fin.cx/einvoice
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
einvoice/test/suite/einvoice_security/test.sec-04.input-validation.ts
Philipp Kunz 960bbc2208 update
2025-05-29 13:35:36 +00:00

358 lines
10 KiB
TypeScript
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

import { tap, expect } from '@git.zone/tstest/tapbundle';
import * as plugins from '../plugins.js';
import { EInvoice, FormatDetector } from '../../../ts/index.js';
import { PerformanceTracker } from '../performance.tracker.js';
const performanceTracker = new PerformanceTracker('SEC-04: Input Validation');
tap.test('SEC-04: Input Validation - should validate and sanitize all inputs', async () => {
// Test 1: SQL Injection attempts in XML fields
const sqlInjection = await performanceTracker.measureAsync(
'sql-injection-prevention',
async () => {
const sqlPayloads = [
"'; DROP TABLE invoices; --",
"1' OR '1'='1",
"admin'--",
"1; DELETE FROM users WHERE 1=1; --",
"' UNION SELECT * FROM passwords --"
];
const results = [];
for (const payload of sqlPayloads) {
const maliciousXML = `<?xml version="1.0" encoding="UTF-8"?>
<Invoice xmlns="urn:oasis:names:specification:ubl:schema:xsd:Invoice-2">
<ID>${payload}</ID>
<CustomerName>${payload}</CustomerName>
<InvoiceLine>
<ID>1</ID>
<LineExtensionAmount currencyID="EUR">${payload}</LineExtensionAmount>
</InvoiceLine>
</Invoice>`;
try {
const invoice = await EInvoice.fromXml(maliciousXML);
// If parsing succeeds, the payload should be preserved as-is in XML
// SQL injection is not a concern for XML processing
results.push({
payload,
parsed: true,
error: null
});
} catch (error) {
// Parsing might fail for invalid XML characters
results.push({
payload,
parsed: false,
error: error.message
});
}
}
return results;
}
);
console.log('SQL injection test results:', sqlInjection);
// For XML processing, SQL payloads should either parse or fail - both are acceptable
sqlInjection.forEach(result => {
expect(result.parsed !== undefined).toEqual(true);
});
// Test 2: XSS (Cross-Site Scripting) attempts
const xssAttempts = await performanceTracker.measureAsync(
'xss-prevention',
async () => {
const xssPayloads = [
'<script>alert("XSS")</script>',
'<img src=x onerror=alert("XSS")>',
'<svg onload=alert("XSS")>',
'javascript:alert("XSS")',
'<iframe src="javascript:alert(\'XSS\')">',
'"><script>alert(String.fromCharCode(88,83,83))</script>'
];
const results = [];
for (const payload of xssPayloads) {
const maliciousXML = `<?xml version="1.0" encoding="UTF-8"?>
<Invoice xmlns="urn:oasis:names:specification:ubl:schema:xsd:Invoice-2">
<Note>${payload}</Note>
<AccountingCustomerParty>
<Party>
<PostalAddress>
<StreetName>${payload}</StreetName>
</PostalAddress>
</Party>
</AccountingCustomerParty>
</Invoice>`;
try {
const invoice = await EInvoice.fromXml(maliciousXML);
// XML parsers should handle or escape dangerous content
results.push({
payload: payload.substring(0, 30),
parsed: true,
error: null
});
} catch (error) {
// Malformed XML should be rejected
results.push({
payload: payload.substring(0, 30),
parsed: false,
error: error.message
});
}
}
return results;
}
);
console.log('XSS test results:', xssAttempts);
xssAttempts.forEach(result => {
// Either parsing succeeds (content is escaped) or fails (rejected) - both are safe
expect(result.parsed !== undefined).toEqual(true);
});
// Test 3: Path Traversal attempts
const pathTraversal = await performanceTracker.measureAsync(
'path-traversal-prevention',
async () => {
const pathPayloads = [
'../../../etc/passwd',
'..\\..\\..\\windows\\system32\\config\\sam',
'/etc/passwd',
'C:\\Windows\\System32\\drivers\\etc\\hosts',
'file:///etc/passwd'
];
const results = [];
for (const payload of pathPayloads) {
const maliciousXML = `<?xml version="1.0" encoding="UTF-8"?>
<Invoice xmlns="urn:oasis:names:specification:ubl:schema:xsd:Invoice-2">
<ID>123</ID>
<AdditionalDocumentReference>
<ID>${payload}</ID>
<Attachment>
<ExternalReference>
<URI>${payload}</URI>
</ExternalReference>
</Attachment>
</AdditionalDocumentReference>
</Invoice>`;
try {
const invoice = await EInvoice.fromXml(maliciousXML);
// Path traversal strings in XML data are just strings - not file paths
results.push({
payload,
parsed: true
});
} catch (error) {
results.push({
payload,
parsed: false,
error: error.message
});
}
}
return results;
}
);
