
</Invoice>`;
|
|
|
|
|
|
2025-05-26 04:04:51 +00:00
|
|
|
try {
|
2025-05-29 13:35:36 +00:00
|
|
|
const invoice = await EInvoice.fromXml(xml);
|
2025-05-26 04:04:51 +00:00
|
|
|
results.push({
|
2025-05-29 13:35:36 +00:00
|
|
|
path: nullPath.replace(/\x00/g, '\\x00'),
|
|
|
|
|
parsed: true,
|
|
|
|
|
safe: true
|
2025-05-26 04:04:51 +00:00
|
|
|
});
|
|
|
|
|
} catch (error) {
|
|
|
|
|
results.push({
|
2025-05-29 13:35:36 +00:00
|
|
|
path: nullPath.replace(/\x00/g, '\\x00'),
|
|
|
|
|
parsed: false,
|
2025-05-26 04:04:51 +00:00
|
|
|
error: error.message
|
|
|
|
|
});
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return results;
|
|
|
|
|
}
|
|
|
|
|
);
|
|
|
|
|
|
2025-05-29 13:35:36 +00:00
|
|
|
console.log('Null byte injection results:', nullByteInjection);
|
|
|
|
|
nullByteInjection.forEach(result => {
|
|
|
|
|
expect(result.parsed !== undefined).toEqual(true);
|
2025-05-26 04:04:51 +00:00
|
|
|
});
|
|
|
|
|
|
2025-05-29 13:35:36 +00:00
|
|
|
// Test 5: Windows UNC path injection
|
2025-05-26 04:04:51 +00:00
|
|
|
const uncPathInjection = await performanceTracker.measureAsync(
|
|
|
|
|
'unc-path-injection',
|
|
|
|
|
async () => {
|
|
|
|
|
const uncPaths = [
|
2025-05-29 13:35:36 +00:00
|
|
|
'\\\\attacker.com\\share\\evil.xml',
|
|
|
|
|
'\\\\127.0.0.1\\c$\\windows\\system32',
|
|
|
|
|
'//attacker.com/share/payload.xml',
|
|
|
|
|
'\\\\?\\UNC\\attacker\\share\\file'
|
2025-05-26 04:04:51 +00:00
|
|
|
];
|
|
|
|
|
|
|
|
|
|
const results = [];
|
|
|
|
|
|
|
|
|
|
for (const uncPath of uncPaths) {
|
2025-05-29 13:35:36 +00:00
|
|
|
const xml = `<?xml version="1.0" encoding="UTF-8"?>
|
|
|
|
|
<Invoice xmlns="urn:oasis:names:specification:ubl:schema:xsd:Invoice-2">
|
|
|
|
|
<ID>TEST-004</ID>
|
|
|
|
|
<ProfileID>${uncPath}</ProfileID>
|
|
|
|
|
<CustomizationID>${uncPath}</CustomizationID>
|
|
|
|
|
</Invoice>`;
|
|
|
|
|
|
2025-05-26 04:04:51 +00:00
|
|
|
try {
|
2025-05-29 13:35:36 +00:00
|
|
|
const invoice = await EInvoice.fromXml(xml);
|
2025-05-26 04:04:51 +00:00
|
|
|
results.push({
|
|
|
|
|
path: uncPath,
|
2025-05-29 13:35:36 +00:00
|
|
|
parsed: true,
|
|
|
|
|
safe: true
|
2025-05-26 04:04:51 +00:00
|
|
|
});
|
|
|
|
|
} catch (error) {
|
|
|
|
|
results.push({
|
|
|
|
|
path: uncPath,
|
2025-05-29 13:35:36 +00:00
|
|
|
parsed: false,
|
2025-05-26 04:04:51 +00:00
|
|
|
error: error.message
|
|
|
|
|
});
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return results;
|
|
|
|
|
}
|
|
|
|
|
);
|
|
|
|
|
|
2025-05-29 13:35:36 +00:00
|
|
|
console.log('UNC path injection results:', uncPathInjection);
|
2025-05-26 04:04:51 +00:00
|
|
|
uncPathInjection.forEach(result => {
|
2025-05-29 13:35:36 +00:00
|
|
|
// UNC paths in XML data should be treated as strings, not executed