console.log('Path traversal test results:', pathTraversal);
pathTraversal.forEach(result => {
expect(result.parsed !== undefined).toEqual(true);
});
// Test 4: Extremely long input fields
const longInputs = await performanceTracker.measureAsync(
'long-input-handling',
async () => {
const lengths = [1000, 10000, 100000, 1000000];
const results = [];
for (const length of lengths) {
const longString = 'A'.repeat(length);
const xml = `<?xml version="1.0" encoding="UTF-8"?>
<Invoice xmlns="urn:oasis:names:specification:ubl:schema:xsd:Invoice-2">
<ID>${longString}</ID>
<Note>${longString}</Note>
</Invoice>`;
try {
const startTime = Date.now();
const invoice = await EInvoice.fromXml(xml);
const endTime = Date.now();
results.push({
length,
parsed: true,
duration: endTime - startTime
});
} catch (error) {
results.push({
length,
parsed: false,
error: error.message
});
}
}
return results;
}
);
console.log('Long input test results:', longInputs);
longInputs.forEach(result => {
// Very long inputs might be rejected or cause performance issues
if (result.parsed && result.duration) {
// Processing should complete in reasonable time (< 5 seconds)
expect(result.duration).toBeLessThan(5000);
}
});
// Test 5: Special characters and encoding
const specialChars = await performanceTracker.measureAsync(
'special-character-handling',
async () => {
const specialPayloads = [
'\x00\x01\x02\x03\x04\x05', // Control characters
'<?xml version="1.0"?>', // XML declaration in content
'<!DOCTYPE foo [<!ENTITY bar "test">]>', // DTD
'&entity;', // Undefined entity
'\uFFFE\uFFFF', // Invalid Unicode
'𝕳𝖊𝖑𝖑𝖔', // Unicode beyond BMP
String.fromCharCode(0xD800), // Invalid surrogate
];
const results = [];
for (const payload of specialPayloads) {
const xml = `<?xml version="1.0" encoding="UTF-8"?>
<Invoice xmlns="urn:oasis:names:specification:ubl:schema:xsd:Invoice-2">
<ID>INV-001</ID>
<Note>${payload}</Note>
</Invoice>`;
try {
const invoice = await EInvoice.fromXml(xml);
results.push({
payload: payload.substring(0, 20),
parsed: true
});
} catch (error) {
results.push({
payload: payload.substring(0, 20),
parsed: false,
error: error.message
});
}
}
return results;
}
);
console.log('Special character test results:', specialChars);
specialChars.forEach(result => {
// Special characters should either be handled or rejected
expect(result.parsed !== undefined).toEqual(true);
});
// Test 6: Format detection with malicious inputs
const formatDetection = await performanceTracker.measureAsync(
'format-detection-security',
async () => {
const maliciousFormats = [
'<?xml version="1.0"?><root>Not an invoice</root>',
'<Invoice><script>alert(1)</script></Invoice>',
'{"invoice": "this is JSON not XML"}',
'This is just plain text',
Buffer.from([0xFF, 0xFE, 0x00, 0x00]), // Binary data
];
const results = [];
for (const input of maliciousFormats) {
try {
const format = FormatDetector.detectFormat(input);
results.push({
detected: true,
format: format || 'unknown'
});
} catch (error) {
results.push({
detected: false,
error: error.message
});
}
}
return results;
}
);
console.log('Format detection test results:', formatDetection);
formatDetection.forEach(result => {
// Format detection should handle all inputs safely
expect(result.detected !== undefined).toEqual(true);
});
// Test 7: Null byte injection
const nullBytes = await performanceTracker.measureAsync(
'null-byte-injection',
async () => {
const nullPayloads = [
'invoice\x00.xml',
'data\x00<script>',
'\x00\x00\x00',
'before\x00after'
];
const results = [];
for (const payload of nullPayloads) {
const xml = `<?xml version="1.0" encoding="UTF-8"?>
<Invoice xmlns="urn:oasis:names:specification:ubl:schema:xsd:Invoice-2">
<ID>${payload}</ID>
<IssueDate>2024-01-01</IssueDate>
</Invoice>`;
try {
const invoice = await EInvoice.fromXml(xml);
results.push({
payload: payload.replace(/\x00/g, '\\x00'),
parsed: true
});
} catch (error) {
results.push({
payload: payload.replace(/\x00/g, '\\x00'),
parsed: false,
error: error.message
});
}
}
return results;
}
);
console.log('Null byte test results:', nullBytes);
nullBytes.forEach(result => {
// Null bytes should be handled safely
expect(result.parsed !== undefined).toEqual(true);
});
// Performance tracking complete
console.log('Input validation tests completed');
});
// Run the test
tap.start();
Reference in New Issue View Git Blame Copy Permalink