|
|
|
|
|
expect(result.parsed !== undefined).toEqual(true);
|
2025-05-26 04:04:51 +00:00
|
|
|
});
|
|
|
|
|
|
2025-05-29 13:35:36 +00:00
|
|
|
// Test 6: Zip slip vulnerability simulation
|
|
|
|
|
const zipSlipTest = await performanceTracker.measureAsync(
|
|
|
|
|
'zip-slip-prevention',
|
2025-05-26 04:04:51 +00:00
|
|
|
async () => {
|
2025-05-29 13:35:36 +00:00
|
|
|
const zipSlipPaths = [
|
|
|
|
|
'../../../../../../tmp/evil.xml',
|
|
|
|
|
'../../../etc/invoice.xml',
|
|
|
|
|
'..\\..\\..\\..\\windows\\temp\\malicious.xml'
|
2025-05-26 04:04:51 +00:00
|
|
|
];
|
|
|
|
|
|
|
|
|
|
const results = [];
|
|
|
|
|
|
2025-05-29 13:35:36 +00:00
|
|
|
for (const slipPath of zipSlipPaths) {
|
|
|
|
|
// Simulate a filename that might come from a zip entry
|
|
|
|
|
const xml = `<?xml version="1.0" encoding="UTF-8"?>
|
|
|
|
|
<Invoice xmlns="urn:oasis:names:specification:ubl:schema:xsd:Invoice-2">
|
|
|
|
|
<ID>TEST-005</ID>
|
|
|
|
|
<AdditionalDocumentReference>
|
|
|
|
|
<ID>1</ID>
|
|
|
|
|
<Attachment>
|
|
|
|
|
<EmbeddedDocumentBinaryObject filename="${slipPath}" mimeCode="application/xml">
|
|
|
|
|
PD94bWwgdmVyc2lvbj0iMS4wIj8+Cjxyb290Lz4=
|
|
|
|
|
</EmbeddedDocumentBinaryObject>
|
|
|
|
|
</Attachment>
|
|
|
|
|
</AdditionalDocumentReference>
|
|
|
|
|
</Invoice>`;
|
|
|
|
|
|
2025-05-26 04:04:51 +00:00
|
|
|
try {
|
2025-05-29 13:35:36 +00:00
|
|
|
const invoice = await EInvoice.fromXml(xml);
|
2025-05-26 04:04:51 +00:00
|
|
|
|
2025-05-29 13:35:36 +00:00
|
|
|
// The library should not extract files to the filesystem
|
2025-05-26 04:04:51 +00:00
|
|
|
results.push({
|
2025-05-29 13:35:36 +00:00
|
|
|
path: slipPath,
|
|
|
|
|
parsed: true,
|
|
|
|
|
safe: true,
|
|
|
|
|
wouldExtract: false
|
2025-05-26 04:04:51 +00:00
|
|
|
});
|
|
|
|
|
} catch (error) {
|
|
|
|
|
results.push({
|
2025-05-29 13:35:36 +00:00
|
|
|
path: slipPath,
|
|
|
|
|
parsed: false,
|
2025-05-26 04:04:51 +00:00
|
|
|
error: error.message
|
|
|
|
|
});
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return results;
|
|
|
|
|
}
|
|
|
|
|
);
|
|
|
|
|
|
2025-05-29 13:35:36 +00:00
|
|
|
console.log('Zip slip test results:', zipSlipTest);
|
|
|
|
|
zipSlipTest.forEach(result => {
|
|
|
|
|
// The library should not extract embedded files to the filesystem
|
|
|
|
|
expect(result.safe || result.parsed === false).toEqual(true);
|
|
|
|
|
if (result.wouldExtract !== undefined) {
|
|
|
|
|
expect(result.wouldExtract).toEqual(false);
|
2025-05-26 04:04:51 +00:00
|
|
|
}
|
|
|
|
|
});
|
|
|
|
|
|
2025-05-29 13:35:36 +00:00
|
|
|
console.log('Path traversal prevention tests completed');
|
2025-05-26 04:04:51 +00:00
|
|
|
});
|
|
|
|
|
|
|
|
|
|
// Run the test
|
|
|
|
|
tap.start();
|
